Results 1 to 3 of 3

Thread: Random Request nonce in Spring Security

  1. Mar 10th, 2011, 08:53 AM #1
    CrisLander
    CrisLander is offline Junior Member
    Join Date
    Mar 2011
    Posts
    2

    Default Random Request nonce in Spring Security

    Hi everyone,

    I've been looking at Spring Security for authentication and authorization, and there's something I haven't been able to find: A synchronizer token pattern, such as described in the OWASP: http://www.owasp.org/index.php/Cross...oken_Pa ttern

    Basically, it works like this: In addition to having a session cookie with a session token, when a Web application formulates a request (by generating a link or form that causes a request when submitted or clicked by the user), the application should include a hidden input parameter with a common name such as "CSRFToken". The value of this token must be randomly generated such that it cannot be guessed by an attacker. This random token is included in each user request, and when a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request as compared to the token found in the session. If the token is not found within the request or the value provided does not match the value within the session, then the request should be aborted and the event logged as a potential CSRF attack in progress. This token can be renewed whenever wanted, going as far as renewing it for every request.

    How can I implement this random token in Spring Security? Is it already implemented, and I just haven't found it? Can I create a custom property in the Security Context where I can store the random token for the current user? Bear in mind, this is different than a session token, the idea is that even if someone steals a cookie and compromises a session cookie, they still wouldn't have the security token and thus would be rejected.
    Reply With Quote Reply With Quote
  2. Mar 10th, 2011, 09:34 AM #2
    Luke Taylor
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    Synchronizer tokens require integration with the actual view technology you are using, so it's not something that is supported by Spring Security.

    I'd recommend you take a look at HDIV, which provide this and much more. You can also monitor and vote for this issue.
    Spring - by Pivotal
    twitter @tekul
    Reply With Quote Reply With Quote
  3. Mar 11th, 2011, 03:21 AM #3
    CrisLander
    CrisLander is offline Junior Member
    Join Date
    Mar 2011
    Posts
    2

    Default

    Thanks, I'll check HDIV.

    I would've thought this token would be a perfect fit for the security context, and spring security could've implemented a filter to validate it. But maybe with HDIV I'll solve my problems.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules