I'm having difficulties working out how to prevent CSRF against my JAX-RS webservice.
the setup
The REST-webservice provides data to a JavaScript MVC-Framework, which runs client-side. The Framework will call the webservice via ajax-requests.
All users are authenticated and the webservice methods are secured with @RolesAllowed annotations. This works fine.
But the service is open for Cross-Site Request Forgery.
a solution
Now I understand the concept of how to prevent CSRF. Tomcat (which I'm using) has a built-in system to prevent it, which works with filters.
web.xml:

    <filter>
        <filter-name>CsrfFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
        <init-param>
            <param-name>entryPoints</param-name>
            <param-value>/index.xhtml</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CsrfFilter</filter-name>
        <url-pattern>/api/*</url-pattern>
    </filter-mapping>
Now you could encode all URLs with HttpServletResponse#encodeRedirectURL(String) and use them in a form like this:

    <form action="<%=urlActionBEncoded %>" method="POST">
the problem
Since I'm not using JSP/JSF, this won't work for me. All requests are made via AJAX, so I'd have to inject these encoded URLs into the JavaScript code.
questions
Thanks in advance :)
RESTful webservices are stateless, with authentication for non-form based clients performed on every request. There shouldn't be a problem there since authentication is on every request (see the comments here). However, if using another framework, then you want to use the "Synchronizer Token Pattern". You pass a generated token to the server which the server validates. If you aren't using forms to set this token, then I'm assuming that you'd need to read into which lib to use to safely include it in your requests from the client to the server.
What exactly do you mean by "inject the encoded URL in the JavaScript"? Are you talking about how to encode your request params/query strings? Here is someone using the URL to prevent CSRF.
Some interesting links when I searched:
http://docs.spring.io/spring-security/site/docs/3.2.x-SNAPSHOT/reference/springsecurity.html
http://docs.spring.io/spring-security/site/docs/3.2.x-SNAPSHOT/reference/web-app-security.html
https://code.google.com/p/csrf-filter/
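As an added example (not from the question, the answer, or Tomcat), here is the Synchronizer Token Pattern the answer refers to, implemented for a JAX-RS 2 service so that the AJAX client sends the token in a request header instead of needing encoded URLs: the client calls GET /api/csrf-token once after login, keeps the value in memory, and adds it as X-CSRF-Token on every POST/PUT/DELETE. The header and session attribute names, the /csrf-token path, and registration of both nested classes with the JAX-RS Application are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.servlet.http.*;
import javax.ws.rs.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.*;

public final class CsrfProtection {
    static final String SESSION_KEY = "CSRF_TOKEN", HEADER = "X-CSRF-Token"; // assumed names
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating it on first use (one token per session). */
    static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(SESSION_KEY);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(SESSION_KEY, token);
            }
            return token;
        }
    }
    /** The JavaScript client fetches this once after login and keeps the value in memory. */
    @Path("/csrf-token")
    public static final class TokenResource {
        @GET @Produces(MediaType.TEXT_PLAIN)
        public String get(@Context HttpServletRequest req) { return tokenFor(req.getSession(true)); }
    }
    /** Rejects state-changing requests whose header does not match the session token. */
    @Provider
    public static final class HeaderFilter implements ContainerRequestFilter {
        private static final Set<String> SAFE = Set.of("GET", "HEAD", "OPTIONS");
        @Context private HttpServletRequest req;
        public void filter(ContainerRequestContext ctx) {
            if (SAFE.contains(ctx.getMethod())) return;           // reads need no token here
            HttpSession session = req.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(SESSION_KEY);
            String given = ctx.getHeaderString(HEADER);
            if (expected == null || given == null || !MessageDigest.isEqual(   // constant-time compare
                    expected.getBytes(StandardCharsets.UTF_8), given.getBytes(StandardCharsets.UTF_8))) {
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
        }
    }
}
```

A cross-site page cannot read the token (same-origin policy) and cannot add a custom header to a simple form post, so a forged request fails the header check even though the browser still attaches the session cookie.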