Open plentz opened 10 years ago
I'm going to work on this
Nice Turini, but are you going to implement a plugin or a vraptor feature?
In Spring MVC you can use CSRF without any view tags... It only puts the variables ${csrfTokenValue} and ${csrfTokenParameterName} in the request and you can use them as you wish. Of course, if you want to create some tags, nobody will complain :).
On Mon, Aug 24, 2015 at 12:27, Rafael Alves notifications@github.com wrote:
> Nice Turini, but are you going to implement a plugin or a vraptor feature?
Hi @dobau. I'm implementing it as a feature toggle on core, disabled by default. And without any tags, just like Spring MVC (thanks @asouza) and the MVC 1.0 spec do:
```html
<input type="hidden" name="${csrf.name}" value="${csrf.token}"/>
```
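An added example, not part of the thread and not VRaptor code: a sketch of the server side that would back the hidden field above, issuing one random token per session and rejecting state-changing requests that do not echo it. The class name, the `_csrf` parameter name, the session key and the use of a `Map` in place of the HTTP session are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Illustration only; a Map stands in for the HTTP session and for request parameters.
public class CsrfSketch {
    static final String PARAM_NAME = "_csrf";        // assumed value behind ${csrf.name}
    static final String SESSION_KEY = "csrf.token";  // assumed session attribute key
    static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final SecureRandom RANDOM = new SecureRandom();

    // Returns the session's token, creating it on first use (the value behind ${csrf.token}).
    static String tokenFor(Map<String, String> session) {
        return session.computeIfAbsent(SESSION_KEY, k -> {
            byte[] raw = new byte[32]; // 256 bits from a CSPRNG
            RANDOM.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    // Safe methods pass; every other method must carry the session's token in PARAM_NAME.
    static boolean isAllowed(String method, Map<String, String> session,
                             Map<String, String> params) {
        if (SAFE_METHODS.contains(method)) return true;
        String expected = session.get(SESSION_KEY);
        String submitted = params.get(PARAM_NAME);
        if (expected == null || submitted == null) return false; // fail closed
        // MessageDigest.isEqual compares in constant time for equal-length inputs.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>(); // constructed sample session
        String token = tokenFor(session);
        System.out.println("<input type=\"hidden\" name=\"" + PARAM_NAME
                + "\" value=\"" + token + "\"/>");
        System.out.println("POST with token:    " + isAllowed("POST", session, Map.of(PARAM_NAME, token)));
        System.out.println("POST without token: " + isAllowed("POST", session, Map.of()));
        System.out.println("POST forged token:  " + isAllowed("POST", session, Map.of(PARAM_NAME, "forged")));
        System.out.println("GET without token:  " + isAllowed("GET", session, Map.of()));
    }
}
```

Exempting GET, HEAD and OPTIONS is only sound when those handlers have no side effects.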
Hello @Turini. Has any evolution been made about this?
Not yet, @nbluis. It's in a freeze for now, but I hope to work on this feature soon. Any help would be very welcome (:
@Turini thanks for the feedback.
I think I'll implement using the OWASP CSRF Guard.
It can be easily added to my current project. It can serve as a reference when doing this implementation.
a few ideas