> Yep, just read that. If that is the case, this is an incredibly easy
> fix for non-ajax situations:
>
> 1. Create a <jsec:sessionId/> tag that prints out a hidden field:
>    <input type="hidden" name="JSESSIONID" value="runtime_session_id_value"/>
>
> 2. Create a Filter implementation that checks the following:
>
>    Is there a 'JSESSIONID' parameter in the current request?
>    - Yes: does it match a previously set Cookie named JSESSIONID?
>      - Yes: request is valid, let it through
>      - No: potential CSRF attack, show access denied view
>    - No: no JSESSIONID parameter - let the request through as normal.
>
> 3. Add this to the jsecurity [urls] definition:
>    /** = antiCsrf
Has this been implemented? I'm contemplating adding CSRF protection in the Grails plugin via a <jsec:form/> tag, but if it's in JSecurity core, I'll go with that.

Cheers,
Peter

PS I won't be adding anything for a month or two yet :) I'm just reading up on OWASP and CWE for my security chapter.

PPS Graeme/Jeff cover JSecurity in the Definitive Guide to Grails 2nd edition
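The filter sketched in the quoted reply, written out as an added example (hypothetical code, not from JSecurity or the Grails plugin); it assumes the standard javax.servlet API, that the hidden field is named JSESSIONID as in the quoted tag, and that the filter is mapped to the URLs of interest.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical anti-CSRF filter following the steps in the quoted reply. */
public class AntiCsrfFilter implements Filter {
    // Name of both the hidden form field and the session cookie (assumed, as in the quote).
    private static final String TOKEN_NAME = "JSESSIONID";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String submitted = request.getParameter(TOKEN_NAME);
        // No hidden field in the request: pass it through unchanged, as the quoted design does.
        if (submitted == null) {
            chain.doFilter(req, resp);
            return;
        }
        if (matchesSessionCookie(submitted, request.getCookies())) {
            chain.doFilter(req, resp);            // field matches cookie: request is valid
        } else {                                  // mismatch: treat as a potential CSRF attempt
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** True when the submitted value equals the JSESSIONID cookie; compared in constant time. */
    static boolean matchesSessionCookie(String submitted, Cookie[] cookies) {
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (TOKEN_NAME.equals(c.getName())) {
                return MessageDigest.isEqual(submitted.getBytes(StandardCharsets.UTF_8),
                                             c.getValue().getBytes(StandardCharsets.UTF_8));
            }
        }
        return false;                             // no session cookie to compare against
    }
}
```

Because requests without the parameter pass through, exactly as in the quoted design, only forms that actually emit the hidden field are covered by this check.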
