跳至主要内容

Getting started with Java EE 8 MVC(7)-MVC Security

MVC Security

MVC has built-in some security features to protect pages, eg. CSRF protection.

CSRF protection

MVC has built-in CSRF protection, there is a Csrf interface.
  1. Configure Csrf in the Application class. Override the getProperties method.
    @Override
public Map<String, Object> getProperties() {
    Map<String, Object> props = new HashMap<>();

    props.put(Csrf.CSRF_PROTECTION, Csrf.CsrfOptions.EXPLICIT);

    //view folder
    //props.put(ViewEngine.DEFAULT_VIEW_FOLDER, ViewEngine.VIEW_FOLDER);
    return super.getProperties();
}
    And there are some options to configure CSRF via Csrf.CsrfOptions.
    • OFF to disable Csrf.
    • EXPLICIT to enable Csrf wtih annotation @CsrfValid on the Controller method.
    • IMPLICIT to enable Csrf autmaticially. No need @CsrfValid.
  2. Add annotation @CsrfValid on the Controller method.
    @POST
@CsrfValid
@ValidateOnExecution(type = ExecutableType.NONE)
public Response save(@Valid @BeanParam TaskForm form) {
}
  3. In the view, add hidden field to insert the Csrf value.
    <input type="hidden" name="${mvc.csrf.name}" value="${mvc.csrf.token}"/>
When you run the codes on Glassfish, in the view, the Csrf field looks like:
<input value="f3ca389f-efba-4f28-afe7-2a1e7231a238" name="X-Requested-By" type="hidden" />
Every request will generate a unique X-Requested-By value.
When the form is submitted, and it will be validated by MVC provider.

MvcContext

MvcContext interface includes the contextual data of MVC, such as context path, application path, etc. And also includes MVC security, such as Csrf and Encoders.
In the above section, we have used Csrf.
At the runtime environment, MvcContext is exposed by EL ${mvc} in the view.
  • ${mvc.contextPath} will get context path.
  • ${mvc.applicationPath} will get the application path declared in the Application class.
  • ${mvc.csrf.name} generate the Csrf token name.
  • ${mvc.csrf.token} generate the Csrf token value.
  • ${mvc.encoders.js(jsValue)} will escape the js scripts.
  • ${mvc.encoders.html(htmlValue)} will escape the html snippets.

Source Codes

  1. Clone the codes from my github.com account.
    https://github.com/hantsy/ee8-sandbox/
  2. Open the mvc project in NetBeans IDE.
  3. Run it on Glassfish.
  4. After it is deployed and runging on Glassfish application server, navigate http://localhost:8080/ee8-mvc/mvc/tasks in browser.
标签:

评论

发表评论

此博客中的热门博文

Create a restful application with AngularJS and Zend 2 framework

Create a restful application with AngularJS and Zend 2 framework This example application uses AngularJS/Bootstrap as frontend and Zend2 Framework as REST API producer. The backend code This backend code reuses the database scheme and codes of the official Zend Tutorial, and REST API support is also from the Zend community. Getting Started with Zend Framework 2 Getting Started with REST and Zend Framework 2 Zend2 provides a   AbstractRestfulController   for RESR API producing. class AlbumController extends AbstractRestfulController { public function getList() { $results = $this->getAlbumTable()->fetchAll(); $data = array(); foreach ($results as $result) { $data[] = $result; } return new JsonModel(array( 'data' => $data) ); } public function get($id) { $album = $this->getAlbumTable()->getAlbum($id); return new JsonModel(array("data" =...
发表评论
阅读全文

Build a Reactive application with Angular 5 and Spring Boot 2.0

I have created a post to describe Reactive programming supports in Spring 5 and its subprojects, all codes of this article are updated the latest Spring 5 RELEASE, check spring-reactive-sample under my Github account. In this post, I will create a simple blog system, including: A user can sign in and sign out. An authenticated user can create a post. An authenticated user can update a post. Only the user who has ADMIN role can delete a post. All users(including anonymous users) can view post list and post details. An authenticated user can add his comments to a certain post. The backend will be built with the latest Spring 5 reactive stack, including: Spring Boot 2.0, at the moment the latest version is 2.0.0.M7 Spring Data MongoDB supports reactive operations for MongoDB Spring Session adds reactive support for WebSession Spring Security 5 aligns with Spring 5 reactive stack The frontend is an Angular based SPA and it will be generated by Angular CLI. The so...
10 条评论
阅读全文

JPA 2.1: Attribute Converter

JPA 2.1: Attribute Converter If you are using Hibernate, and want a customized type is supported in your Entity class, you could have to write a custom Hibernate Type. JPA 2.1 brings a new feature named attribute converter, which can help you convert your custom class type to JPA supported type. Create an Entity Reuse the   Post   entity class as example. @Entity @Table(name="POSTS") public class Post implements Serializable { private static final long serialVersionUID = 1L; @Id @GeneratedValue(strategy = GenerationType.AUTO) @Column(name="ID") private Long id; @Column(name="TITLE") private String title; @Column(name="BODY") private String body; @Temporal(javax.persistence.TemporalType.DATE) @Column(name="CREATED") private Date created; @Column(name="TAGS") private List<String> tags=new ArrayList<>(); } Create an attribute convert...
发表评论
阅读全文