CSRF token is only validated if there are @FormParams #79

mvcbot · 2015-10-23T05:54:17Z

Original issue OZARK-63 created by Christian Kaltepoth:

The CSRF page token validation works fine in this case:

@Controller
@Path("/foobar")
public class TweetController {

  @POST
  @CsrfValid
  public String post( @FormParam("text") String text ) {
    System.out.println("CSRF page token valid!");
    return ....;
  }

}
{code}

But if I remove the controller method parameter, the check seems to get skipped and the controller method is always executed. Even if the page token is missing.

{code:java}
@Controller
@Path("/foobar")
public class TweetController {

  @POST
  @CsrfValid
  public String post( /** empty **/ ) {
    System.out.println("CSRF page token valid!");
    return ....;
  }

}

mvcbot · 2015-10-23T12:43:43Z

Comment by Santiago Pericas-Geertsen:

This is because the verification is done in a ReaderInterceptor. If there is no entity to read, the verification is skipped. This is a bit of an edge case in that regard, but perhaps we need to address it too.

mvcbot added the bug label Apr 26, 2017

mvcbot mentioned this issue Dec 7, 2018

CSRF token is only validated if there are @FormParams eclipse-ee4j/krazo#21

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSRF token is only validated if there are @FormParams #79

CSRF token is only validated if there are @FormParams #79

mvcbot commented Oct 23, 2015

mvcbot commented Oct 23, 2015

CSRF token is only validated if there are @FormParams #79

CSRF token is only validated if there are @FormParams #79

Comments

mvcbot commented Oct 23, 2015

mvcbot commented Oct 23, 2015