/**
 * Supplies the hidden form field that carries the CSRF token for the current session.
 *
 * <p>The returned map holds a single entry keyed by {@code CSRFTokenManager.CSRF_PARAM_NAME}
 * whose value is whatever {@code CSRFTokenManager.getTokenForSession} returns for
 * {@code request.getSession()}.
 *
 * @param request the current request; its session is used to look up the token
 * @return a new mutable map containing the CSRF parameter name mapped to the session token
 */
@Override
public Map<String, String> getExtraHiddenFields(final HttpServletRequest request) {
    final String sessionToken = CSRFTokenManager.getTokenForSession(request.getSession());
    final Map<String, String> extraFields = new HashMap<String, String>();
    extraFields.put(CSRFTokenManager.CSRF_PARAM_NAME, sessionToken);
    return extraFields;
}
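/**
 * Rejects requests that require a CSRF token but do not present the one bound to the session.
 *
 * <p>Requests for which {@code shouldCheckCSRFTokenForRequest} returns {@code false} pass
 * through untouched. For all others the token read from the request is compared against the
 * session token; on mismatch a 403 is written to the response and the handler is not invoked.
 * The comparison is constant-time in the token length so that a mismatching prefix does not
 * leak through response timing, and a missing token on either side is treated as a mismatch
 * rather than as an error.
 *
 * @param request the current request
 * @param response the response, used to emit {@code SC_FORBIDDEN} on a failed check
 * @param handler the handler selected for this request (unused)
 * @return {@code true} to continue processing, {@code false} if the request was rejected
 * @throws Exception if writing the error response fails
 */
@Override
public boolean preHandle(
        final HttpServletRequest request,
        final HttpServletResponse response,
        final Object handler) throws Exception {
    if (!shouldCheckCSRFTokenForRequest(request)) {
        // Not a request that needs a token (the original author notes this as the non-POST
        // case) - allow it through.
        return true;
    }
    final String sessionToken = CSRFTokenManager.getTokenForSession(request.getSession());
    final String requestToken = CSRFTokenManager.getTokenFromRequest(request);
    if (tokensMatch(sessionToken, requestToken)) {
        return true;
    }
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad or missing CSRF value");
    return false;
}

/**
 * Compares the expected and presented tokens without short-circuiting on the first differing
 * byte.
 *
 * @param expected the token bound to the session; {@code null} if none is available
 * @param presented the token taken from the request; {@code null} if absent
 * @return {@code true} only if both are non-null and byte-for-byte equal
 */
private static boolean tokensMatch(final String expected, final String presented) {
    // MessageDigest.isEqual(null, null) returns true, so a missing session token must be
    // rejected explicitly before delegating to it.
    if (expected == null || presented == null) {
        return false;
    }
    return java.security.MessageDigest.isEqual(
            expected.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            presented.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}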