Hi All,
I am trying to provide a security solution for a cross-site request forgery issue.
Solution:
*********
1. Using a filter, I generate a random number using the SecureRandom class and add it to a session variable.
2. In a JSP, I have added a hidden variable that gets populated with the value generated by the filter class.
3. On submitting the page, in the action servlet, I check whether the value generated by the filter is the same as the value currently in the JSP hidden variable. If they are the same, I process the request; if not, I send him an error page.
Note: For each and every hit (from page to page), a new random number is generated.
Problem:
********
This works 100% fine when I am trying to access any .jsp files, but it does not work when I try to access a .do service.
I know that, on accessing a .do file, it first calls the controller, and the view page loads only based on the controller. Since I am checking in the action servlet for the hidden variable, which is not populated in the JSP at that point in time, I am getting an error page, even though a valid course of action takes place.
Any solution for this? I am very confused; any sort of help would be highly helpful.
Regards
Siva
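
The token scheme described in the post, written as a single servlet filter. This is an added example, not code from the original post. The name `csrfToken` (session attribute and form field), the `javax.servlet` API, and the rule that only POST requests are validated are assumptions. The previous token is read before a new one is generated, so the first GET to a `.jsp` or `.do` URL passes through and simply receives a token for the page it renders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: per-request CSRF token filter (names are assumptions, not from the post).
public class CsrfTokenFilter implements Filter {
    static final String TOKEN = "csrfToken"; // assumed session attribute and form field name
    private final SecureRandom random = new SecureRandom();

    static boolean matches(String expected, String sent) {
        if (expected == null || sent == null) return false;
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     sent.getBytes(StandardCharsets.UTF_8));
    }

    String newToken() {
        byte[] buf = new byte[32]; // 256 bits from SecureRandom
        random.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession();
        // Token issued with the previous page; read it before rotating.
        String expected = (String) session.getAttribute(TOKEN);
        // Assumption: only POST changes state, so a GET to a .jsp or .do is never rejected.
        if ("POST".equalsIgnoreCase(req.getMethod())
                && !matches(expected, req.getParameter(TOKEN))) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
            return;
        }
        // Rotate on every hit, as in the post. The next JSP renders the new value:
        // <input type="hidden" name="csrfToken" value="${sessionScope.csrfToken}">
        session.setAttribute(TOKEN, newToken());
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Because the token rotates on every hit, a form left open in a second tab or resubmitted with the back button carries a stale value and is rejected.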