Java EE 8 By Example

Security

MVC has some built-in security features to protect pages, e.g. CSRF protection.

CSRF protection

MVC has built-in CSRF protection, exposed through the Csrf interface.

  1. Configure Csrf in the Application class. Override the getProperties method.

     @Override
     public Map<String, Object> getProperties() {
         Map<String, Object> props = new HashMap<>();

         // EXPLICIT: only controller methods annotated with @CsrfValid are protected
         props.put(Csrf.CSRF_PROTECTION, Csrf.CsrfOptions.EXPLICIT);

         //view folder
         //props.put(ViewEngine.DEFAULT_VIEW_FOLDER, ViewEngine.VIEW_FOLDER);

         // return the populated map; returning super.getProperties() here would discard the CSRF setting
         return props;
     }

    The CSRF mode is configured via Csrf.CsrfOptions:

    • OFF disables CSRF protection.

    • EXPLICIT enables CSRF protection only for controller methods annotated with @CsrfValid.

    • IMPLICIT enables CSRF protection automatically for all controller methods; @CsrfValid is not needed.

  2. Add the annotation @CsrfValid to the controller method.

     @POST
     @CsrfValid
     @ValidateOnExecution(type = ExecutableType.NONE)
     public Response save(@Valid @BeanParam TaskForm form) {
         // save the task, then redirect to the task list (the original page leaves this body empty;
         // the redirect target is a hypothetical placeholder)
         return Response.seeOther(URI.create("tasks")).build();
     }

  3. In the view, add a hidden field carrying the Csrf token.

     <input type="hidden" name="${mvc.csrf.name}" value="${mvc.csrf.token}"/>

When you run the code on Glassfish, the rendered Csrf field in the view looks like:

<input value="f3ca389f-efba-4f28-afe7-2a1e7231a238" name="X-Requested-By" type="hidden" />

Every request generates a unique X-Requested-By value.

When the form is submitted, the token is validated by the MVC provider.
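To make that check concrete, here is an added, stand-alone Java illustration (not Ozark, Glassfish or the sandbox project's code) of what the provider does with the hidden field: it renders the token under the X-Requested-By name and, on submit, accepts the request only when the submitted value matches the token held for the session. CsrfTokenDemo, Session, the per-session token and the header-or-form-field lookup are assumptions of this example, not API from the MVC spec.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;

/** Illustration of the CSRF check the MVC provider performs (added example, not Ozark or Glassfish code). */
public class CsrfTokenDemo {
    // Glassfish renders the hidden field under this name, as shown in the rendered view above.
    static final String TOKEN_NAME = "X-Requested-By";

    /** Simulated HTTP session holding one token (assumption: the token is bound to the session). */
    static final class Session {
        private String token;
        synchronized String csrfToken() {
            if (token == null) token = UUID.randomUUID().toString();
            return token;
        }
    }
    /** What ${mvc.csrf.name} and ${mvc.csrf.token} expand to in the view. */
    static String hiddenField(Session session) {
        return "<input type=\"hidden\" name=\"" + TOKEN_NAME
                + "\" value=\"" + session.csrfToken() + "\"/>";
    }
    /** Mirrors EXPLICIT mode: only controller methods annotated with @CsrfValid are checked. */
    static boolean isAllowed(boolean csrfAnnotated, Session session,
                             Map<String, String> headers, Map<String, String> formParams) {
        if (!csrfAnnotated) return true;
        // Accept the token from a header of the same name or from the hidden form field (assumption).
        String submitted = Optional.ofNullable(headers.get(TOKEN_NAME))
                .orElse(formParams.get(TOKEN_NAME));
        if (submitted == null) return false; // no token: the provider rejects the request
        // Constant-time comparison so the check does not leak the token through timing
        return MessageDigest.isEqual(
                session.csrfToken().getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Session session = new Session();
        System.out.println(hiddenField(session));
        // Submission carrying the rendered token: accepted
        System.out.println(isAllowed(true, session, Map.of(), Map.of(TOKEN_NAME, session.csrfToken())));
        // Cross-site form that cannot read the token: rejected
        System.out.println(isAllowed(true, session, Map.of(), Map.of("title", "x")));
        // Method without @CsrfValid in EXPLICIT mode: not checked
        System.out.println(isAllowed(false, session, Map.of(), Map.of()));
    }
}
```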

MvcContext

The MvcContext interface includes the contextual data of MVC, such as the context path and application path, as well as the MVC security helpers Csrf and Encoders.

In the section above, we used Csrf.

At runtime, MvcContext is exposed in the view through the EL expression ${mvc}.

  • ${mvc.contextPath} returns the context path.

  • ${mvc.applicationPath} returns the application path declared in the Application class.

  • ${mvc.csrf.name} returns the Csrf token name.

  • ${mvc.csrf.token} returns the Csrf token value.

  • ${mvc.encoders.js(jsValue)} escapes a value for safe use inside JavaScript.

  • ${mvc.encoders.html(htmlValue)} escapes a value for safe use inside HTML.

Source Codes

  1. Clone the codes from my GitHub account: https://github.com/hantsy/ee8-sandbox/

  2. Open the mvc project in NetBeans IDE.

  3. Run it on Glassfish.

After it is deployed and running on the Glassfish application server, navigate to http://localhost:8080/ee8-mvc/mvc/tasks in the browser.