grails-gsp icon indicating copy to clipboard operation
grails-gsp copied to clipboard

Published 20 hours ago verified publisher icon grails

FormTagLib.form passes wrong method to RequestDataValueProcessor

Open askask opened this issue 6 years ago • 0 comments

Steps to Reproduce

  1. Create a Grails web application and add Spring Security Web as a dependency
  2. Configure CSRF protection in resources.groovy:
requestDataValueProcessor(org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor)
csrfFilter(org.springframework.security.web.csrf.CsrfFilter, new org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository())
  1. Create a GSP file containing a g:form element

Expected Behaviour

I expect that the CSRF token is added to the form.

Actual Behaviour

It isn't added.

Environment Information

  • Operating System: Linux
  • Grails Version: 2.5.1 (the relevant code did not change since then however)
  • JDK Version: 8
  • Container Version (If Applicable): 2.5

-

I think the problem is https://github.com/grails/grails-gsp/blob/af8bfebd63936fe29ef7abe833386b0ed00e01f3/grails-plugin-gsp/src/main/groovy/org/grails/plugins/web/taglib/FormTagLib.groovy#L395 Here the method of the form should be passed, not the method used to request the page containing the form. See also the documentaton for the RequestDataValueProcessor interface.

askask avatar Jun 08 '18 14:06 askask