I’m using PlayFramework 2.3 [1] on a new project of mine. Because I want the project to be safe by default, I enabled CSRF (Cross-Site Request Forgery) protection globally [2] [3].
In this project I pass some legacy pages through a custom proxy I built. These pages know nothing about CSRF tokens and therefore need to be excluded from the CSRF check.
Unfortunately, PlayFramework’s CSRF filter currently offers only two modes: disable CSRF protection globally and enable it on selected actions, or enable it globally with no way to disable it for individual actions. Neither is what I want.
To get there I had to build a small hack; thanks to the decorator pattern [4] it is only a few lines of code. It consists of three easy steps.
1. Adjust your Global.scala file like this:
2. Adjust your routes file. Actions that should be excluded from the CSRF check need a comment #NOCSRF directly above them, like this:
3. That is basically it. If you need a CSRF token available on a page (because it contains a login form, for example), annotate or wrap your actions accordingly.
For Scala:
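The following is an added example of the three steps above in Scala; it is not the post’s own listing. It wraps Play 2.3’s stock CSRFFilter in a decorator that consults the ROUTE_COMMENTS request tag, which Play’s generated router fills with the `#` comment lines sitting directly above the matched route, so the marker comes from the routes file and cannot be supplied by the client. The names SelectiveCSRFFilter, controllers.Proxy.passThrough, controllers.Auth and the views.html.login template are assumptions made for this example, as is the exact shape of the routes lines shown in the comment.

```scala
// app/Global.scala (added example, not the post's own code)
import play.api.GlobalSettings
import play.api.Routes
import play.api.mvc._
import play.filters.csrf.CSRFFilter

/**
 * Decorator around Play's CSRFFilter. The wrapped filter runs for every
 * request except those whose matched route carries the exclusion marker
 * in its routes-file comment block. Play's router exposes that comment
 * block as the ROUTE_COMMENTS tag on the RequestHeader.
 */
class SelectiveCSRFFilter(marker: String = "NOCSRF") extends EssentialFilter {
  // Built once; configured from application.conf like the stock filter.
  private val csrf: EssentialFilter = CSRFFilter()

  def apply(next: EssentialAction): EssentialAction = EssentialAction { rh =>
    // Match the marker as a whole word so "#NOCSRF" in a multi-line
    // comment block is found, but a stray substring is not.
    val excluded = rh.tags.get(Routes.ROUTE_COMMENTS)
      .exists(_.split("\\s+").contains(marker))
    if (excluded) next(rh)      // legacy pass-through: no token check
    else csrf(next)(rh)         // everything else: regular CSRF check
  }
}

object Global extends WithFilters(new SelectiveCSRFFilter) with GlobalSettings

// conf/routes (assumed layout; the comment must sit directly above the route):
//
//   # Legacy pages proxied as-is, they cannot carry a token
//   #NOCSRF
//   POST    /legacy/*path    controllers.Proxy.passThrough(path: String)
//
//   # Normal actions stay covered by the global filter
//   GET     /login           controllers.Auth.loginForm
//   POST    /login           controllers.Auth.login

// app/controllers/Auth.scala (assumed controller): step 3, making a token
// available to a page that renders a form, and checking it on submit.
package controllers {
  import play.api.mvc._
  import play.filters.csrf._

  object Auth extends Controller {
    // CSRFAddToken guarantees a token is present for the template, which
    // then emits it with @helper.CSRF.formField (assumed template).
    def loginForm = CSRFAddToken {
      Action { implicit request => Ok(views.html.login()) }
    }

    // CSRFCheck is redundant while the global filter is on, but it keeps
    // the action safe if the route is ever marked #NOCSRF by mistake.
    def login = CSRFCheck {
      Action { implicit request => Redirect(routes.Auth.loginForm()) }
    }
  }
}
```

For Java controllers the equivalents of the wrappers are the `@AddCSRFToken` and `@RequireCSRFCheck` action annotations. Two things to check before relying on this: the tag-based decision means an excluded route is genuinely unprotected, so keep the #NOCSRF marker on exactly the proxied routes and make sure those legacy pages cannot trigger state changes against the new application’s session; and a blank line between the #NOCSRF comment and its route breaks the association, which silently re-enables the check for that route (safe, but surprising).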
1 Response to PlayFramework 2.3: Global CSRF Protection – Disable CSRF selectively
» PlayFramework 2.5: Global CSRF Protection – Disable CSRF selectively dominikdorn.com
June 5th, 2016 at 16:25
[…] is the successor of my Post “PlayFramework 2.3: Global CSRF Protection – Disable CSRF selectively“, updated to PlayFramework […]