What is the best way to protect our Spring MVC application from CSRF and XSS.
Is there native Spring MVC support for this?
In Spring:
Forms (globally):
<!-- web.xml: makes Spring's JSP tags (form:*, spring:bind, spring:message) HTML-escape their output -->
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
Forms (locally):
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<!-- per-page override of the context-param above -->
<spring:htmlEscape defaultHtmlEscape="true" />
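The following is an added example, not code from the answer above: it shows in plain Java what the escaping that defaultHtmlEscape switches on actually does to attacker-controlled input, using Spring's own HtmlUtils (the helper the form:* and spring:* tags call). The payload string and the two render methods are constructed for illustration.

```java
import org.springframework.web.util.HtmlUtils;

/**
 * Added example: contrasts raw output of user input with the output Spring's
 * HTML-escaping tags produce. The payload is a constructed XSS probe.
 */
public class HtmlEscapeDemo {

    /** Constructed attacker input, e.g. a display name submitted through a form. */
    static final String PAYLOAD = "\"><script>alert(document.cookie)</script>";

    /** Unsafe: what raw ${user.name} in a JSP, or string concatenation, produces. */
    static String renderUnescaped(String name) {
        return "<input type=\"text\" name=\"name\" value=\"" + name + "\">";
    }

    /**
     * Safe: what <form:input path="name"/> produces when defaultHtmlEscape=true.
     * HtmlUtils.htmlEscape turns <, >, & and " into character entities, so the
     * attacker's quote cannot close the attribute and the script tag is inert text.
     */
    static String renderEscaped(String name) {
        return "<input type=\"text\" name=\"name\" value=\"" + HtmlUtils.htmlEscape(name) + "\">";
    }

    public static void main(String[] args) {
        System.out.println("unescaped: " + renderUnescaped(PAYLOAD));
        System.out.println("escaped:   " + renderEscaped(PAYLOAD));
    }
}
```

Caveat worth checking in any JSP-based app: defaultHtmlEscape only governs Spring's own tags. Plain `${...}` EL expressions, scriptlets and `<%= %>` are not covered by it, so those still need `<c:out value="${...}"/>` or `fn:escapeXml()`, or the value ends up rendered exactly as in renderUnescaped above.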
You can use Spring Security 3.2.0.RELEASE and enable CSRF support with this configuration:
<http>
<!-- ... -->
<csrf />
</http>
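As an added example (not part of the answer above), here is the Java-config equivalent of `<http><csrf/></http>` for Spring Security 3.2, together with a controller showing where the token has to appear so that protected POSTs still succeed. The /transfer endpoint, its parameters and the view name are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

/**
 * Added example: Java-config counterpart of <csrf/> in Spring Security 3.2.
 * In XML config CSRF protection is opt-in; in Java config it is on by default,
 * and is spelled out here so the intent is visible.
 */
@Configuration
@EnableWebSecurity
public class CsrfConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CsrfFilter rejects POST/PUT/PATCH/DELETE without a valid token (403).
            // GET/HEAD/OPTIONS/TRACE pass through unchecked, so no state-changing
            // action may be mapped to GET or the protection is bypassed.
            .csrf().and()
            .authorizeRequests().anyRequest().authenticated().and()
            .formLogin();
    }
}

/** Hypothetical controller showing the token on the way out and the guarded POST. */
@Controller
class TransferController {

    /** Renders the form. CsrfFilter has already stored the session token on the request. */
    @RequestMapping(value = "/transfer", method = RequestMethod.GET)
    public String form(HttpServletRequest request, Model model) {
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        model.addAttribute("csrfParam", token.getParameterName()); // "_csrf" by default
        model.addAttribute("csrfToken", token.getToken());
        // The view must emit the token as a hidden field; CsrfFilter also exposes
        // it as the "_csrf" request attribute, so a JSP can write:
        //   <form method="post" action="/transfer">
        //     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
        //     ...
        //   </form>
        return "transfer";
    }

    /** Only reached when the submitted _csrf parameter matches the session's token. */
    @RequestMapping(value = "/transfer", method = RequestMethod.POST)
    public String submit(@RequestParam("to") String to, @RequestParam("amount") long amount) {
        // ... perform the transfer ...
        return "redirect:/transfer?done";
    }
}
```

For AJAX callers the same token is accepted in the X-CSRF-TOKEN request header, which is what token.getHeaderName() returns with the default HttpSessionCsrfTokenRepository.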
Here is a blog about it:
http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html
Another one:
http://web.securityinnovation.com/appsec-weekly/blog/bid/79007/How-to-Prevent-Cross-Site-Request-Forgery-CSRF-in-SpringMVC
For token generation, ESAPI can be used: https://code.google.com/p/owasp-esapi-java/