I added the csrfguard.js and csrfguard.properties (referenced later in the web.xml). Then the Owasp.CsrfGuard.overlay.properties file all into the a web app directory. The .js and .properties from csrfguard I did not change. The overlay was mostly standard, is called from csrfguard.properites and looks like this:
org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
org.owasp.csrfguard.JavascriptServlet.refererPattern =
http://localhost:80.*
org.owasp.csrfguard.unprotected.Default=%servletContext%/
org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
org.owasp.csrfguard.unprotected.Error=%servletContext%/jsp/accessdenied.jsp
org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
org.owasp.csrfguard.unprotected.Favicon=%servletContext%/favicon.ico
Then finally to get it all working you can add a filter in your web.xml which tells CSRFGuard to inject the token and also check it. This is where the mapping go for the .js and .properties file. For example:
<webapp>
...
<filter>
<filter-name>CSRFGuard</filter-name>
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CSRFGuard</filter-name>
<url-pattern>/app</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<context-param>
<param-name>Owasp.CsrfGuard.Config</param-name>
<param-value>WEB-INF/csrfguard.properties</param-value>
</context-param>
<context-param>
<param-name>Owasp.CsrfGuard.Config.Print</param-name>
<param-value>true</param-value>
</context-param>
<servlet>
<servlet-name>CsrfServlet</servlet-name>
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
<init-param>
<param-name>source-file</param-name>
<param-value>WEB-INF/csrfguard.js</param-value>
</init-param>
<init-param>
<param-name>inject-into-forms</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>inject-into-attributes</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>domain-strict</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>referer-pattern</param-name>
<param-value>.*localhost.*</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>CsrfServlet</servlet-name>
<url-pattern>/csrfguard</url-pattern>
</servlet-mapping>
</web-app>