ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
Date Tue, 05 Jun 2018 11:39:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16501622#comment-16501622 ]

Jacques Le Roux commented on OFBIZ-10427:
-----------------------------------------

Following http://tomcat.10.x6.nabble.com/Help-with-CsrfPreventionFilter-tp2173495p2173508.html
and before considering creating my own code, I also tried this config (thanks APL for the
formatting) to no avail so far, I still get a 403.
{code}
Index: web.xml
===================================================================
--- web.xml	(revision 1832887)
+++ web.xml	(working copy)
@@ -46,6 +46,17 @@
     </context-param>
 
     <filter>
+        <display-name>CSRFPreventionFilter</display-name>
+        <filter-name>CSRFPreventionFilter</filter-name>
+        <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
+        <init-param>
+            <param-name>entryPoints</param-name>
+            <param-value>/webtools/control/checkLogin,/common/js/jquery/jquery-3.2.1.min.js,/common/js/jquery/jquery-migrate-3.0.0.min.js,/common/js/jquery/plugins/browser-plugin/jquery.browser-0.1.0.min.js,/common/js/jquery/ui/jquery-ui-1.12.1.min.js,/common/js/jquery/plugins/select2/js/select2-4.0.6.js,/common/js/jquery/plugins/datetimepicker/jquery-ui-timepicker-addon-1.6.3.min.js,/common/js/jquery/plugins/fjTimer/jquerytimer-min.js,/common/js/jquery/plugins/mask/jquery.mask-1.14.13.min.js,/common/js/jquery/plugins/jeditable/jquery.jeditable-1.7.3.js,/common/js/jquery/plugins/validate/jquery.validate.min.js,/common/js/plugins/OpenLayers-2.13.1-modified-for-CSP-.js,/common/js/jquery/plugins/elrte-1.3/js/elrte.min.js,/common/js/util/OfbizUtil.js,/common/js/util/fieldlookup.js,/common/js/plugins/date/date.format-1.2.3-min.js,/common/js/plugins/date/date.timezone-min.js,/common/js/util/miscAjaxFunctions.js,/common/js/util/selectMultipleRelatedValues.js,/common/js/util/util.js,/common/js/jquery/plugins/jsTree/jquery.jstree.js,/common/js/jquery/ui/js/jquery.cookie-1.4.0.js,/common/js/plugins/date/FromThruDateCheck.js,/flatgrey/js/application.js,/rainbowstone/js/less.min.js,/common/js/plugins/moment-timezone/moment-with-locales.min.js,/common/js/plugins/moment-timezone/moment-timezone-with-data.min.js,/common/js/util/setUserLocale.js,/common/js/jquery/plugins/select2/js/i18n/fr.js,/common/js/jquery/plugins/datetimepicker/i18n/jquery-ui-timepicker-fr.js,/common/js/jquery/plugins/validate/localization/messages_fr.js,/common/js/jquery/ui/i18n/datepicker-fr.js,/common/js/jquery/plugins/datejs/date-fr-FR.js,/common/js/jquery/plugins/Readmore.js-master/readmore.js,/common/js/jquery/plugins/jquery-jgrowl/jquery.jgrowl-1.4.6.min.js,/common/js/jquery/plugins/jquery-jgrowl/jquery.jgrowl-1.4.6.min.css,/common/js/jquery/plugins/elrte-1.3/css/elrte.min.css,/common/js/jquery/ui/jquery-ui-1.12.1.min.css,/common/js/jquery/plugins/datetimepicker/jquery-ui-timepicker-addon-1.6.3.min.css
,/common/js/jquery/plugins/select2/css/select2-4.0.6.css,/rainbowstone/style.css,/rainbowstone/flag-icon.min.css,/rainbowstone/javascript.css</param-value>
+            <!-- <param-name>nonceCacheSize</param-name>
+            <param-value>100</param-value> -->
+        </init-param>
+    </filter>
+    <filter>
         <display-name>ControlFilter</display-name>
         <filter-name>ControlFilter</filter-name>
         <filter-class>org.apache.ofbiz.webapp.control.ControlFilter</filter-class>
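Review bot: the `entryPoints` values in this hunk cannot match any request, so the exemption never applies. Tomcat's CsrfPreventionFilter compares each entry against `getServletPath()` plus `getPathInfo()`, which is relative to the webapp's context, while every value here carries the mount prefix (`/webtools/...`, `/common/...`, `/rainbowstone/...`, `/flatgrey/...`). Assuming this is the webtools webapp's web.xml, the login entry point should read `/control/checkLogin`, and the files under `/common`, `/rainbowstone` and `/flatgrey` are served by other contexts, so listing them here has no effect; each of those webapps would need its own filter declaration if they are to be covered at all. Entry points are also only honoured for GET requests, so a POST to one of them is still nonce-checked. Separately, the commented-out `nonceCacheSize` pair sits inside the `entryPoints` `<init-param>`; if it is ever uncommented the element would carry two `<param-name>`s, which is invalid against the web-app schema, so move it into its own `<init-param>` element now.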
@@ -64,6 +75,10 @@
         <filter-class>org.apache.ofbiz.webapp.control.ContextFilter</filter-class>
     </filter>
     <filter-mapping>
+        <filter-name>CSRFPreventionFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+    <filter-mapping>
         <filter-name>ControlFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
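Review bot: mapping the filter to `/*` ahead of ControlFilter makes the CSRF check the first thing a request meets, and the filter denies (403 by default) any request whose session has no nonce cache yet unless it is a GET to an entry point. Since none of the entry points in the first hunk match a context-relative path, the very first request of a new session to this webapp is refused, which is consistent with the 403 reported in the comment. Suggest adding the context-relative landing paths (for example `/control/main` and `/control/checkLogin`) as entry points and, as a quick check, confirming whether the failing request URL carries the `org.apache.catalina.filters.CSRF_NONCE` parameter: the nonce is only appended to URLs that pass through `response.encodeURL()` or `encodeRedirectURL()`, so any link or form built without them will be rejected. The mapping also has no `<dispatcher>` element, so it defaults to REQUEST and forwarded views are not re-checked, which is the desired behaviour for this filter.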
{code}
It's 

> Add a mean to handle CSRF
> -------------------------
>
>                 Key: OFBIZ-10427
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10427
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>
> I already worked on that in OFBiz but without success so far: https://markmail.org/message/r245yie623cdo3wz)
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really not simple in OFBiz)
> * https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction (I think preferred)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
