ofbiz-notifications mailing list archives

From "James Yong (Jira)" <j...@apache.org>
Subject [jira] [Created] (OFBIZ-11306) POC for CSRF Token
Date Sun, 08 Dec 2019 07:50:00 GMT
James Yong created OFBIZ-11306:

             Summary: POC for CSRF Token
                 Key: OFBIZ-11306
                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
             Project: OFBiz
          Issue Type: Improvement
          Components: ALL APPLICATIONS
    Affects Versions: Upcoming Branch
            Reporter: James Yong
            Assignee: James Yong
             Fix For: Upcoming Branch

CSRF tokens are generated using the CSRF Guard library and used in:
1) Widget forms, where a hidden token field is auto-generated.
2) FTL forms, where a <@csrfTokenField> macro is used to generate the CSRF token field.
3) Ajax calls, where a <@csrfTokenAjax> macro is used to assign the CSRF token to the X-CSRF-Token request header.

CSRF tokens are stored in the user sessions, and verified during POST request.

A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.

Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.

This message was sent by Atlassian Jira
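The token flow the ticket describes (per-session token, hidden form field or X-CSRF-Token header, check on POST only, path-based exemption), as an added stand-alone Python model; this is not OFBiz or CSRF Guard code, and the `csrfToken` field name, the dict-backed session and the exemption set are assumptions for illustration.

```python
import hmac
import secrets

SESSION_KEY = "csrfToken"           # session attribute holding the token (assumed name)
FIELD_NAME = "csrfToken"            # hidden form field name (assumed)
HEADER_NAME = "X-CSRF-Token"        # header set by the Ajax macro, per the ticket
EXEMPT_PATHS = {"LookupPartyName"}  # paths exempted from the check, as the ticket suggests


def get_or_create_token(session):
    """Return the session's CSRF token, generating a fresh random one on first use."""
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def csrf_token_field(session):
    """Hidden input as a widget form or <@csrfTokenField> macro would emit it."""
    return '<input type="hidden" name="%s" value="%s"/>' % (FIELD_NAME, get_or_create_token(session))


def is_request_allowed(session, method, path, form=None, headers=None, exempt=False):
    """Decide whether a request passes the CSRF check.

    Only POST requests are checked; a path listed in EXEMPT_PATHS or a request whose
    security tag carries csrf-token="false" (modelled by `exempt`) is waived. The
    token may arrive as a form field (HTML forms) or as the X-CSRF-Token header (Ajax).
    """
    if method.upper() != "POST":
        return True
    if exempt or path in EXEMPT_PATHS:
        return True
    expected = session.get(SESSION_KEY)
    if expected is None:          # no token was ever issued to this session
        return False
    supplied = (form or {}).get(FIELD_NAME) or (headers or {}).get(HEADER_NAME)
    if not isinstance(supplied, str) or not supplied:
        return False
    # constant-time comparison so a wrong token leaks nothing through timing
    return hmac.compare_digest(supplied.encode(), expected.encode())
```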
