ofbiz-notifications mailing list archives

From "James Yong (Jira)" <j...@apache.org>
Subject [jira] [Created] (OFBIZ-11306) POC for CSRF Token
Date Sun, 08 Dec 2019 07:50:00 GMT
James Yong created OFBIZ-11306:
----------------------------------

             Summary: POC for CSRF Token
                 Key: OFBIZ-11306
                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
             Project: OFBiz
          Issue Type: Improvement
          Components: ALL APPLICATIONS
    Affects Versions: Upcoming Branch
            Reporter: James Yong
            Assignee: James Yong
             Fix For: Upcoming Branch


CSRF tokens are generated using the CSRF Guard library and used in:
1) widget forms, where a hidden token field is auto-generated;
2) FTL forms, where the <@csrfTokenField> macro is used to generate the CSRF token field;
3) Ajax calls, where the <@csrfTokenAjax> macro is used to assign the CSRF token to X-CSRF-Token in the request header.

CSRF tokens are stored in the user sessions and verified during POST requests.

A new attribute, i.e. csrf-token, is added to the security tag to exempt a request from the CSRF token check.

Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
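The mechanism the ticket sketches (a token issued once per session, emitted as a hidden form field or sent in the X-CSRF-Token header by Ajax calls, checked only on POST, with an exemption list for paths such as LookupPartyName) in a single self-contained Java class. This is an added illustration, not the code from OFBIZ-11306 and not the OFBiz or OWASP CSRFGuard API: the class, the session attribute name, the hidden-field name, the Session and Request stand-ins and the method names are all assumptions; only X-CSRF-Token and LookupPartyName come from the ticket.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Session-bound CSRF token check in the shape OFBIZ-11306 describes.
 * Illustrative code only: every class, attribute and method name here is an
 * assumption, not the OFBiz or CSRFGuard API.
 */
public class CsrfTokenDemo {

    static final String SESSION_ATTR = "csrfToken";   // assumed session attribute name
    static final String FIELD_NAME = "csrfToken";     // assumed hidden-field name
    static final String HEADER_NAME = "X-CSRF-Token"; // header named in the ticket
    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for HttpSession: the attributes of one logged-in user. */
    static final class Session {
        final Map<String, Object> attrs = new HashMap<>();
    }

    /** Stand-in for the parts of HttpServletRequest the check needs. */
    static final class Request {
        final String method, path;
        final Map<String, String> params, headers;
        Request(String method, String path, Map<String, String> params, Map<String, String> headers) {
            this.method = method; this.path = path; this.params = params; this.headers = headers;
        }
    }

    /** Issue the token once per session and reuse it: 32 random bytes, URL-safe Base64. */
    static String tokenFor(Session s) {
        String t = (String) s.attrs.get(SESSION_ATTR);
        if (t == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            s.attrs.put(SESSION_ATTR, t);
        }
        return t;
    }

    /** What a widget form or the <@csrfTokenField> macro would emit inside the form. */
    static String hiddenField(Session s) {
        return "<input type=\"hidden\" name=\"" + FIELD_NAME + "\" value=\"" + tokenFor(s) + "\"/>";
    }

    /**
     * Verify a request. Only POST is checked; a path in exemptPaths (the effect of
     * the new security csrf-token attribute) skips the check; otherwise the token
     * from the form field or the X-CSRF-Token header must equal the session token,
     * compared in constant time so a byte-by-byte mismatch leaks no timing signal.
     */
    static boolean verify(Session s, Request r, Set<String> exemptPaths) {
        if (!"POST".equalsIgnoreCase(r.method)) {
            return true;
        }
        if (exemptPaths.contains(r.path)) {
            return true;
        }
        String expected = (String) s.attrs.get(SESSION_ATTR);
        if (expected == null) {
            return false; // no token was ever issued to this session
        }
        String supplied = r.params.get(FIELD_NAME);
        if (supplied == null) {
            supplied = r.headers.get(HEADER_NAME);
        }
        if (supplied == null) {
            return false; // neither the form field nor the Ajax header carried a token
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Session session = new Session();
        Set<String> exempt = Set.of("LookupPartyName"); // exempt lookup path from the ticket
        String token = tokenFor(session);
        System.out.println(hiddenField(session));

        Map<String, String> form = new HashMap<>();
        form.put(FIELD_NAME, token);
        System.out.println("form POST with hidden field accepted: "
                + verify(session, new Request("POST", "updateParty", form, Map.of()), exempt));
        System.out.println("Ajax POST with header accepted: "
                + verify(session, new Request("POST", "updateParty", Map.of(), Map.of(HEADER_NAME, token)), exempt));
        System.out.println("cross-site POST without token accepted: "
                + verify(session, new Request("POST", "updateParty", Map.of(), Map.of()), exempt));
        System.out.println("POST with guessed token accepted: "
                + verify(session, new Request("POST", "updateParty", Map.of(FIELD_NAME, "guess"), Map.of()), exempt));
        System.out.println("exempt path without token accepted: "
                + verify(session, new Request("POST", "LookupPartyName", Map.of(), Map.of()), exempt));
        System.out.println("GET without token accepted: "
                + verify(session, new Request("GET", "updateParty", Map.of(), Map.of()), exempt));
    }
}
```

The exemption branch is the part to watch in review: a path listed there receives no CSRF protection at all, so it should only be granted to requests that change no server state, which is what a lookup such as LookupPartyName is. Binding the token to the session also means it must be regenerated when the session is invalidated or the user logs in again; the stand-in here issues it lazily on first use, which covers that as long as a new session object is created at login.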
