From "James Yong (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11306) POC for CSRF Token
Date Thu, 19 Dec 2019 02:59:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16999695#comment-16999695 ]

James Yong commented on OFBIZ-11306:
------------------------------------

Hi all,

I have updated the patch to version 2.
<@csrfTokenField> macro is removed.
The general rules are as follows:
1) A RequestMap configured with the 'get' method is exempted from the CSRF token check.
2) A RequestMap configured with the 'post' or 'all' method is subjected to the CSRF token check.
3) Request URIs starting with "Lookup" or equal to "main" are also exempted from the CSRF token check.
Setting csrf-token to false or true on the Request Map will override the general rules above.

Hi Samuel,

q1: The values used were taken from the given page. You can use a find-in-page function. Using the
standard library is possible. Will look into it soon.

q2: In version 2, the map is used to store uri / token pair.

q3: Thanks for the finding. Changed to checking the RequestMap instead of request methods.

Hi Jacques,

I am using Intellij IDE. Checked out the project using the SVN link. 


> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token
> field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to
> X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token check during
> Ajax POST call.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
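The exemption rules and the per-URI token map described in the comment above, written out as a small model so the decision logic can be read and exercised in one place. This is an added example, not code from the OFBIZ-11306 patch or from OFBiz itself: the `RequestMap` dataclass, the `requires_csrf_check` function and the `CsrfSession` store are assumed names that stand in for the controller's request-map entries and the session-scoped token storage. The check accepts the token either from the hidden form field or from the `X-CSRF-Token` header (the Ajax path), and compares it in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RequestMap:
    """Hypothetical stand-in for one controller request-map entry."""
    uri: str
    method: str = "all"                 # 'get', 'post' or 'all'
    csrf_token: Optional[bool] = None   # explicit csrf-token override, None = use general rules


def requires_csrf_check(rm: RequestMap) -> bool:
    """Apply the general rules from the comment, with the csrf-token attribute overriding them."""
    # An explicit csrf-token="true"/"false" on the request map wins over everything else.
    if rm.csrf_token is not None:
        return rm.csrf_token
    # Rule 3: Lookup* URIs and "main" are exempt regardless of method.
    if rm.uri.startswith("Lookup") or rm.uri == "main":
        return False
    # Rule 1 / Rule 2: only 'post' and 'all' request maps are checked; 'get' is exempt.
    return rm.method.lower() in ("post", "all")


class CsrfSession:
    """Assumed model of the session-scoped uri -> token map (version 2 of the patch)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def token_for(self, uri: str) -> str:
        """Return the token issued for this URI, generating one on first use."""
        token = self._tokens.get(uri)
        if token is None:
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            self._tokens[uri] = token
        return token

    def verify(self, rm: RequestMap, form_field: Optional[str] = None,
               header: Optional[str] = None) -> bool:
        """Return True if the request may proceed.

        Exempt request maps always pass. Checked request maps pass only when a token
        was issued for this URI and the submitted value (hidden form field, else the
        X-CSRF-Token header) matches it in constant time.
        """
        if not requires_csrf_check(rm):
            return True
        expected = self._tokens.get(rm.uri)
        supplied = form_field if form_field is not None else header
        if expected is None or supplied is None:
            return False
        return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed sample request maps, mirroring the examples in the comment.
    session = CsrfSession()
    create_party = RequestMap("createParty", "post")
    token = session.token_for(create_party.uri)
    print("form post with token:", session.verify(create_party, form_field=token))
    print("form post without token:", session.verify(create_party))
    print("Lookup via ajax post:", session.verify(RequestMap("LookupPartyName", "post")))
```

The override check comes first on purpose: a request map that sets `csrf-token="true"` stays protected even when its URI starts with "Lookup", and one that sets `csrf-token="false"` is exempt even for a `post` method, which is what the comment says the attribute should do.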
