ofbiz-notifications mailing list archives

From "James Yong (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11306) POC for CSRF Token
Date Thu, 26 Dec 2019 16:27:00 GMT

https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17003691#comment-17003691

James Yong commented on OFBIZ-11306:

Hi Jacques,

Thanks for the feedback.

I have updated the patch with the following changes:
1) Removed CSRFGuard library
2) Simplified the logic for securityCsrfToken in RequestMap i.e. the general rule mentioned above is removed.
3) Switched to UtilCache (instead of http sessions) to store tokens after user login, as some pages contain links to other webapps e.g. acctg trans page contains links to partymgr's viewprofile. Still using sessions to store tokens for ajax and before user login.
4) Extended to rest of the themes from Rainbow Stone.
5) Removed the code which exempts request uri that starts with "Lookup" from CSRF token check.

> POC for CSRF Token
> ------------------
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token check during Ajax POST call.
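As an added illustration of the mechanism discussed in this ticket (not code from the OFBiz patch), the following Python models the verification rules: tokens kept per session for Ajax and before login, a shared per-user cache after login so a link from one webapp into another still validates, the token carried either in a hidden form field or in the X-CSRF-Token header, and a csrf-token attribute on the request map that exempts a request. The hidden-field name, the use of "false" as the exemption value, and the two store names are assumptions.

```python
import hmac
import secrets

TOKEN_HEADER = "X-CSRF-Token"   # header set by the <@csrfTokenAjax> macro (named in the ticket)
TOKEN_FIELD = "csrfToken"       # assumed name of the auto-generated hidden form field

# Constructed stand-ins for the two stores the ticket describes: the HTTP session
# (used for Ajax and before login) and a UtilCache keyed by user login (after login).
session_tokens = {}   # session_id -> token
login_tokens = {}     # userLoginId -> token, shared across webapps


def issue_token(session_id, user_login_id=None):
    """Create (or reuse) the token for this session, or for this user once logged in."""
    store, key = (login_tokens, user_login_id) if user_login_id else (session_tokens, session_id)
    if key not in store:
        store[key] = secrets.token_urlsafe(32)
    return store[key]


def verify_request(method, request_map, session_id, user_login_id=None, form=None, headers=None):
    """Return True when the request passes the CSRF check (or is exempt from it)."""
    if method.upper() != "POST":
        return True                      # only state-changing POSTs are verified
    if request_map.get("csrf-token") == "false":
        return True                      # assumed: csrf-token="false" on the security tag exempts
    # Pick the store the same way the token was issued: per-user cache after login, else session.
    expected = login_tokens.get(user_login_id) if user_login_id else session_tokens.get(session_id)
    if expected is None:
        return False                     # no token was ever issued for this principal
    presented = (form or {}).get(TOKEN_FIELD) or (headers or {}).get(TOKEN_HEADER)
    if presented is None:
        return False                     # neither hidden field nor Ajax header carried a token
    # Constant-time comparison so a mismatch does not leak where the tokens diverge.
    return hmac.compare_digest(presented.encode(), expected.encode())
```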

This message was sent by Atlassian Jira
