ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (OFBIZ-11306) POC for CSRF Token
Date Fri, 07 Feb 2020 07:54:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17032169#comment-17032169
] 

Jacques Le Roux edited comment on OFBIZ-11306 at 2/7/20 7:53 AM:
-----------------------------------------------------------------

I'm currently not sure about the state of this POC: there were a few commits already.

Is it already committed to trunk?

If yes, wouldn't it be better to work it out in a feature branch so that we have a clear view
what has changes with the POC? It seems not a trivial change to me and from the brief overview
of the comments it was not an easy task and I think it needs review from others too.

Regarding the store of the tokens inside the OFBiz cache: this seems to be an invalid approach
to me. The tokens should be hold in the session or a cookie.

Maybe I am missing something so I recommend to provide the solution in a feature branch for
others to review before it gets committed to trunk.


was (Author: mbrohl):
I'm currently not sure about the state of this POC: there were a few commits already.

Is it already committed to trunk?

If yes, wouldn't it be better to work it out in a feature branch so that we have a clear view
what has changes with the POC? It seems not a trivial change to me and from the brief overview
of the comments it was not an easy task and I think it needs review from others too.

Regarding the store of the tokens inside the OFBiz cache: this seems to be an invalid approach
to me. The tokens should be hold in the session or a cookie.

Maybe I am missing something so I recommend to provide the solution in a feature branch for
others to review before it gets committed to trunk.

 

 

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, CsrfUtil.java,
OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch,
OFBIZ-11306_Plugins.patch
>
>
> CRSF tokens are generated using SecureRandom class (maybe later a JWT with a "time out").

> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP calls)
or OFBiz UtilCache (for authenticated HTTP calls), and verified during POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to exempt
or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the change.
Using <@ofbizUrl> macro to generate the CSRF token means there is no need to manually
add the CSRF token field to each form in the ftl files. It will save time for users doing
custom implementation and maintenance.  While there is CSRF token in the form URL, the token
is invalidated during form submission. So it's uniqueand harmless even though the CSRF token
of the form submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added through
OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token will not
change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs out or session
invalidated.
> The general rule are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF token check.
(Note there are discussions that RequestMap with ‘all’ method should also not be subjected
to CSRF token check. This will be done after ensuring a separate uri is used when posting
changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the general rules
above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside the constructor
of RequestMap class) when determining the final securityCsrfToken value.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message