This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit ba707d45be6b2db77649a5e7695c089c36a0e8c5
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sun Apr 5 10:48:55 2020 +0200
Implemented: POC for CSRF Token (OFBIZ-11306) Simple strategy is to rely on SameSite 'strict' value in SameSiteFilter in all supported branches. No backport needed with the changes here. Thanks: James for all the good work we did together :)
---
 framework/security/config/security.properties | 9 ++++++---
 .../src/main/java/org/apache/ofbiz/security/CsrfUtil.java | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index d71f7db..5e195a3 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -156,7 +156,8 @@ security.token.key=security.token.key
 # -- no spaces after commas,no wildcard, can be extended of course...
 host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
-# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
+# -- By default the SameSite value in SameSiteFilter is 'strict'. This property allows to change to 'lax' if needed
+# -- If you use 'lax' we recommend that you set org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see below)
 SameSiteCookieAttribute=
 # -- The cache size for the Tokens Maps that stores the CSRF tokens.
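Review bot: The added second comment line makes CsrfDefenseStrategy only a recommendation for 'lax', but nothing visible in this hunk ties the two properties together, and with SameSite=Lax browsers still attach cookies to cross-site top-level GET navigations, so a deployment that sets `SameSiteCookieAttribute=lax` and leaves `csrf.defense.strategy` unset has no CSRF check on any state-changing GET request. I would make the comment prescriptive rather than advisory: `# -- If you use 'lax' you MUST also set csrf.defense.strategy=org.apache.ofbiz.security.CsrfDefenseStrategy (see below): 'lax' still sends cookies on cross-site top-level GET navigations, so state-changing GET requests are otherwise unprotected.` The comment also does not say what SameSiteFilter does with a value other than 'strict' or 'lax' (for example 'none' or a typo); SameSiteFilter is not part of this diff, so listing the accepted values here, and stating whether an unrecognised value is rejected or falls back to 'strict', would save operators from guessing.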
@@ -174,6 +175,8 @@ csrf.tokenName.nonAjax=
 # -- Default is 3
 csrf.entity.request.limit=
-# csrf defense strategy. Default is org.apache.ofbiz.security.CsrfDefenseStrategy if not specified.
-# use org.apache.ofbiz.security.NoCsrfDefenseStrategy to disable CSRF check totally.
+# -- CSRF defense strategy.
+# -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies,
+# -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified.
+# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy if you want to use a 'lax' for SameSiteCookieAttribute
 csrf.defense.strategy=
\ No newline at end of file
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
index 9d400b8..fa31219 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
@@ -61,7 +61,7 @@ public class CsrfUtil {
 static {
 try {
- String className = UtilProperties.getPropertyValue("security", "csrf.defense.strategy", CsrfDefenseStrategy.class.getCanonicalName());
+ String className = UtilProperties.getPropertyValue("security", "csrf.defense.strategy", NoCsrfDefenseStrategy.class.getCanonicalName());
 Class<?> c = Class.forName(className);
 strategy = (ICsrfDefenseStrategy)c.newInstance();
 } catch (Exception e){
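Review bot: The new default documented here (`default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified`) switches the CSRF token check off out of the box and leaves the SameSite=strict cookie attribute as the only defence, yet that attribute is honoured only by browsers that implement it and only for cookie-carried sessions; users on older browsers, or sessions carried by `;jsessionid=` URL rewriting or by HTTP Basic/client-certificate credentials, get no CSRF protection at all with this default. An empty `csrf.defense.strategy=` as shipped and a missing property presumably both resolve to the no-op strategy (that depends on UtilProperties, which is outside this diff), so an operator reading the file cannot tell that a security control is disabled. I would keep `CsrfDefenseStrategy` as the documented default and let deployments opt out explicitly, or at minimum add to this comment: `# -- NOTE: NoCsrfDefenseStrategy relies entirely on SameSite=strict; browsers that ignore SameSite, URL-rewritten sessions and non-cookie credentials are NOT protected against CSRF.`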
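Review bot: The changed default on the `getPropertyValue` line makes the control fail open: whenever the property is absent (and, if UtilProperties treats an empty value like a missing one, when `csrf.defense.strategy=` is left blank as shipped) the static initializer silently installs `NoCsrfDefenseStrategy`, with no log line telling an operator that CSRF token checking is disabled. I would log the resolved strategy right after the assignment, e.g. `if (strategy instanceof NoCsrfDefenseStrategy) { Debug.logWarning("CSRF token defense disabled; relying on SameSite cookies only", MODULE); }` (Debug and MODULE are assumed to be available in CsrfUtil; neither is visible here). The `catch (Exception e)` body lies outside the hunk, so what `strategy` holds after a `ClassNotFoundException` from a mistyped class name cannot be checked from this diff; a failed load should fall back to the token-checking `CsrfDefenseStrategy`, not to the no-op one. Minor: `c.newInstance()` has been deprecated since Java 9; `c.getDeclaredConstructor().newInstance()` is the replacement.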

