Hi Team,
We identified that disabling "ValidateWhenNoSessionExists" property similar
to following can resolve original session-timeout issue raised by Hasintha.
org.owasp.csrfguard.ValidateWhenNoSessionExists = false
Please add below lines in product "distribution" pom file to correct this
behavior. This was further updated in [1] and [2] (Integration Checklist).
<!-- Update Owasp.CsrfGuard.properties file
>> with ValidateWhenNoSessionExists to disable validation on requests made
>> with no valid session -->
>
> <replace
>> file="target/wso2carbon-core-${carbon.kernel.version}/repository/conf/security/Owasp.CsrfGuard.Carbon.properties"
>> token="org.owasp.csrfguard.ValidateWhenNoSessionExists = true"
>> value="org.owasp.csrfguard.ValidateWhenNoSessionExists = false"/>
>
>
[1]
https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit
[2]
https://docs.google.com/document/d/1A1T-t6IjIaxunjlSyjsGuKSC-x9xl3kilNCTpZVy-EM/edit#
Thank you,
Ayoma.
On Fri, Jul 8, 2016 at 6:35 PM, Dulanja Liyanage <[email protected]> wrote:
>
>
> On Thu, Jul 7, 2016 at 4:53 PM, Ayoma Wijethunga <[email protected]> wrote:
>
>> Hi All,
>>
>> Original issue reported by Hasintha is relevant to how we handle session
>> timeout conditions with CSRFGuard filter. We are working on this and will
>> update with a resolution.
>>
>
> The reason for this behavior is there's no session-existence check prior
> to the form POST. Before CSRFGuard this was not a problem, because, upon a
> failure due to session timeout one of the following would have happened:
>
> 1. in the case of an ajaxprocessor - Request would be propagated to
> the respective admin service, and upon its session non-existence exception,
> will be redirected to the login page.
> 2. in the case of a non-ajaxprocessor - CarbonSecuredHttpContext will
> redirect to the login page before hitting the actual jsp/servlet.
>
> Since CSRFGuard is a filter, it intercepts before either of the above
> happen and sends a 403 forbidden - because that's what it's supposed to do.
>
> There's a platform level javascript function called sessionAwareFunction
> (in main.js) that can be used for this. Registry Browser uses that. We have
> to send the actual operation we want to do as a callback function to
> sessionAwareFunction. It will initially do a session validity check
> via /carbon/admin/jsp/session-validate.jsp and then execute what we want to
> do.
>
> We tried to come up with a centralized solution for this, but failed.
> Therefore, this need to be fixed at product-level.
>
> Please let us know if you see a better solution for this.
>
>
>> In general CSRFGuard should work without any per-page modifications,
>> since we are using JavaScript based attribute injection and header based
>> protection for AJAX requests. However, there might be special cases in
>> which these methodologies fail. Such incidences should be handled
>> case-by-case and we will be adding all the special cases we identified in
>> to the "Integration Checklist" of [1].
>>
>> We had a short offline session with Shavantha on the issue he is facing
>> and identified that there are methods that use "
>> *document.createElement('form')*" JavaScript call to build forms
>> dynamically. Since CSRFGuard JavaScript will not be able to identify such
>> forms, it is necessary to add CSRF token manually. Please see the
>> screenshot attached which is the page source of [2]. In such situations it
>> is required to use JSP Taglib to add CSRF token as an additional parameter.
>> Please follow [1] for additional details.
>>
>> We can of cause arrange quick sessions with teams to check on any
>> edge-case issues they are facing, relevant to CSRFGuard.
>>
>> [1]
>> https://docs.google.com/document/d/1LV23-hD7q1BjsruUdvM5dO4j7pIuUpzR_EYLmdfOo6k/edit#heading=h.xqvmgi6xtm6f
>> [2]
>> https://localhost:9443/t/tenant.com/carbon/user/edit-user-roles.jsp?username=ADDOMAIN%2FAdministrator699&displayName=ADDOMAIN%2FAdministrator699
>>
>> Best Regards,
>> Ayoma.
>>
>> On Thu, Jul 7, 2016 at 11:35 AM, Shavantha Weerasinghe <
>> [email protected]> wrote:
>>
>>> [+Dulanjan]
>>>
>>> Hi All
>>>
>>> When trying to add multiple roles to a user using a feature such as *Select
>>> all from page 1 to page 3* or clicking on a pagination number the same
>>> error comes and throws an error similar to[1]
>>>
>>> [1]
>>> [2016-07-07 11:34:37,139] WARN - JavaLogger potential cross-site
>>> request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1,
>>> method:POST, uri:/t/tenant.com/carbon/user/view-roles.jsp,
>>> error:required token is missing from the request)
>>>
>>>
>>> Regards,
>>> Shavantha Weerasinghe
>>> Senior Software Engineer QA
>>> WSO2, Inc.
>>> lean.enterprise.middleware.
>>> http://wso2.com
>>> http://wso2.org
>>> Tel : 94 11 214 5345
>>> Fax :94 11 2145300
>>>
>>>
>>> On Wed, Jul 6, 2016 at 4:10 PM, Hasintha Indrajee <[email protected]>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> When trying to perform operations through admin console, once the
>>>> session is expired we are getting a 403 from admin console. Seems like this
>>>> occurs due to CSRF filter blocking the request since the session is no
>>>> longer available at the server side.
>>>>
>>>> [2016-07-06 15:34:27,576] WARN {org.owasp.csrfguard.log.JavaLogger} -
>>>> potential cross-site request forgery (CSRF) attack thwarted
>>>> (user:<anonymous>, ip:127.0.0.1, method:POST,
>>>> uri:/carbon/userprofile/set-finish-ajaxprocessor.jsp, error:request token
>>>> does not match session token)
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> [email protected]
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>
>>
>> --
>> Ayoma Wijethunga
>> Software Engineer
>> Platform Security Team
>> WSO2, Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>> Mobile : +94 (0) 719428123 <+94+(0)+719428123>
>> Blog : http://www.ayomaonline.com
>> LinkedIn: https://www.linkedin.com/in/ayoma
>>
>
>
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> Lead, Platform Security Team
> WSO2 Inc.
>
--
Ayoma Wijethunga
Software Engineer
Platform Security Team
WSO2, Inc.; http://wso2.com
lean.enterprise.middleware
Mobile : +94 (0) 719428123 <+94+(0)+719428123>
Blog : http://www.ayomaonline.com
LinkedIn: https://www.linkedin.com/in/ayoma
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
