Hi,

You need to exclude the acs url as below [1] in the
"Owasp.CsrfGuard.Carbon.properties" file in the
/wso2es-2.1.0/repository/conf/security directory.

[1] - org.owasp.csrfguard.unprotected.ServicesACS=%servletContext%/acs

Thanks!
Rajith

On Wed, Nov 30, 2016 at 12:21 PM, Shakila Sivagnanarajah <[email protected]> wrote:

> Hi,
>
> I'm trying to configure SSO in wso2es 2.1.0 in our staging environment. I
> configured the SAML2SSOAuthenticator in
> <ES_HOME>/repository/conf/security/authenticators.xml as
> shown in [1]. I get the exception [2] when I try to log in to the mgt console.
> The issuer carbonServerSP is configured with the Assertion Consumer
> URL https://<IP>:<PORT>/acs in staging IS.
>
> I tried to prevent this CSRF by configuring the CSRF Valve as
> mentioned in the documentation [3]. But I am still experiencing the same. Could
> you please advise me on how to resolve this?
>
> [1]
>     <Authenticator name="SAML2SSOAuthenticator" disabled="false">
>        <Priority>10</Priority>
>        <Config>
>            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
>            <Parameter name="ServiceProviderID">carbonServerSP</Parameter>
>            <Parameter name="IdentityProviderSSOServiceURL">https://<IS_URL>/samlsso</Parameter>
>            <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
>            <Parameter name="IdPCertAlias">wso2carbon</Parameter>
>        </Config>
>     </Authenticator>
>
> [2]
>
> TID: [-1234] [] [2016-11-30 12:09:21,767]  WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:xx.xxx.x.xxx, method:POST, uri:/acs, error:required token is missing from the request)
>
> [3] https://docs.wso2.com/display/IS500/Mitigating+Cross+Site+Request+Forgery+(CSRF)+Attacks#MitigatingCrossSiteRequestForgery(CSRF)Attacks-MitigatingusingtheCSRFValve
>
> Thank you
>
> --
> Shakila Sivagnanarajah
> Software Engineer
> Mobile :+94 (0) 768 856837
> [email protected]
> WSO2, Inc.
> lean . enterprise . middleware
> http://www.wso2.com/
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-72-642-8350
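
As an added example (not code from the thread or from WSO2), a small Python check that reads the `org.owasp.csrfguard.unprotected.*` entries of an Owasp.CsrfGuard.Carbon.properties file, expands `%servletContext%`, and reports whether the URI in a CSRFGuard "attack thwarted" WARN line is excluded. The sample property lines are constructed, and the matching rules (exact path, `/dir/*` prefix, `^regex$`) are an assumption about how CSRFGuard evaluates unprotected pages, not taken from its source.

```python
import re
UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."
# Constructed sample of the relevant property lines (not the file WSO2 ships): the
# ACS exclusion from the reply plus one wildcard entry to exercise prefix matching.
SAMPLE_PROPS = """\
# unprotected pages (constructed sample)
org.owasp.csrfguard.unprotected.ServicesACS=%servletContext%/acs
org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
"""
# The WARN line quoted in the thread, joined onto one line (ip masked as there).
SAMPLE_LOG = ("TID: [-1234] [] [2016-11-30 12:09:21,767]  WARN "
              "{org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request "
              "forgery (CSRF) attack thwarted (user:<anonymous>, ip:xx.xxx.x.xxx, "
              "method:POST, uri:/acs, error:required token is missing from the request)")
THWARTED = re.compile(r"CSRF\) attack thwarted \(.*?method:(?P<method>\w+), uri:(?P<uri>[^,]+),")

def load_unprotected(props_text, servlet_context=""):
    """Collect unprotected.* entries, expanding %servletContext% ('' = root context)."""
    entries = {}
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith(UNPROTECTED_PREFIX):
            name = key.strip()[len(UNPROTECTED_PREFIX):]
            entries[name] = value.strip().replace("%servletContext%", servlet_context)
    return entries

def unprotected_by(uri, entries):
    """Name of the first entry covering uri, else None. Matching rules are an
    assumption based on CSRFGuard docs: exact path, '/dir/*' prefix, '^regex$'."""
    for name, pat in entries.items():
        if pat.startswith("^") and pat.endswith("$"):
            hit = re.search(pat, uri) is not None
        elif pat.endswith("/*"):
            hit = uri.startswith(pat[:-1])  # keep the trailing slash in the prefix
        else:
            hit = uri == pat
        if hit:
            return name
    return None

def explain_warning(log_line, props_text, servlet_context=""):
    """Parse a CSRFGuard 'attack thwarted' WARN line and report whether the logged
    URI is excluded by the given properties: (method, uri, entry name or None)."""
    m = THWARTED.search(log_line)
    if not m:
        raise ValueError("not a CSRFGuard 'attack thwarted' line")
    entries = load_unprotected(props_text, servlet_context)
    return m["method"], m["uri"], unprotected_by(m["uri"], entries)
```

Run it against the real properties file and the server's context path: if the ACS URI still comes back as `None`, the exclusion line is missing or has the wrong context prefix, and the POST from the IdP will keep being rejected.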
