Thank you Rajith. Adding this property solves this CSRF issue.

On Wed, Nov 30, 2016 at 2:54 PM, Rajith Roshan <raji...@wso2.com> wrote:

> Hi,
>
> You need to exclude the acs url as below [1] in the
> "Owasp.CsrfGuard.Carbon.properties"
> file in the /wso2es-2.1.0/repository/conf/security directory.
>
> [1] - org.owasp.csrfguard.unprotected.ServicesACS=%servletContext%/acs
>
> Thanks!
> Rajith
>
> On Wed, Nov 30, 2016 at 12:21 PM, Shakila Sivagnanarajah <shak...@wso2.com> wrote:
>
>> Hi,
>>
>> I'm trying to configure SSO in wso2es 2.1.0 in our staging environment. I
>> configured the SAML2SSOAuthenticator in
>> <ES_HOME>/repository/conf/security/authenticators.xml as
>> shown in [1]. I get the exception [2] when I try to log in to the mgt console.
>> The issuer carbonServerSP is configured with the Assertion Consumer
>> URL https://<IP>:<PORT>/acs in staging IS.
>>
>> I tried to prevent this CSRF by configuring the CSRF Valve as
>> mentioned in the documentation [3]. But I am still experiencing the same. Could
>> you please advise me on how to resolve this?
>>
>> [1]
>>     <Authenticator name="SAML2SSOAuthenticator" disabled="false">
>>        <Priority>10</Priority>
>>        <Config>
>>            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
>>            <Parameter name="ServiceProviderID">carbonServerSP</Parameter>
>>            <Parameter name="IdentityProviderSSOServiceURL">https://<IS_URL>/samlsso</Parameter>
>>            <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
>>            <Parameter name="IdPCertAlias">wso2carbon</Parameter>
>>        </Config>
>>     </Authenticator>
>>
>> [2]
>>
>> TID: [-1234] [] [2016-11-30 12:09:21,767]  WARN
>> {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request
>> forgery (CSRF) attack thwarted (user:<anonymous>, ip:xx.xxx.x.xxx,
>> method:POST, uri:/acs, error:required token is missing from the request)
>>
>> [3] https://docs.wso2.com/display/IS500/Mitigating+Cross+Site+Request+Forgery+(CSRF)+Attacks#MitigatingCrossSiteRequestForgery(CSRF)Attacks-MitigatingusingtheCSRFValve
>>
>> Thank you
>>
>> --
>> Shakila Sivagnanarajah
>> Software Engineer
>> Mobile :+94 (0) 768 856837
>> shak...@wso2.com
>> WSO2, Inc.
>> lean . enterprise . middleware
>> http://www.wso2.com/
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Rajith Roshan
> Software Engineer, WSO2 Inc.
> Mobile: +94-72-642-8350
>



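As an added example (not code from this thread, from WSO2, or from OWASP CSRFGuard), here is a small Python model of what the property Rajith quoted does: it reads `org.owasp.csrfguard.unprotected.*` entries from a properties fragment, decides whether a token-less POST to a given URI is blocked or allowed, and parses the WARN line Shakila quoted so that any remaining CSRFGuard events can be triaged against the same exclusion list. The `%servletContext%` substitution, the `/path/*` prefix rule, the root-context default, the second log line and the `/carbon/example/update.jsp` URI are assumptions or constructed data, not CSRFGuard's real implementation or real WSO2 paths.

```python
import re
from typing import Dict, List, Optional

# Key prefix CSRFGuard uses for pages that need no token (the property quoted in
# the thread). %servletContext% substitution and "/*" prefix entries are an
# assumption of this model; CSRFGuard's regex entries are not modelled.
UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."

# Constructed fragment in the style of Owasp.CsrfGuard.Carbon.properties.
SAMPLE_PROPERTIES = """\
# token check is skipped for these URIs
org.owasp.csrfguard.unprotected.ServicesACS=%servletContext%/acs
"""

# Constructed log sample: line 1 is the WARN quoted in the thread (IP masked by
# the poster); line 2 is a made-up event on an unrelated, still-protected URI.
SAMPLE_LOG = [
    "TID: [-1234] [] [2016-11-30 12:09:21,767]  WARN "
    "{org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request "
    "forgery (CSRF) attack thwarted (user:<anonymous>, ip:xx.xxx.x.xxx, "
    "method:POST, uri:/acs, error:required token is missing from the request)",
    "TID: [-1234] [] [2016-11-30 12:10:05,001]  WARN "
    "{org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request "
    "forgery (CSRF) attack thwarted (user:admin, ip:xx.xxx.x.xxx, "
    "method:POST, uri:/carbon/example/update.jsp, "
    "error:required token is missing from the request)",
]

CSRFGUARD_WARN = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+WARN\s+\{org\.owasp\.csrfguard\.log\.JavaLogger\}\s+-\s+"
    r"potential cross-site request forgery \(CSRF\) attack thwarted "
    r"\(user:(?P<user>[^,]*), ip:(?P<ip>[^,]*), method:(?P<method>[^,]*), "
    r"uri:(?P<uri>[^,]*), error:(?P<error>[^)]*)\)"
)


def parse_unprotected(properties_text: str, servlet_context: str = "") -> Dict[str, str]:
    """Map each unprotected.<Name> entry to a concrete path. The mgt console
    serves from the root context, so %servletContext% defaults to "" (assumption)."""
    excluded: Dict[str, str] = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(UNPROTECTED_PREFIX):
            excluded[key[len(UNPROTECTED_PREFIX):]] = value.replace(
                "%servletContext%", servlet_context)
    return excluded


def is_unprotected(uri: str, excluded: Dict[str, str]) -> bool:
    """Exact match, or prefix match for entries written as /path/*."""
    for path in excluded.values():
        if path.endswith("/*"):
            base = path[:-2]
            if uri == base or uri.startswith(base + "/"):
                return True
        elif uri == path:
            return True
    return False


def csrf_decision(uri: str, has_token: bool, excluded: Dict[str, str]) -> str:
    """'allow' or 'block': a token-less request is blocked unless its URI is
    unprotected. The IdP's SAML POST to /acs can never carry the console's
    token, which is why the thread excludes exactly that URI and nothing else."""
    return "allow" if has_token or is_unprotected(uri, excluded) else "block"


def parse_csrfguard_warn(line: str) -> Optional[Dict[str, str]]:
    """Fields (ts, user, ip, method, uri, error) of a CSRFGuard WARN line."""
    m = CSRFGUARD_WARN.search(line)
    return m.groupdict() if m else None


def triage(lines: List[str], excluded: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    """'expected': URI is excluded, i.e. the SAML POST hit the check before the
    property was added; 'review': URI is still protected, so look at it."""
    buckets: Dict[str, List[Dict[str, str]]] = {"expected": [], "review": []}
    for line in lines:
        event = parse_csrfguard_warn(line)
        if event is not None:
            key = "expected" if is_unprotected(event["uri"], excluded) else "review"
            buckets[key].append(event)
    return buckets


if __name__ == "__main__":
    excluded = parse_unprotected(SAMPLE_PROPERTIES)
    print("excluded:", excluded)
    print("token-less POST /acs without the property:", csrf_decision("/acs", False, {}))
    print("token-less POST /acs with the property:   ", csrf_decision("/acs", False, excluded))
    for name, events in triage(SAMPLE_LOG, excluded).items():
        print(name, [f"{e['ts']} {e['method']} {e['uri']} from {e['ip']}" for e in events])
```

Running it shows the two halves of the fix: `/acs` goes from `block` to `allow` once the property is present, while every other console URI keeps its token check, so a token-less POST anywhere else still lands in the `review` bucket. Excluding only the ACS endpoint is what makes this safe: the request arriving there is authenticated by the signed SAML response that the SAML2SSOAuthenticator verifies with the `IdPCertAlias` certificate from the quoted config, not by the CSRFGuard token.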