Thank you Rajith, adding this property solves this CSRF issue.

On Wed, Nov 30, 2016 at 2:54 PM, Rajith Roshan <raji...@wso2.com> wrote:

> Hi,
>
> You need to exclude the acs url as below [1] in the "Owasp.CsrfGuard.Carbon.properties" file in the /wso2es-2.1.0/repository/conf/security directory.
>
> [1] - org.owasp.csrfguard.unprotected.ServicesACS=%servletContext%/acs
>
> Thanks!
> Rajith
>
> On Wed, Nov 30, 2016 at 12:21 PM, Shakila Sivagnanarajah <shak...@wso2.com> wrote:
>
>> Hi,
>>
>> I'm trying to configure SSO in wso2es 2.1.0 in our staging environment. I configured the SAML2SSOAuthenticator in <ES_HOME>/repository/conf/security/authenticators.xml as shown in [1]. I get the exception [2] when I try to log in to the mgt console. The issuer carbonServerSP is configured with the Assertion Consumer URL https://<IP>:<PORT>/acs in staging IS.
>>
>> I tried to prevent this CSRF by configuring the CSRF Valve as mentioned in the documentation [3]. But I am still experiencing the same. Could you please advise me on how to resolve this?
>>
>> [1]
>>
>>     <Authenticator name="SAML2SSOAuthenticator" disabled="false">
>>         <Priority>10</Priority>
>>         <Config>
>>             <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
>>             <Parameter name="ServiceProviderID">carbonServerSP</Parameter>
>>             <Parameter name="IdentityProviderSSOServiceURL">https://<IS_URL>/samlsso</Parameter>
>>             <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>
>>             <Parameter name="IdPCertAlias">wso2carbon</Parameter>
>>         </Config>
>>     </Authenticator>
>>
>> [2]
>>
>>     TID: [-1234] [] [2016-11-30 12:09:21,767] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:xx.xxx.x.xxx, method:POST, uri:/acs, error:required token is missing from the request)
>>
>> [3] https://docs.wso2.com/display/IS500/Mitigating+Cross+Site+Request+Forgery+(CSRF)+Attacks#MitigatingCrossSiteRequestForgery(CSRF)Attacks-MitigatingusingtheCSRFValve
>>
>> Thank you
>>
>> --
>> Shakila Sivagnanarajah
>> Software Engineer
>> Mobile: +94 (0) 768 856837
>> shak...@wso2.com
>> WSO2, Inc.
>> lean . enterprise . middleware
>> http://www.wso2.com/
>>
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> Rajith Roshan
> Software Engineer, WSO2 Inc.
> Mobile: +94-72-642-8350

--
Shakila Sivagnanarajah
Software Engineer
Mobile: +94 (0) 768 856837
shak...@wso2.com
WSO2, Inc.
lean . enterprise . middleware
http://www.wso2.com/
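To make the effect of Rajith's fix concrete, here is an added example (not CSRFGuard's or WSO2's code) that models the decision an OWASP CSRFGuard-style filter makes for the SAML POST-binding request hitting /acs, before and after the `org.owasp.csrfguard.unprotected.ServicesACS` entry is present. It assumes a simplified model: only POST is checked, unprotected paths are matched exactly after `%servletContext%` is substituted, and the root context is the empty string; the properties texts are constructed.

```python
# Added example (not CSRFGuard's or WSO2's code): a simplified model of how an
# "org.owasp.csrfguard.unprotected.<Name>=<path>" entry changes the decision
# for the IdP's POST to the SAML Assertion Consumer Service (/acs).
# Assumptions: only POST is checked, paths are compared exactly after the
# %servletContext% placeholder is substituted, root context is "".

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."
TOKEN_MISSING = "required token is missing from the request"


def load_unprotected(properties_text, servlet_context=""):
    """Collect unprotected paths from a .properties text, replacing the
    %servletContext% placeholder with the deployed context path."""
    paths = set()
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith(UNPROTECTED_PREFIX):
            paths.add(value.strip().replace("%servletContext%", servlet_context))
    return paths


def csrf_decision(method, uri, has_token, unprotected):
    """Return (allowed, reason) for one request, checking in order:
    unchecked method -> unprotected path -> CSRF token present."""
    if method != "POST":
        return True, "method not checked"
    if uri in unprotected:
        # The ACS exists to receive a cross-site POST from the IdP, so it can
        # never carry this app's CSRF token; integrity of that request rests on
        # the signed SAMLResponse and its InResponseTo check, not on CSRFGuard.
        return True, "uri is unprotected"
    if not has_token:
        return False, TOKEN_MISSING
    return True, "token present"


def thwarted_log(user, ip, method, uri, error):
    """Format a WARN line in the same shape as the one quoted in the thread."""
    return (f"potential cross-site request forgery (CSRF) attack thwarted "
            f"(user:{user}, ip:{ip}, method:{method}, uri:{uri}, error:{error})")


# Constructed properties texts: before and after Rajith's fix.
BEFORE = "# no unprotected entries yet\n"
AFTER = BEFORE + "org.owasp.csrfguard.unprotected.ServicesACS=%servletContext%/acs\n"
```

Note that the exclusion is narrow: other POST targets, such as the login page, still require the token after the change.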