Hi folks,
In order to implement CSRF prevention in UUF, we have introduced a cookie
named CSRFTOKEN which gets created when creating an authenticated session.
We have created a helper, the {{csrfToken}} helper [1], that can be used to
submit the CSRFTOKEN cookie value as a hidden field when submitting a form.
If there are forms that don't require CSRF protection, like the login
form, you can skip those request URIs by adding them to the security
config in app.yaml as follows,
security:
  csrfIgnoreUris:
    - /http-form
    - /file-upload
Note that you will have to either add the {{csrfToken}} helper or update
the ignore URIs as shown above, or the existing forms will fail with the
next UUF release.
Also, the security config section in app.yaml has been changed as follows,
security:
  csrfIgnoreUris: []
  xssIgnoreUris: []
Basically, we have gotten rid of the previous configuration which had
"xssPatterns" and "xssPatterns" and introduced the arrays
"csrfIgnoreUris" and "xssIgnoreUris" [4].
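The check the mechanism above relies on, written out as an added example (not UUF's code): the CSRFTOKEN cookie is issued with the session, the {{csrfToken}} helper echoes it as a hidden field, and the server compares the two unless the request path is listed under csrfIgnoreUris. The hidden field name, the function names and the sample config values are assumptions for illustration.

```python
import hmac
import secrets
from html import escape
from urllib.parse import urlparse

# Constructed model of the double-submit cookie scheme described above.
# Names here are assumptions for illustration, not UUF's own API.
COOKIE_NAME = "CSRFTOKEN"
FIELD_NAME = "CSRFTOKEN"  # assumed: the helper reuses the cookie name for the field

# Mirrors the app.yaml snippet in the mail:
#   security:
#     csrfIgnoreUris:
#       - /http-form
#       - /file-upload
SECURITY_CONFIG = {"csrfIgnoreUris": ["/http-form", "/file-upload"]}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only verbs are not checked


def issue_csrf_token() -> str:
    """Value set as the CSRFTOKEN cookie when the authenticated session starts."""
    return secrets.token_urlsafe(32)


def csrf_hidden_field(cookies: dict) -> str:
    """What the {{csrfToken}} helper renders: the cookie value as a hidden field."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{escape(cookies[COOKIE_NAME])}">'


def is_csrf_ignored(request_uri: str, config: dict = SECURITY_CONFIG) -> bool:
    """Exact path match against csrfIgnoreUris; the query string does not count."""
    return urlparse(request_uri).path in config.get("csrfIgnoreUris", [])


def csrf_check(method: str, request_uri: str, cookies: dict, form: dict) -> bool:
    """Return True when the request may proceed, False when it must be rejected."""
    if method.upper() in SAFE_METHODS:
        return True
    if is_csrf_ignored(request_uri):
        return True  # e.g. the login form, which has no session yet
    cookie = cookies.get(COOKIE_NAME)
    field = form.get(FIELD_NAME)
    if not cookie or not field:
        return False  # a form without the helper fails closed, as the mail warns
    return hmac.compare_digest(cookie, field)  # constant-time comparison
```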
Refer to PR [2] and [3] for more details.
[1] - https://github.com/wso2/carbon-uuf/pull/146
[2] - https://github.com/wso2/carbon-uuf/pull/188
[3] - https://github.com/wso2/carbon-uuf-maven-tools/pull/54
[4] - https://github.com/wso2/carbon-uuf-maven-tools/issues/53
--
Thanks,
Shariq
Associate Technical Lead
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev