[
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16999695#comment-16999695
]
James Yong commented on OFBIZ-11306:
------------------------------------
Hi all,
I have updated the patch to version 2.
The <@csrfTokenField> macro is removed.
The general rules are as follows:
1) A RequestMap configured with the 'get' method will be exempted from the CSRF
token check.
2) A RequestMap configured with the 'post' or 'all' method will be subjected to the
CSRF token check.
3) A request URI starting with "Lookup" or equal to "main" is also exempted from the
CSRF token check.
Setting csrf-token to false or true on the RequestMap will override the
general rules above.
Hi Samuel,
q1: The values used were taken from the given page. You can use the find-in-page
function. Using a standard library is possible. Will look into it soon.
q2: In version 2, the map is used to store uri / token pair.
q3: Thanks for the finding. Changed to checking the RequestMap instead of the
request method.
Hi Jacques,
I am using the IntelliJ IDE. I checked out the project using the SVN link.
> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) Widget forms, where a hidden token field is auto-generated.
> 2) FTL forms, where a <@csrfTokenField> macro is used to generate the CSRF
> token field.
> 3) Ajax calls, where a <@csrfTokenAjax> macro is used to assign the CSRF token
> to X-CSRF-Token in the request header.
> CSRF tokens are stored in the user session, and verified during POST requests.
> A new attribute, i.e. csrf-token, is added to the security tag to exempt the CSRF
> token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF token
> check during Ajax POST calls.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
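The exemption rules in the comment above, modelled as a runnable example. This is an added illustration, not the OFBIZ-11306 patch or any OFBiz code: the class names RequestMap, CsrfSession and Request, the hidden form field name csrfToken, and the fail-closed handling of a RequestMap method other than get/post/all are all assumptions of this example. It keys the decision on the RequestMap configuration rather than the incoming HTTP method (the q3 point), stores one token per request URI in the session (the q2 point), and accepts the token either as a form field or in the X-CSRF-Token header, as the issue description outlines for Ajax calls.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class RequestMap:
    """Hypothetical stand-in for an OFBiz controller request-map entry."""
    uri: str
    method: str = "all"               # 'get', 'post' or 'all'
    csrf_token: Optional[bool] = None  # explicit override; None = general rules


def csrf_check_required(rm: RequestMap) -> bool:
    """Decide whether a request to this RequestMap needs a CSRF token check.

    Order: explicit csrf-token attribute wins; then the general rules
    (get -> exempt, URI 'Lookup*' or 'main' -> exempt, post/all -> checked).
    """
    if rm.csrf_token is not None:
        return rm.csrf_token
    if rm.uri.startswith("Lookup") or rm.uri == "main":
        return False
    method = rm.method.lower()
    if method == "get":
        return False
    if method in ("post", "all"):
        return True
    # Assumption of this example: any other method value fails closed.
    return True


class CsrfSession:
    """Session-scoped store mapping request URI -> token (one token per URI)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def token_for(self, uri: str) -> str:
        # Issue a token the first time a URI is rendered, reuse it afterwards
        # so multiple forms for the same URI in one session share it.
        tok = self._tokens.get(uri)
        if tok is None:
            tok = secrets.token_urlsafe(32)
            self._tokens[uri] = tok
        return tok

    def verify(self, uri: str, presented: Optional[str]) -> bool:
        expected = self._tokens.get(uri)
        if expected is None or presented is None:
            return False
        # Constant-time comparison so token guessing cannot use timing.
        return hmac.compare_digest(expected, presented)


@dataclass
class Request:
    """Minimal model of an incoming request (constructed for this example)."""
    uri: str
    method: str                      # actual HTTP method; deliberately NOT consulted
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def presented_token(req: Request) -> Optional[str]:
    # Hidden form field (name 'csrfToken' is an assumption) or the Ajax header.
    return req.params.get("csrfToken") or req.headers.get("X-CSRF-Token")


def handle(rm: RequestMap, req: Request, session: CsrfSession) -> str:
    """Gate the request on the RequestMap's CSRF policy, not on req.method."""
    if csrf_check_required(rm) and not session.verify(rm.uri, presented_token(req)):
        return "403 CSRF token missing or invalid"
    return "200 OK"


if __name__ == "__main__":
    sess = CsrfSession()
    tok = sess.token_for("createParty")
    print(handle(RequestMap("createParty", "post"),
                 Request("createParty", "POST", params={"csrfToken": tok}), sess))
    # A GET to a 'post' RequestMap without a token is still rejected.
    print(handle(RequestMap("createParty", "post"),
                 Request("createParty", "GET"), sess))
    print(handle(RequestMap("LookupPartyName", "all"),
                 Request("LookupPartyName", "POST"), sess))
```

The second call in the usage block is the behaviour behind q3: because the decision reads the RequestMap rather than the HTTP method, an attacker cannot dodge the check by sending the same URI with a different verb.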