[
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17007961#comment-17007961
]
Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------
Thanks James,
Here are some facts.
First thing I found, you can no longer get directly through login, i.e. using
URLs like
https://localhost:8443/catalog/control/login?USERNAME=admin&PASSWORD=ofbiz&JavaScriptEnabled=Y
You then get a redirecting screen saying
bq. Invalid or missing CSRF token to path '/login'. Click here to continue.
I'm not sure it's good or bad, just different. Personally I'd like to keep this
feature, it's a moot point.
Then trying to get directly to product screen using the product dropdown
(lookup) I get this error
bq. org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing
CSRF token for AJAX call to path
{noformat}
2020-01-04 09:43:52,455 |jsse-nio-8443-exec-2 |ControlServlet
|E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing
CSRF token for AJAX call to path '/LookupProduct'
at org.apache.ofbiz.base.util.CsrfUtil.checkToken(CsrfUtil.java:245)
~[main/:?]
at
org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:439)
~[main/:?]
{noformat}
When I change screen using the UI, I get URLs like
https://localhost:8443/catalog/control/FindCatalog?csrfToken=GFWHa8ErxS4O
https://localhost:8443/catalog/control/FindCategory?csrfToken=leEAMApwS9LH
When actually I still see the same csrf-token in head source
<meta name="csrf-token" content="sV3ulyAfSqak"/>
I'm not sure the csrfToken in URL is an issue. I like the fact that the
csrf-token in head source stays the same. I'm not sure it's the reason why we
can use the backup button, but I know that a csrf-token changing when changing
of screen can be an issue that we want to avoid.
I made a jump to webtools and back to catalog w/o problems. When in webtools
the csrf-token is changed. Actually the csrf-token is proper to each
application which sounds logical to me. Using back and forth buttons continues
to work.
So, apart from the lookup issue, so far so good. I'll continue :) ...
> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf
> token field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token
> to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute, i.e. csrf-token, is added to the security tag to exempt CSRF
> token check.
> Certain request paths, like LookupPartyName, can be exempt from CSRF token
> check during Ajax POST call.
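As an added illustration of the design described in the issue and observed in the comment above (this is not OFBiz code nor the attached patch), the check below models a session-stored token per webapp that is verified on POST from either the hidden csrfToken field or the X-CSRF-Token header, with a security-tag style exemption list; the names Session, get_or_create_token, check_token and CSRF_EXEMPT are assumptions. It reproduces the lookup failure from the comment: an Ajax POST to LookupProduct without the header is rejected unless that request map is exempted.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Request maps whose security tag exempts them from the check (the page's
# csrf-token attribute); the single entry is the issue's own example.
CSRF_EXEMPT = {"LookupPartyName"}

TOKEN_PARAM = "csrfToken"      # hidden field / query parameter name seen on the page
TOKEN_HEADER = "X-CSRF-Token"  # header set by the csrfTokenAjax macro


class CsrfError(Exception):
    """Mirrors the RequestHandlerException message quoted in the comment."""


@dataclass
class Session:
    # One token per webapp: the comment observes that catalog and webtools
    # carry different tokens while the token stays the same across screens.
    tokens: dict = field(default_factory=dict)


def get_or_create_token(session: Session, webapp: str) -> str:
    """Return this webapp's session token, generating it on first use."""
    # 9 random bytes -> 12 URL-safe characters, the length seen on the page
    return session.tokens.setdefault(webapp, secrets.token_urlsafe(9))


def check_token(session: Session, webapp: str, method: str, path: str,
                params: Optional[dict] = None,
                headers: Optional[dict] = None) -> bool:
    """Verify a request as the issue describes: only POSTs are checked, the
    token may arrive as the hidden form field or the Ajax header, and exempt
    request maps pass without a token. Raises CsrfError on failure."""
    if method.upper() != "POST":
        return True
    request_map = path.strip("/")
    if request_map in CSRF_EXEMPT:
        return True
    presented = (headers or {}).get(TOKEN_HEADER) or (params or {}).get(TOKEN_PARAM)
    expected = session.tokens.get(webapp)
    # compare_digest avoids leaking the token through timing differences
    if not presented or expected is None or not hmac.compare_digest(expected, presented):
        raise CsrfError(f"Invalid or missing CSRF token for path '{path}'")
    return True
```

Because the token is looked up per webapp, a catalog token presented to webtools fails, which matches the comment's observation that each application carries its own token.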
--
This message was sent by Atlassian Jira
(v8.3.4#803005)