[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17022899#comment-17022899
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Hi James,

bq. Updated the patch to support path like "entity/relations/{entityName}".
I tested and none of the features referenced in the "We have several issues (at 
least) in Webtools. All work on trunk demo." section work. Same for those in the 
"Issues in Entity Data Maintenance related to new REST work at OFBIZ-11007:" 
section.

I'll continue the investigation I began on this subject, and will keep you 
informed of advancements...

bq. Also corrected the formatting issue mentioned.
I think it's a misunderstanding. I was not asking for fixing a few formatting 
issues but to globally follow the code conventions. Fortunately I have the 
tools to do that quickly and easily. Please find attached the newly created 
files correctly formatted. For the existing ones I'll format them after the 
last commit to avoid mixing formatting and changed code. I noticed there is 
plenty of incorrectly formatted code in those. They will benefit from the effort ;)


Also I expect to create a new patch based on yours. Please refrain from modifying 
code for now, in order for us to not collide.

Speak to you...



> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request paths, like LookupPartyName, can be exempted from CSRF token 
> check during Ajax POST calls. 
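The quoted issue description outlines the token lifecycle (generate with SecureRandom, keep in the user session, render into widget/FTL forms or send as the X-CSRF-Token header for Ajax, verify on POST, exempt selected request paths). The following is an added, self-contained Java illustration of that lifecycle written for this page; it is not OFBiz code and not the attached CsrfUtil.java. The session attribute name `_CSRF_TOKEN_`, the form field name `csrfToken`, the `Session`/`Request` stand-ins for the servlet API and the exemption set are assumptions; only `X-CSRF-Token` and `LookupPartyName` come from the issue text.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical illustration of the CSRF token scheme described in OFBIZ-11306. Not OFBiz code. */
public class CsrfTokenDemo {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String SESSION_ATTR = "_CSRF_TOKEN_"; // assumed session attribute name
    private static final String FORM_FIELD = "csrfToken";      // assumed hidden field name
    private static final String HEADER = "X-CSRF-Token";       // header named in the issue
    // Assumed exemption list: only read-only lookups that change no state belong here,
    // because an exempted POST is reachable by a cross-site form without any token.
    private static final Set<String> EXEMPT_PATHS = Set.of("LookupPartyName");

    /** Stand-in for HttpSession: one attribute map per logged-in user. */
    static final class Session {
        final Map<String, Object> attrs = new HashMap<>();
    }

    /** Stand-in for HttpServletRequest: method, request path, form params and headers. */
    static final class Request {
        final String method;
        final String path;
        final Map<String, String> params;
        final Map<String, String> headers;

        Request(String method, String path, Map<String, String> params, Map<String, String> headers) {
            this.method = method;
            this.path = path;
            this.params = params;
            this.headers = headers;
        }
    }

    /** Returns the session's token, generating 256 random bits with SecureRandom on first use. */
    static String getOrCreateToken(Session session) {
        String token = (String) session.attrs.get(SESSION_ATTR);
        if (token == null) {
            byte[] bytes = new byte[32];
            RANDOM.nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.attrs.put(SESSION_ATTR, token);
        }
        return token;
    }

    /** What a hidden token field in a widget form or an FTL <@csrfTokenField> would render. */
    static String renderHiddenField(Session session) {
        return "<input type=\"hidden\" name=\"" + FORM_FIELD + "\" value=\""
                + getOrCreateToken(session) + "\"/>";
    }

    /** Verification step: a POST must carry the session token in the form field or the header. */
    static boolean isAllowed(Request req, Session session) {
        if (!"POST".equalsIgnoreCase(req.method)) {
            return true; // only state-changing POSTs are checked, as in the issue text
        }
        if (EXEMPT_PATHS.contains(req.path)) {
            return true; // path exempted from the check (the issue's csrf-token attribute)
        }
        String expected = (String) session.attrs.get(SESSION_ATTR);
        if (expected == null) {
            return false; // no token was ever issued to this session: reject
        }
        String supplied = req.params.get(FORM_FIELD);
        if (supplied == null) {
            supplied = req.headers.get(HEADER); // Ajax path: token set by <@csrfTokenAjax>
        }
        if (supplied == null) {
            return false;
        }
        // Constant-time comparison so a mismatch does not leak the token through timing.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Session session = new Session();
        String token = getOrCreateToken(session);
        System.out.println(renderHiddenField(session));
        // Constructed sample requests: a legitimate form POST, a legitimate Ajax POST,
        // a forged cross-site POST with a guessed token, and an exempted lookup.
        Request form = new Request("POST", "updateParty", Map.of(FORM_FIELD, token), Map.of());
        Request ajax = new Request("POST", "updateParty", Map.of(), Map.of(HEADER, token));
        Request forged = new Request("POST", "updateParty", Map.of(FORM_FIELD, "guessed"), Map.of());
        Request lookup = new Request("POST", "LookupPartyName", Map.of(), Map.of());
        System.out.println("form POST allowed:   " + isAllowed(form, session));
        System.out.println("ajax POST allowed:   " + isAllowed(ajax, session));
        System.out.println("forged POST allowed: " + isAllowed(forged, session));
        System.out.println("exempt POST allowed: " + isAllowed(lookup, session));
    }
}
```

Two points worth checking when reviewing a scheme like this: the token must be compared with a constant-time routine (here `MessageDigest.isEqual`), and every path placed on the exemption list must be one that performs no state change, since exemption removes the only thing standing between a cross-site form and that request.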



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
