[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17033463#comment-17033463 ]
Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

I get this in log, which seems better than before:

{noformat}
2020-02-10 10:31:07,178 |jsse-nio-8443-exec-1 |CsrfUtil |E| Cannot find the corresponding request map for path: /entity/edit/Agreement/8000
2020-02-10 10:31:07,475 |jsse-nio-8443-exec-1 |ControlServlet |T| [[[webtools::entity (Domain:https://localhost)] Request Done- total:1.921,since last([webtools::entity...):1.921]]
2020-02-10 10:31:09,980 |jsse-nio-8443-exec-4 |ControlServlet |T| [[[webtools::entity (Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2020-02-10 10:31:10,020 |jsse-nio-8443-exec-4 |UtilProperties |I| ResourceBundle WebappUiLabels (en) created in 0.04s with 27 properties
2020-02-10 10:31:10,020 |jsse-nio-8443-exec-4 |ControlServlet |E| [entity] cannot be called by [POST] method.
2020-02-10 10:31:10,020 |jsse-nio-8443-exec-4 |ControlServlet |T| [[[webtools::entity (Domain:https://localhost)] Request Done- total:0.04,since last([webtools::entity...):0.04]]
2020-02-10 10:31:15,963 |jsse-nio-8443-exec-3 |ControlServlet |T| [[[webtools::entity (Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2020-02-10 10:31:16,013 |jsse-nio-8443-exec-3 |ConfigXMLReader |I| controller loaded: 0.0s, 0 requests, 0 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/handlers-controller.xml
2020-02-10 10:31:16,013 |jsse-nio-8443-exec-3 |ConfigXMLReader |I| controller loaded: 0.02s, 49 requests, 21 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/common-controller.xml
2020-02-10 10:31:16,023 |jsse-nio-8443-exec-3 |ConfigXMLReader |I| controller loaded: 0.0s, 26 requests, 10 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/portal-controller.xml
2020-02-10 10:31:16,043 |jsse-nio-8443-exec-3 |ConfigXMLReader |I| controller loaded: 0.0s, 30 requests, 13 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/security-controller.xml
2020-02-10 10:31:16,053 |jsse-nio-8443-exec-3 |ConfigXMLReader |I| controller loaded: 0.0s, 5 requests, 0 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/tempexpr-controller.xml
2020-02-10 10:31:16,063 |jsse-nio-8443-exec-3 |ConfigXMLReader |I| controller loaded: 0.09s, 121 requests, 79 views in file:/C:/projectsASF/Git/ofbiz-framework/framework/webtools/webapp/webtools/WEB-INF/controller.xml
2020-02-10 10:31:16,066 |jsse-nio-8443-exec-3 |ControlServlet |I| Going to external page: /entity/edit/Agreement/8000
2020-02-10 10:31:16,066 |jsse-nio-8443-exec-3 |ControlServlet |E| An error occurred, going to the errorPage: file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/error/Error.ftl
2020-02-10 10:31:16,077 |jsse-nio-8443-exec-3 |ControlServlet |T| [[[webtools::entity (Domain:https://localhost)] Request Done- total:0.114,since last([webtools::entity...):0.114]]
{noformat}

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using the SecureRandom class (maybe later a JWT with a "time out").
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during POST requests.
> # In *controllers* a new csrf-token attribute is added to the security tag to exempt or force the CSRF token check.
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL forms* a CSRF token is passed through <@ofbizUrl> to automatise the change. Using the <@ofbizUrl> macro to generate the CSRF token means there is no need to manually add the CSRF token field to each form in the ftl files. It will save time for users doing custom implementation and maintenance. While there is a CSRF token in the form URL, the token is invalidated during form submission. So it's unique and harmless even though the CSRF token of the form submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added through OfbizUtil.js (itself called at start in decorators and such).
> # The html metadata is storing the csrf token used by jQuery AJAX. This token will not change to another value after it is consumed.
> # Csrf tokens for the user are removed from the UtilCache when the user logs out or the session is invalidated.
>
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF token check. (Note there are discussions that RequestMap with 'all' method should also not be subjected to CSRF token check. This will be done after ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the general rules above.
>
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done locally
>
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside the constructor of RequestMap class) when determining the final securityCsrfToken value.

-- 
This message was sent by Atlassian Jira
(v8.3.4#803005)
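The general rules quoted above (explicit csrf-token attribute wins, "main" and 'get' exempt, 'post' and 'all' checked), the SecureRandom-based token, its single-use consumption on form submission, the configurable token map size and the removal of a user's tokens on logout, as an added illustration. This is example code written for this page, not OFBiz code and not taken from any of the attached patches; the RequestMap stand-in, TokenStore, allow() and the sample request URIs are assumptions, and only the single-use form-token path is modelled (the reusable AJAX token kept in the html metadata is not).

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration of the CSRF rules described in OFBIZ-11306. Not OFBiz
 * code: RequestMap, TokenStore, allow() and the sample URIs are assumptions
 * made for this example; the project's own logic is in the attached patches.
 */
public class CsrfRulesDemo {

    /** Stand-in for one controller request-map entry (hypothetical). */
    static final class RequestMap {
        final String uri;        // request URI, e.g. "main" or "updateAgreement"
        final String method;     // "get", "post" or "all", as in the controller
        final Boolean csrfToken; // explicit csrf-token="true|false", or null if unset
        RequestMap(String uri, String method, Boolean csrfToken) {
            this.uri = uri; this.method = method; this.csrfToken = csrfToken;
        }
    }

    /**
     * The general rules from the issue: an explicit csrf-token attribute wins,
     * "main" is exempt, "get" is exempt, "post" and "all" are checked.
     */
    static boolean requiresCsrfCheck(RequestMap rm) {
        if (rm.csrfToken != null) return rm.csrfToken;
        if ("main".equals(rm.uri)) return false;
        return !"get".equalsIgnoreCase(rm.method);
    }

    /**
     * Per-user store of single-use tokens with a configurable cap (the
     * "token map size" item); the oldest token is evicted at the cap.
     */
    static final class TokenStore {
        private static final SecureRandom RNG = new SecureRandom();
        private final int maxTokensPerUser;
        private final Map<String, LinkedHashMap<String, Boolean>> byUser = new HashMap<>();

        TokenStore(int maxTokensPerUser) {
            this.maxTokensPerUser = maxTokensPerUser;
        }

        /** 128 random bits from SecureRandom, URL-safe encoded, bound to the user. */
        synchronized String issue(String userKey) {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            byUser.computeIfAbsent(userKey, k -> new LinkedHashMap<String, Boolean>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                    return size() > maxTokensPerUser; // evict oldest beyond the cap
                }
            }).put(token, Boolean.TRUE);
            return token;
        }

        /** Verify and consume: a token is valid exactly once, only for the issuing user. */
        synchronized boolean consume(String userKey, String token) {
            LinkedHashMap<String, Boolean> tokens = byUser.get(userKey);
            return tokens != null && token != null && tokens.remove(token) != null;
        }

        /** On logout or session invalidation drop every token of the user. */
        synchronized void invalidate(String userKey) {
            byUser.remove(userKey);
        }
    }

    /** What a controller would run per request (hypothetical glue). */
    static boolean allow(TokenStore store, RequestMap rm, String userKey, String submitted) {
        return !requiresCsrfCheck(rm) || store.consume(userKey, submitted);
    }

    public static void main(String[] args) {
        TokenStore store = new TokenStore(100);
        String user = "admin";                       // constructed sample user
        String token = store.issue(user);
        RequestMap update  = new RequestMap("updateAgreement", "post", null);
        RequestMap view    = new RequestMap("entity", "get", null);
        RequestMap mainReq = new RequestMap("main", "all", null);
        RequestMap forced  = new RequestMap("lookupAgreement", "get", Boolean.TRUE);
        // GET and "main" are exempt: no token needed.
        System.out.println("GET exempt:      " + allow(store, view, user, null));
        System.out.println("main exempt:     " + allow(store, mainReq, user, null));
        // A POST must carry the issued token; replaying the same token is rejected.
        System.out.println("POST with token: " + allow(store, update, user, token));
        System.out.println("POST replay:     " + allow(store, update, user, token));
        // csrf-token="true" forces the check even on a GET.
        System.out.println("forced GET:      " + allow(store, forced, user, null));
        // Logout removes every outstanding token of the user.
        String later = store.issue(user);
        store.invalidate(user);
        System.out.println("after logout:    " + allow(store, update, user, later));
    }
}
```

Compile and run with `javac CsrfRulesDemo.java && java CsrfRulesDemo`. The two checks that matter for the thread are the replay line (the token seen in the address bar after a form submission has already been removed, so resubmitting it is rejected) and the logout line (a token issued before invalidate() is worthless afterwards); the forced GET shows the csrf-token override taking precedence over the 'get' exemption.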