[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

[Jacques Le Roux (Jira)]

    [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17044338#comment-17044338
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Mmm no, after a "gradlew clean" your patch test and "Check/Update Database" 
works. Mine last passes the test but still have a pb w/ "Check/Update Database" 
a weird unrelated(?) one:

{noformat}
2020-02-25 12:06:28,232 |jsse-nio-8443-exec-2 |ExecutionPool                 
|E| null
java.util.concurrent.ExecutionException: java.sql.SQLException: Connection can 
not be used while enlisted in another transaction
        at java.util.concurrent.FutureTask.report(FutureTask.java:122) 
~[?:1.8.0_202]
        at java.util.concurrent.FutureTask.get(FutureTask.java:192) 
~[?:1.8.0_202]
        at 
org.apache.ofbiz.base.concurrent.ExecutionPool.getAllFutures(ExecutionPool.java:84)
 [main/:?]
        at 
org.apache.ofbiz.entity.jdbc.DatabaseUtil.getColumnInfo(DatabaseUtil.java:1165) 
[main/:?]
        at 
org.apache.ofbiz.entity.jdbc.DatabaseUtil.checkDb(DatabaseUtil.java:188) 
[main/:?]
        at org.apache.ofbiz.entity.jdbc.DatabaseUtil$checkDb.call(Unknown 
Source) [main/:?]
        at 
org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
 [groovy-2.5.8.jar:2.5.8]
        at 
org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115)
 [groovy-2.5.8.jar:2.5.8]
        at CheckDb.run(CheckDb.groovy:49) [script:?]
{noformat}

Working on it.


> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, partyTokenMap.webtools.txt
>
>
> CRSF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's uniqueand harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or session invalidated.
> The general rule are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)