[jira] [Updated] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)

2020-04-06 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Summary: POC for CSRF Token (CVE-2019-0235)  (was: POC for CSRF Token 
(CVE-2019-12425))

> POC for CSRF Token (CVE-2019-0235)
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative merged with James's.patch, OFBIZ-11306-alternative 
> merged with James's.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> partyTokenMap.webtools.txt
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the 
> form submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or session invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
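
The general rules and the single-use form token from the issue description, as an added Java sketch (not the OFBiz patch or any of the attached files). The class and method names, the in-memory map standing in for the session/UtilCache, the sample request maps, and the fail-closed handling of any method other than 'get' are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration of the rules in the issue description; hypothetical names throughout. */
public class CsrfRuleSketch {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Hypothetical stand-in for the session / UtilCache store: request URI -> pending form token.
    private final Map<String, String> formTokens = new ConcurrentHashMap<>();

    // Token exposed in the HTML metadata for AJAX calls; per the description it keeps its value after use.
    private final String ajaxToken = newToken();

    /** 256 bits from SecureRandom, URL-safe so it can travel in a form action URL. */
    static String newToken() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * Decides whether a request map is subject to the token check.
     * csrfTokenAttr is the csrf-token attribute value: "true", "false", or "" when unset.
     */
    static boolean tokenRequired(String uri, String method, String csrfTokenAttr) {
        if ("true".equals(csrfTokenAttr)) return true;   // explicit setting overrides the general rules
        if ("false".equals(csrfTokenAttr)) return false;
        if ("main".equals(uri)) return false;            // "main" request URIs are exempt
        return !"get".equals(method);                    // 'get' exempt; 'post'/'all' checked (others: assumed checked)
    }

    /** Issues a token for one form targeting the given URI. */
    String issueFormToken(String uri) {
        String token = newToken();
        formTokens.put(uri, token);
        return token;
    }

    /** Form tokens are invalidated on submission, whether or not the check passes. */
    boolean verifyForm(String uri, String presented) {
        String expected = formTokens.remove(uri);
        return constantTimeEquals(expected, presented);
    }

    /** The AJAX token is compared but not consumed. */
    boolean verifyAjax(String presented) {
        return constantTimeEquals(ajaxToken, presented);
    }

    String ajaxToken() {
        return ajaxToken;
    }

    private static boolean constantTimeEquals(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed request maps: {uri, method, csrf-token attribute}
        String[][] requestMaps = {
            {"main", "all", ""},
            {"findItems", "get", ""},
            {"updateItem", "post", ""},
            {"viewOrEdit", "all", ""},
            {"legacyHook", "post", "false"},
            {"exportData", "get", "true"},
        };
        for (String[] m : requestMaps) {
            System.out.printf("%-11s method=%-4s csrf-token=%-5s -> check=%b%n",
                    m[0], m[1], m[2].isEmpty() ? "-" : m[2], tokenRequired(m[0], m[1], m[2]));
        }

        CsrfRuleSketch store = new CsrfRuleSketch();
        String token = store.issueFormToken("updateItem");
        System.out.println("first submission accepted: " + store.verifyForm("updateItem", token));
        System.out.println("replayed token accepted:   " + store.verifyForm("updateItem", token));
        System.out.println("ajax token, first call:    " + store.verifyAjax(store.ajaxToken()));
        System.out.println("ajax token, second call:   " + store.verifyAjax(store.ajaxToken()));
    }
}
```

The replayed form token is rejected because the stored value is removed on the first submission, which is what makes a token visible in the address bar useless afterwards.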


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token (CVE-2019-12425)

2020-04-05 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Summary: POC for CSRF Token (CVE-2019-12425)  (was: POC for CSRF Token)

> POC for CSRF Token (CVE-2019-12425)
> ---
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative merged with James's.patch, OFBIZ-11306-alternative 
> merged with James's.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> partyTokenMap.webtools.txt
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the 
> form submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or session invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-03-09 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Description: 
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form 
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or session invalidated.

The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check. (Note there are discussions that RequestMap with ‘all’ method 
should also not be subjected to CSRF token check. This will be done after 
ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Configure the general rules in a Service method (which will be run inside the 
constructor of RequestMap class) when determining the final securityCsrfToken 
value.


  was:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's uniqueand harmless even though the CSRF token of the form 
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or session invalidated.

The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check. (Note there are discussions that RequestMap with ‘all’ method 
should also not be subjected to CSRF token check. This will be done after 
ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Configure the general rules in a Service method (which will be run inside the 
constructor of RequestMap class) when determining the final securityCsrfToken 
value.



> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> 

[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-26 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306-alternative merged with James's.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative merged with James's.patch, OFBIZ-11306-alternative 
> merged with James's.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> partyTokenMap.webtools.txt
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or session invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-26 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306_Plugins.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> partyTokenMap.webtools.txt
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or session invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-25 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306-alternative merged with James's.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, partyTokenMap.webtools.txt
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or session invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-25 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306-alternative merged with James's.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, partyTokenMap.webtools.txt
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or session invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-23 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306-alternative.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, partyTokenMap.webtools.txt
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or session invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
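
The general rules and the token lifecycle from the issue description above, as an added Java sketch; it is not the code in the attached CsrfUtil.java or in the OFBiz patches. The class and method names, the token-to-URI map, the 32-byte token length and the sample request URIs are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class CsrfTokenSketch {

    private static final SecureRandom RNG = new SecureRandom();

    /** Random token from SecureRandom; 32 bytes is an assumed length. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * General rules from the description. csrfTokenAttr models the csrf-token
     * attribute on the request map: null when it is not set.
     */
    static boolean requiresCsrfCheck(String method, String uri, Boolean csrfTokenAttr) {
        if (csrfTokenAttr != null) {
            return csrfTokenAttr;            // explicit true/false overrides the rules
        }
        if ("main".equals(uri)) {
            return false;                    // "main" request URIs are exempted
        }
        return "post".equals(method) || "all".equals(method);  // 'get' is exempted
    }

    /** Tokens held for one user: single-use form tokens plus one stable AJAX token. */
    static final class UserTokens {
        private final Map<String, String> formTokens;   // token -> URI it was issued for
        private String ajaxToken = newToken();

        UserTokens(int maxSize) {
            // Bounded map: the oldest unused token is dropped once maxSize is exceeded.
            this.formTokens = new LinkedHashMap<String, String>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                    return size() > maxSize;
                }
            };
        }

        synchronized String issueFormToken(String uri) {
            String token = newToken();
            formTokens.put(token, uri);
            return token;
        }

        /** Removes the token whatever the outcome, so it can never be replayed. */
        synchronized boolean consumeFormToken(String uri, String presented) {
            if (presented == null) {
                return false;
            }
            String issuedFor = formTokens.remove(presented);
            return uri.equals(issuedFor);
        }

        synchronized String ajaxToken() {
            return ajaxToken;
        }

        /** The AJAX token is compared, not consumed: it stays valid after use. */
        synchronized boolean checkAjaxToken(String presented) {
            if (ajaxToken == null || presented == null) {
                return false;
            }
            return MessageDigest.isEqual(
                    ajaxToken.getBytes(StandardCharsets.UTF_8),
                    presented.getBytes(StandardCharsets.UTF_8));
        }

        /** Logout or session invalidation: nothing issued earlier verifies any more. */
        synchronized void clear() {
            formTokens.clear();
            ajaxToken = null;
        }
    }

    public static void main(String[] args) {
        // Request URIs below are constructed samples, not OFBiz request maps.
        System.out.println("get  viewThing    -> " + requiresCsrfCheck("get", "viewThing", null));
        System.out.println("post updateThing  -> " + requiresCsrfCheck("post", "updateThing", null));
        System.out.println("all  main         -> " + requiresCsrfCheck("all", "main", null));
        System.out.println("post, attr=false  -> " + requiresCsrfCheck("post", "updateThing", false));

        UserTokens tokens = new UserTokens(2);
        String form = tokens.issueFormToken("updateThing");
        System.out.println("first submit      -> " + tokens.consumeFormToken("updateThing", form));
        System.out.println("replayed submit   -> " + tokens.consumeFormToken("updateThing", form));

        String ajax = tokens.ajaxToken();
        System.out.println("ajax call 1       -> " + tokens.checkAjaxToken(ajax));
        System.out.println("ajax call 2       -> " + tokens.checkAjaxToken(ajax));

        tokens.clear();
        System.out.println("ajax after logout -> " + tokens.checkAjaxToken(ajax));
    }
}
```

The replayed form submission fails because the token was removed on first use, which is the property the description relies on when it calls a token visible in the address bar harmless.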


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-20 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Description: 
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form 
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or session invalidated.

The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check. (Note there are discussions that RequestMap with ‘all’ method 
should also not be subjected to CSRF token check. This will be done after 
ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Configure the general rules in a Service method (which will be run inside the 
constructor of RequestMap class) when determining the final securityCsrfToken 
value.


  was:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form 
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or session invalidated.

The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check. (Note there are discussions that RequestMap with ‘all’ method 
should also not be subjected to CSRF token check. This will be done after 
ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

To implement:
* -Allow token map size to be configurable in properties.- OK that's done 
locally

To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Configure the general rules in a Service method (which will be run inside the 
constructor of RequestMap class) when determining the final securityCsrfToken 
value.



> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>   

[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-20 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: partyTokenMap.webtools.txt

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, partyTokenMap.webtools.txt


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-19 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306-alternative.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-18 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306-alternative.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-16 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306-alternative.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-15 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306-alternative.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-14 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306-alternative.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-12 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Parent: OFBIZ-1525
Issue Type: Sub-task  (was: Improvement)

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CRSF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's uniqueand harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or session invalidated.
> The general rule are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done 
> locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
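
The rules and token lifecycle in the description quoted above, as an added Java sketch that is not taken from the attached patches or from OFBiz. The class and method names, the one-token-per-request-URI layout of the map, and the sample request URIs are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class CsrfRulesDemo {

    // General rules from the description. explicitSetting models csrf-token="true|false"
    // on the request map's security tag; null means the attribute is absent.
    static boolean requiresTokenCheck(String requestUri, String method, Boolean explicitSetting) {
        if (explicitSetting != null) {
            return explicitSetting;                 // explicit attribute overrides the rules below
        }
        if ("main".equals(requestUri)) {
            return false;                           // "main" request URIs are exempt
        }
        // 'get' is exempt; 'post' and 'all' are checked. Checking any other value as well
        // is a defensive choice of this sketch, not something the description specifies.
        return !"get".equalsIgnoreCase(method);
    }

    // Per-user token map (hypothetical layout: one form token per request URI).
    static final class TokenStore {
        private static final SecureRandom RANDOM = new SecureRandom();
        private final Map<String, String> formTokens;
        private String ajaxToken;

        TokenStore(final int maxSize) {
            // Insertion-ordered map that evicts its oldest entry once maxSize is exceeded.
            this.formTokens = new LinkedHashMap<String, String>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                    return size() > maxSize;
                }
            };
        }

        private static String newToken() {
            byte[] raw = new byte[32];              // 256 bits from SecureRandom
            RANDOM.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        }

        synchronized String issueFormToken(String requestUri) {
            String token = newToken();
            formTokens.put(requestUri, token);
            return token;
        }

        synchronized String ajaxToken() {
            if (ajaxToken == null) {
                ajaxToken = newToken();
            }
            return ajaxToken;
        }

        // Form tokens are single use: a successful check invalidates the token.
        synchronized boolean verifyFormToken(String requestUri, String presented) {
            if (!matches(formTokens.get(requestUri), presented)) {
                return false;
            }
            formTokens.remove(requestUri);
            return true;
        }

        // The AJAX token keeps its value after it has been consumed.
        synchronized boolean verifyAjaxToken(String presented) {
            return matches(ajaxToken, presented);
        }

        // Called on logout or session invalidation.
        synchronized void clear() {
            formTokens.clear();
            ajaxToken = null;
        }

        private static boolean matches(String expected, String presented) {
            if (expected == null || presented == null) {
                return false;
            }
            // Constant-time comparison of the two token strings.
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         presented.getBytes(StandardCharsets.UTF_8));
        }
    }

    static void check(boolean condition, String what) {
        if (!condition) {
            throw new IllegalStateException("unexpected result: " + what);
        }
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        // Constructed request URIs, not taken from any OFBiz controller.
        check(!requiresTokenCheck("findParty", "get", null), "'get' request map is exempt");
        check(requiresTokenCheck("updateParty", "post", null), "'post' request map is checked");
        check(requiresTokenCheck("editParty", "all", null), "'all' request map is checked");
        check(!requiresTokenCheck("main", "all", null), "\"main\" is exempt");
        check(requiresTokenCheck("findParty", "get", Boolean.TRUE), "csrf-token=true forces the check");
        check(!requiresTokenCheck("updateParty", "post", Boolean.FALSE), "csrf-token=false exempts");

        TokenStore store = new TokenStore(2);
        String token = store.issueFormToken("updateParty");
        check(store.verifyFormToken("updateParty", token), "form token accepted once");
        check(!store.verifyFormToken("updateParty", token), "replayed form token rejected");

        String ajax = store.ajaxToken();
        check(store.verifyAjaxToken(ajax) && store.verifyAjaxToken(ajax), "AJAX token survives reuse");

        String first = store.issueFormToken("a");
        store.issueFormToken("b");
        store.issueFormToken("c");                  // map size is 2, so the token for "a" is evicted
        check(!store.verifyFormToken("a", first), "evicted token rejected");

        store.clear();
        check(!store.verifyAjaxToken(ajax), "tokens removed on logout");
    }
}
```

Run it with `java CsrfRulesDemo.java` on Java 11 or later; every `check` line prints `ok:` when the behaviour matches the description.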


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-11 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306-alternative.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done 
> locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-09 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306-alternative.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done 
> locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-09 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306-alternative.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-v2.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done 
> locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-08 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done 
> locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-07 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done 
> locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-07 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done 
> locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-06 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done 
> locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-26 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Description: 
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form 
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or the session is invalidated.

The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check. (Note there are discussions that RequestMap with ‘all’ method 
should also not be subjected to CSRF token check. This will be done after 
ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

To implement:
* -Allow token map size to be configurable in properties.- OK that's done 
locally

To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Configure the general rules in a Service method (which will be run inside the 
constructor of RequestMap class) when determining the final securityCsrfToken 
value.


  was:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form 
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or the session is invalidated.

The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check. (Note there are discussions that RequestMap with ‘all’ method 
should also not be subjected to CSRF token check. This will be done after 
ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

To implement:
* Allow token map size to be configurable in properties.

To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Configure the general rules in a Service method (which will be run inside the 
constructor of RequestMap class) when determining the final securityCsrfToken 
value.



> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> 

[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-26 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Description: 
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form 
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or the session is invalidated.

The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check. (Note there are discussions that RequestMap with ‘all’ method 
should also not be subjected to CSRF token check. This will be done after 
ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

To implement:
* Allow token map size to be configurable in properties.

To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Configure the general rules in a Service method (which will be run inside the 
constructor of RequestMap class) when determining the final securityCsrfToken 
value.


  was:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or the session is invalidated.

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check. (Note there are discussions that RequestMap with ‘all’ method 
should also not be subjected to CSRF token check. This will be done after 
ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

# To implement:
* Allow token map size to be configurable in properties.

# To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Config the general rules in a Service method which will be used when 
determining the actual securityCsrfToken value in constructor of RequestMap 
class.



> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>
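The general rules and the token lifecycle described in this update, as an added Java example that is not part of the Jira message or the attached OFBiz patches. Class and method names, the request names other than LookupPartyName and "main", the per-user key, keying form tokens by request URI, and the cap of 100 are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; names are hypothetical and this is not OFBiz's CsrfUtil.
public class CsrfRulesDemo {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int MAX_FORM_TOKENS = 100; // assumed cap on the per-user token map
    private static final Map<String, TokenStore> STORES = new ConcurrentHashMap<>();

    /** General rules; csrfTokenAttr is the request map's explicit csrf-token value, or null if unset. */
    static boolean tokenRequired(String uri, String method, Boolean csrfTokenAttr) {
        if (csrfTokenAttr != null) return csrfTokenAttr;   // explicit true/false overrides the rules
        if ("main".equals(uri)) return false;              // "main" request URIs are exempt
        if ("get".equalsIgnoreCase(method)) return false;  // 'get' request maps are exempt
        return true; // 'post' and 'all' are checked; unknown values fail closed (assumption)
    }

    /** 256 random bits, URL-safe so the token can travel in a form URL or a header. */
    static String newToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Constant-time comparison; a missing token on either side never matches. */
    static boolean matches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Per-user state: single-use form tokens plus one AJAX token that survives being consumed. */
    static final class TokenStore {
        private final Map<String, String> formTokens = new LinkedHashMap<String, String>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                return size() > MAX_FORM_TOKENS; // oldest token is dropped once the cap is hit
            }
        };
        private final String ajaxToken = newToken();

        synchronized String issueFormToken(String uri) {
            String token = newToken();
            formTokens.put(uri, token);
            return token;
        }

        synchronized boolean verifyForm(String uri, String presented) {
            if (!matches(formTokens.get(uri), presented)) return false;
            formTokens.remove(uri); // invalidated on submission, so a replay fails
            return true;
        }

        String ajaxToken() { return ajaxToken; }

        boolean verifyAjax(String presented) { return matches(ajaxToken, presented); }
    }

    static TokenStore storeFor(String userKey) {
        return STORES.computeIfAbsent(userKey, k -> new TokenStore());
    }

    /** Logout or session invalidation removes every token held for the user. */
    static void logout(String userKey) { STORES.remove(userKey); }

    static void check(boolean condition, String what) {
        if (!condition) throw new IllegalStateException("failed: " + what);
    }

    public static void main(String[] args) {
        // Rule resolution over constructed request maps.
        check(!tokenRequired("FindParty", "get", null), "get is exempt");
        check(tokenRequired("updateParty", "post", null), "post is checked");
        check(tokenRequired("createNote", "all", null), "all is checked");
        check(!tokenRequired("main", "all", null), "main is exempt");
        check(!tokenRequired("LookupPartyName", "post", Boolean.FALSE), "csrf-token=false exempts");
        check(tokenRequired("FindParty", "get", Boolean.TRUE), "csrf-token=true forces the check");

        // Token lifecycle for one constructed user key.
        TokenStore store = storeFor("session-1");
        String formToken = store.issueFormToken("updateParty");
        check(!store.verifyForm("updateParty", "forged"), "wrong token rejected");
        check(store.verifyForm("updateParty", formToken), "first submission accepted");
        check(!store.verifyForm("updateParty", formToken), "replayed form token rejected");

        String ajax = store.ajaxToken();
        check(store.verifyAjax(ajax) && store.verifyAjax(ajax), "AJAX token stays valid after use");

        logout("session-1");
        check(!storeFor("session-1").verifyAjax(ajax), "old token rejected after logout");
        System.out.println("all checks passed");
    }
}
```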

[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-26 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Description: 
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or the session is invalidated.

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check. (Note there are discussions that RequestMap with ‘all’ method 
should also not be subjected to CSRF token check. This will be done after 
ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

# To implement:
* Allow token map size to be configurable in properties.

# To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Config the general rules in a Service method which will be used when 
determining the actual securityCsrfToken value in constructor of RequestMap 
class.


  was:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or the session is invalidated.

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check.
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.


> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> 

[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-26 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Description: 
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs 
out or the session is invalidated.

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check.
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

  was:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions, and verified during POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check.
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.


> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the 

[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-26 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Description: 
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions, and verified during POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token 
will not change to another value after it is consumed

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check.
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

  was:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions, and verified during POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check.
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.


> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
> "time out"). 
> They are stored in the user sessions, and verified during POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter 

[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-26 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Description: 
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions, and verified during POST request.

# In *controllers* a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check.
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

  was:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions, and verified during POST request.

# In controllers a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In Widget Forms a hidden token field is auto-generated.
# In FTL form a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For Ajax calls an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check.
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.


> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
> "time out"). 
> They are stored in the user sessions, and verified during POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The general rule are as 

[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-26 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Description: 
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
"time out"). 
They are stored in the user sessions, and verified during POST request.

# In controllers a new csrf-token attribute is added to the security tag to 
exempt or force CSRF token check. 
# In Widget Forms a hidden token field is auto-generated.
# In FTL form a CSRF token is passed through <@ofbizUrl> to automatise the 
change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
need to manually add the CSRF token field to each form in the ftl files. It 
will save time for users doing custom implementation and maintenance.  While 
there is CSRF token in the form URL, the token is invalidated during form 
submission. So it's unique and harmless even though the CSRF token of the form
submission is shown in the browser address bar.
# For Ajax calls an ajaxPrefilter function (observer on DOM ready) is added 
through OfbizUtil.js (itself called at start in decorators and such)

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token 
check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
token check.
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the 
general rules above.

  was:
CSRF tokens are generated using SecureRandom class.
1) In widget form where a hidden token field is auto-generated.
2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
token field. 
3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to 
X-CSRF-Token in request header. 

CSRF tokens are stored in the user sessions, and verified during POST request.

A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
token check.

Certain request path, like LookupPartyName, can be exempt from CSRF token check 
during Ajax POST call. 


> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
> "time out"). 
> They are stored in the user sessions, and verified during POST request.
> # In controllers a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In Widget Forms a hidden token field is auto-generated.
> # In FTL form a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form
> submission is shown in the browser address bar.
> # For Ajax calls an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check.
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-24 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: CsrfTokenTransform.java
CsrfTokenAjaxTransform.java
CsrfUtil.java

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-22 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-13 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Description: 
CSRF tokens are generated using SecureRandom class.
1) In widget form where a hidden token field is auto-generated.
2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
token field. 
3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to 
X-CSRF-Token in request header. 

CSRF tokens are stored in the user sessions, and verified during POST request.

A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
token check.

Certain request path, like LookupPartyName, can be exempt from CSRF token check 
during Ajax POST call. 

  was:
CSRF tokens are generated using CSRF Guard library and used in:
1) In widget form where a hidden token field is auto-generated.
2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
token field. 
3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to 
X-CSRF-Token in request header. 

CSRF tokens are stored in the user sessions, and verified during POST request.

A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
token check.

Certain request path, like LookupPartyName, can be exempt from CSRF token check 
during Ajax POST call. 


> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class.
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
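
The scheme in the updated description above (a SecureRandom token kept in the user session, sent back as a hidden form field or in the X-CSRF-Token header, verified on POST, with exempt request paths) looks like this in plain Java. This is an added example, not code from the OFBIZ-11306 patches; the class name, the `csrfToken` session attribute and field name, the `exampleUpdate` path and the map-based stand-ins for session and request are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Added illustration; not part of the OFBIZ-11306 patches. All names are hypothetical. */
public class CsrfTokenDemo {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String SESSION_KEY = "csrfToken";    // assumed session attribute name
    private static final String FORM_FIELD = "csrfToken";     // assumed hidden field name
    private static final String AJAX_HEADER = "X-CSRF-Token"; // header named in the description

    // Stand-in for request paths that are exempt from the check during Ajax POST calls.
    private static final Set<String> EXEMPT_AJAX_PATHS = Set.of("LookupPartyName");

    /** Generates an unpredictable 256-bit token, URL-safe so it fits a form field or header. */
    static String newToken() {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Returns the token bound to this session, creating it on first use. */
    static String tokenFor(Map<String, Object> session) {
        return (String) session.computeIfAbsent(SESSION_KEY, k -> newToken());
    }

    /**
     * Decides whether a request may proceed. Only POST is verified, as in the
     * description, so state-changing handlers must not also be reachable via GET.
     * Header names are matched exactly here; a servlet container matches them
     * case-insensitively.
     */
    static boolean isAllowed(String method, String path, boolean ajax,
                             Map<String, String> headers, Map<String, String> params,
                             Map<String, Object> session) {
        if (!"POST".equalsIgnoreCase(method)) {
            return true;
        }
        if (ajax && EXEMPT_AJAX_PATHS.contains(path)) {
            return true;
        }
        String expected = (String) session.get(SESSION_KEY);
        String supplied = ajax ? headers.get(AJAX_HEADER) : params.get(FORM_FIELD);
        if (expected == null || supplied == null) {
            return false; // no token issued for this session, or none sent: reject
        }
        // Constant-time comparison, so response timing does not leak token bytes.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sessions and requests; "exampleUpdate" is a made-up request path.
        Map<String, Object> session = new HashMap<>();
        String token = tokenFor(session);
        String foreignToken = tokenFor(new HashMap<>()); // token issued to a different session
        Map<String, String> none = Map.of();

        System.out.println("form POST, session token:       "
                + isAllowed("POST", "exampleUpdate", false, none, Map.of(FORM_FIELD, token), session));
        System.out.println("Ajax POST, header token:        "
                + isAllowed("POST", "exampleUpdate", true, Map.of(AJAX_HEADER, token), none, session));
        System.out.println("form POST, no token:            "
                + isAllowed("POST", "exampleUpdate", false, none, none, session));
        System.out.println("form POST, other session token: "
                + isAllowed("POST", "exampleUpdate", false, none, Map.of(FORM_FIELD, foreignToken), session));
        System.out.println("Ajax POST, exempt path:         "
                + isAllowed("POST", "LookupPartyName", true, none, none, session));
        System.out.println("GET, no token:                  "
                + isAllowed("GET", "exampleUpdate", false, none, none, session));
    }
}
```

Each exempt path is a POST endpoint that a cross-site page can trigger with the user's session, so the exemption list is worth keeping to read-only lookups.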


[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-12 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch
OFBIZ-11306_Plugins.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-10 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch
OFBIZ-11306_Plugins.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-07 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch
OFBIZ-11306_Plugins.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-05 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch
OFBIZ-11306_Plugins.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-04 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306_Plugins.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-03 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-03 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: (was: OFBIZ-11306.patch)

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-03 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-03 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: (was: OFBIZ-11306.patch)

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-01-03 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-31 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-29 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-27 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-26 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-21 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-18 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306-v2.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-08 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: (was: OFBIZ-11306.patch)

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-08 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-08 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2019-12-07 Thread James Yong (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Yong updated OFBIZ-11306:
---
Attachment: OFBIZ-11306.patch

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: James Yong
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306.patch
>
>
> CSRF tokens are generated using CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf 
> token field. 
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token 
> to X-CSRF-Token in request header. 
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF 
> token check.
> Certain request path, like LookupPartyName, can be exempt from CSRF token 
> check during Ajax POST call. 


