Hello,

2015-12-15 4:35 GMT+02:00 Baron Fujimoto <ba...@hawaii.edu>:

> On Mon, Dec 14, 2015 at 09:12:20PM +0000, Mark Thomas wrote:
> >On 14/12/2015 20:49, Baron Fujimoto wrote:
> >> On Fri, Dec 11, 2015 at 05:02:43PM -1000, Baron Fujimoto wrote:
> >>> On Sat, Dec 12, 2015 at 12:16:01AM +0000, Mark Thomas wrote:
> >
> ><snip/>
> >
> >>> I've confirmed that the problem begins with 8.0.29.
> >
> >Looking through the changelog it is hard to see how any of the changes
> >not in the Catalina section could trigger this. So, focussing on that
> >section...
> >
> >>>> If you can find out how the CSRF protection is adding the token then
> >>>> that will also help since it gives an idea of what to look for in the
> >>>> changelog.
> >>>
> >>> I believe it's done using the OWASP CSRFGuard Project, and I have the
> >>> property files generated by the Grouper devs that define its
> >>> configuration. I'll query the Grouper folks to confirm and see if they
> >>> can provide a relevant and succinct explanation about this in particular.
> >>
> >> The Grouper devs explain, "Javascript sets an HTTP header called
> >> OWASP_CSRFTOKEN: on requests (some excluded per properties file)".
> >
> >That doesn't explain how/where the token is generated or what component
> >validates it server side. I'm guessing a Filter does the validation.
> >
> >> Per the properties file, I believe the following are excluded:
> >>
> >> org.owasp.csrfguard.unprotected.Default=%servletContext%/
> >
> >Hmm. This first one combined with the last entry in the Catalina section
> >of the 8.0.29 changelog look like a possibility.
> >
> >Try each of the following (one at a time, not together) to see if they
> >fix it:
>
> Neither of these, tried independently, appeared to have any effect.
>
> >a) Add the following (note the lack of trailing slash) to the properties
> >file:
> >
> >org.owasp.csrfguard.unprotected.Upload=%servletContext%
>
> I tried this as described, but since I wasn't sure if you really meant the
> .Default property I also tried that, just in case (separate tests,
> performed independently). I tried both by adding the suggested definitions
> after their original definitions (in case they superseded them) and by
> replacing the original definitions.
>
> >b) Set mapperContextRootRedirectEnabled="true" and
> >mapperDirectoryRedirectEnabled="true" on the Context in
> >$CATALINA_BASE/conf/context.xml
>
> The resulting $CATALINA_BASE/conf/context.xml was:
>
> <Context>
>     <WatchedResource>WEB-INF/web.xml</WatchedResource>
>     <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
>
>     mapperContextRootRedirectEnabled="true"
>     mapperDirectoryRedirectEnabled="true"
> </Context>
mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled are
attributes of the Context so your context.xml should look like the one
below:

<Context mapperContextRootRedirectEnabled="true"
         mapperDirectoryRedirectEnabled="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
</Context>

Regards,
Violeta

> Aloha,
> -baron
>
> >> org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
> >> org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
> >> org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
> >> org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
> >> org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
> >> org.owasp.csrfguard.unprotected.JavaScript=%servletContext%/javascript.html
> >> org.owasp.csrfguard.unprotected.Tag=%servletContext%/tag.jsp
> >> org.owasp.csrfguard.unprotected.Redirect=%servletContext%/redirect.jsp
> >> org.owasp.csrfguard.unprotected.Forward=%servletContext%/forward.jsp
> >> org.owasp.csrfguard.unprotected.Session=%servletContext%/session.jsp
> >>
> >> CSRFGuard defines the following actions for a detected attack:
> >>
> >> org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
> >> org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
> >> org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
> >> org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
> >> org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
> >>
> >> Other misc CSRFGuard confs:
> >>
> >> org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
> >> org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
> >> org.owasp.csrfguard.TokenLength=32
> >> org.owasp.csrfguard.PRNG=SHA1PRNG
> >> org.owasp.csrfguard.PRNG.Provider=SUN
> >>
> >> org.owasp.csrfguard.JavascriptServlet.domainStrict = true
> >> org.owasp.csrfguard.JavascriptServlet.cacheControl = private, maxage=28800
> >> org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
> >> org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true
> >> org.owasp.csrfguard.JavascriptServlet.injectIntoForms = true
> >> org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes = true
> >>
> >> Here is an example of a resulting URL/token that results in the error.
> >>
> >> <https://foo.example.edu/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=0JO3-QLCE-98Q4-35G2-6ADK-A352-3NNJ-4H5O>
> >>
> >> Aloha,
> >> -baron
>
> --
> Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
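The thread turns on one detail of the quoted CSRFGuard configuration: `Default=%servletContext%/` exempts the context root with a trailing slash, while a request for the bare context root (no slash) is not on the unprotected list, which is why Mark suggested adding `%servletContext%` without the slash. The following added example is not code from the thread, from OWASP CSRFGuard, Grouper or Tomcat; it parses the quoted `org.owasp.csrfguard.unprotected.*` lines, expands `%servletContext%`, and checks which request paths would be exempt from token validation, with and without the suggested extra entry. The matching rule (exact path match, or prefix match when an entry ends in `*`) and the header-comparison check are my simplified reading of the mechanism described in the thread, not the library's actual matcher; the property text and the session token are constructed sample input.

```python
"""Check which request URIs a CSRFGuard 'unprotected' list exempts.

Assumptions (not taken from the thread or from CSRFGuard itself):
  - an entry matches a request path exactly, or as a prefix if it ends in '*'
  - the query string is ignored when matching
  - a protected request must carry the OWASP_CSRFTOKEN header equal to the
    token held in the session
"""
import hmac

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."
TOKEN_HEADER = "OWASP_CSRFTOKEN"

# Constructed input: the entries quoted in the thread (subset).
CSRFGUARD_PROPERTIES = """
org.owasp.csrfguard.unprotected.Default=%servletContext%/
org.owasp.csrfguard.unprotected.Upload=%servletContext%/upload.html
org.owasp.csrfguard.unprotected.JavaScriptServlet=%servletContext%/JavaScriptServlet
org.owasp.csrfguard.unprotected.Ajax=%servletContext%/ajax.html
org.owasp.csrfguard.unprotected.Error=%servletContext%/error.html
org.owasp.csrfguard.unprotected.Index=%servletContext%/index.html
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
"""

# Constructed input: the same file with Mark's suggestion (a) appended, so the
# later Upload definition replaces the earlier one (note: no trailing slash).
PATCHED_PROPERTIES = CSRFGUARD_PROPERTIES + (
    "org.owasp.csrfguard.unprotected.Upload=%servletContext%\n"
)


def parse_unprotected(properties_text, servlet_context):
    """Return {entry name: resolved path} for every unprotected.* line.

    Later definitions of the same name win, mirroring java.util.Properties.
    """
    entries = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not key.startswith(UNPROTECTED_PREFIX):
            continue
        name = key[len(UNPROTECTED_PREFIX):]
        entries[name] = value.replace("%servletContext%", servlet_context)
    return entries


def is_unprotected(uri, entries):
    """Return the name of the exempting entry, or None if the URI is protected."""
    path = uri.split("?", 1)[0]  # assumption: match on the path only
    for name, pattern in entries.items():
        if pattern.endswith("*"):
            if path.startswith(pattern[:-1]):
                return name
        elif path == pattern:
            return name
    return None


def validate_request(uri, headers, session_token, entries):
    """Decide whether a request passes the token check.

    Returns (allowed, reason).  Exempt paths skip the check; everything else
    must present a header token equal to the session token (constant-time
    comparison, so a mismatch does not leak how many characters agreed).
    """
    exempt = is_unprotected(uri, entries)
    if exempt is not None:
        return True, "unprotected:" + exempt
    presented = headers.get(TOKEN_HEADER)
    if presented is None:
        return False, "missing token"
    if not hmac.compare_digest(presented, session_token):
        return False, "token mismatch"
    return True, "token ok"


if __name__ == "__main__":
    ctx = "/grouper"
    original = parse_unprotected(CSRFGUARD_PROPERTIES, ctx)
    patched = parse_unprotected(PATCHED_PROPERTIES, ctx)
    for uri in ("/grouper/", "/grouper", "/grouper/error.html?code=csrf"):
        print(uri, "original:", is_unprotected(uri, original),
              "patched:", is_unprotected(uri, patched))
```

Run as a script, it shows that `/grouper/` is exempt under the original list while `/grouper` is not, and that the extra no-slash entry makes the bare context root exempt too. The same parser can be pointed at a real properties file to review what an application has exempted from token checking before changing the list.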