[jira] [Commented] (OFBIZ-11306) POC for CSRF Token



Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16991403#comment-16991403 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Hi James,

Finally it also works here with the patch in Git-Bash on trunk HEAD:
{noformat}
Jacques@LDLC MINGW64 /c/projectsASF/Git/ofbiz-framework (trunk)
$ patch -p0 <  OFBIZ-11306.patch
patching file applications/humanres/template/FindEmployee.ftl
patching file applications/product/template/price/SetPriceRulesCondEventJs.ftl
patching file build.gradle
patching file framework/base/src/main/java/org/apache/ofbiz/base/util/CsrfTokenUtil.java
patching file framework/common/webcommon/WEB-INF/common-controller.xml
patching file framework/webapp/dtd/site-conf.xsd
patching file framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ConfigXMLReader.java
patching file framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
patching file framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/CsrfTokenAjaxTransform.java
patching file framework/webapp/src/main/java/org/apache/ofbiz/webapp/ftl/CsrfTokenFieldTransform.java
patching file framework/webapp/src/main/resources/org/apache/ofbiz/webapp/freemarkerTransforms.properties
patching file framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
patching file themes/common-theme/template/includes/SetDependentDropdownValuesJs.ftl
patching file themes/common-theme/template/macro/CsvFormMacroLibrary.ftl
patching file themes/common-theme/template/macro/FoFormMacroLibrary.ftl
patching file themes/common-theme/template/macro/HtmlFormMacroLibrary.ftl
patching file themes/common-theme/template/macro/TextFormMacroLibrary.ftl
patching file themes/common-theme/template/macro/XlsFormMacroLibrary.ftl
patching file themes/common-theme/template/macro/XmlFormMacroLibrary.ftl
patching file themes/common-theme/webapp/common/js/util/miscAjaxFunctions.js
patching file themes/rainbowstone/template/Login.ftl

Jacques@LDLC MINGW64 /c/projectsASF/Git/ofbiz-framework (trunk)
{noformat}

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) Widget forms, where a hidden token field is auto-generated.
> 2) FTL forms, where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) Ajax calls, where a <@csrfTokenAjax> macro is used to assign the csrf token to X-CSRF-Token in the request header.
> CSRF tokens are stored in the user sessions, and verified during POST requests.
> A new attribute, i.e. csrf-token, is added to the security tag to exempt from the CSRF token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
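The mechanism the quoted description outlines, as an added example in Python (not OFBiz code and not part of the OFBIZ-11306 patch): one token per user session, emitted either as a hidden form field or as an X-CSRF-Token request header, checked on POST only, with a per-request-path exemption such as LookupPartyName. The session attribute name `_CSRF_TOKEN_`, the form parameter name `csrfToken`, the request path `updateEmployee` and the exemption set are assumptions made up for this example. It goes slightly beyond the description in that one check accepts the token from either the form field or the header, and compares it in constant time.

```python
"""Synchronizer-token CSRF check as described in OFBIZ-11306 (added example,
not OFBiz code): per-session token, hidden field or X-CSRF-Token header,
verification on POST only, exemption by request path."""
import hmac
import secrets

# Session attribute and form parameter names are assumptions for this example.
SESSION_TOKEN_KEY = "_CSRF_TOKEN_"
FORM_PARAM = "csrfToken"
HEADER_NAME = "X-CSRF-Token"
# Paths exempted from the check; LookupPartyName is the one named in the issue,
# the set itself is constructed for the example.
EXEMPT_REQUEST_PATHS = {"LookupPartyName"}


def get_or_create_token(session: dict) -> str:
    """Return the session's CSRF token, generating it on first use."""
    token = session.get(SESSION_TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        session[SESSION_TOKEN_KEY] = token
    return token


def csrf_token_field(session: dict) -> str:
    """What a <@csrfTokenField>-style macro would render into an HTML form."""
    return f'<input type="hidden" name="{FORM_PARAM}" value="{get_or_create_token(session)}"/>'


def csrf_token_ajax_headers(session: dict) -> dict:
    """What a <@csrfTokenAjax>-style macro would attach to an Ajax request."""
    return {HEADER_NAME: get_or_create_token(session)}


def verify_request(session: dict, method: str, request_path: str,
                   form_params: dict, headers: dict) -> bool:
    """Return True when the request may proceed.

    GET and other safe methods are not checked; an exempted path skips the
    check; otherwise the token from the form field or the header must match
    the session token. A session that never issued a token fails closed.
    """
    if method.upper() != "POST":
        return True
    if request_path in EXEMPT_REQUEST_PATHS:
        return True
    expected = session.get(SESSION_TOKEN_KEY)
    if not expected:
        return False
    lowered = {name.lower(): value for name, value in headers.items()}
    supplied = form_params.get(FORM_PARAM) or lowered.get(HEADER_NAME.lower())
    if not supplied:
        return False
    # Constant-time comparison so a forged token leaks nothing via timing.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed walk-through: render a form, then replay the token in a POST.
    session = {}
    print(csrf_token_field(session))
    token = session[SESSION_TOKEN_KEY]
    print("form POST ok:", verify_request(session, "POST", "updateEmployee",
                                          {FORM_PARAM: token}, {}))
    print("forged POST ok:", verify_request(session, "POST", "updateEmployee",
                                            {FORM_PARAM: "forged"}, {}))
    print("exempt Ajax POST ok:", verify_request(session, "POST", "LookupPartyName",
                                                 {}, {}))
```

The exemption is keyed on the request path alone, which is the point of the issue's csrf-token attribute on the security tag: it should be granted only to requests that perform no state change, otherwise the exemption is itself the bypass.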