[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17007961#comment-17007961 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Thanks James,

Here are some facts.

First thing I found, you can no longer get directly through login, i.e. using URLs like
https://localhost:8443/catalog/control/login?USERNAME=admin&PASSWORD=ofbiz&JavaScriptEnabled=Y

You then get a redirecting screen saying

bq. Invalid or missing CSRF token to path '/login'. Click here to continue.

I'm not sure it's good or bad, just different. Personally I'd like to keep this feature, it's a moot point.

Then trying to get directly to the product screen using the product dropdown (lookup) I get this error

bq. org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path

{noformat}
2020-01-04 09:43:52,455 |jsse-nio-8443-exec-2 |ControlServlet |E| Error in request handler: org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/LookupProduct'
 at org.apache.ofbiz.base.util.CsrfUtil.checkToken(CsrfUtil.java:245) ~[main/:?]
 at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:439) ~[main/:?]
{noformat}

When I change screen using the UI, I get URLs like
https://localhost:8443/catalog/control/FindCatalog?csrfToken=GFWHa8ErxS4O
https://localhost:8443/catalog/control/FindCategory?csrfToken=leEAMApwS9LH

when actually I still see the same csrf-token in the head source:
<meta name="csrf-token" content="sV3ulyAfSqak"/>

I'm not sure the csrfToken in the URL is an issue. I like the fact that the csrf-token in the head source stays the same. I'm not sure it's the reason why we can use the back button, but I know that a csrf-token changing when changing screen can be an issue that we want to avoid.

I made a jump to webtools and back to catalog w/o problems. When in webtools the csrf-token is changed. Actually the csrf-token is proper to each application, which sounds logical to me. Using back and forth buttons continues to work.

So, apart from the lookup issue, so far so good. I'll continue :) ...

> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request paths, like LookupPartyName, can be exempt from CSRF token check during Ajax POST call.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
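As an added illustration of the check the issue describes (not OFBiz's own CsrfUtil code): a token kept per session and per webapp, accepted either from the X-CSRF-Token header set for Ajax calls or from the hidden csrfToken form field, verified only on POST, with per-path exemptions such as LookupPartyName. The Session and Request classes are assumed minimal stand-ins for the servlet session and request, and the csrfToken field name is assumed from the URLs quoted above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

public class CsrfCheckDemo {
    static final String HEADER = "X-CSRF-Token";   // set by the <@csrfTokenAjax> macro
    static final String FIELD = "csrfToken";       // hidden form field name (assumed)
    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for HttpSession: one stable token per webapp, so it survives screen changes. */
    static final class Session {
        private final Map<String, String> tokens = new HashMap<>();
        String tokenFor(String webapp) {
            return tokens.computeIfAbsent(webapp, k -> newToken());
        }
    }

    static String newToken() {
        byte[] raw = new byte[12];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Minimal request model (assumed): method, webapp, request path, headers, form params. */
    record Request(String method, String webapp, String path,
                   Map<String, String> headers, Map<String, String> params) {}

    /** Paths exempted through the security tag's csrf-token attribute, e.g. LookupPartyName. */
    static final Set<String> EXEMPT = Set.of("/LookupPartyName");

    /** Returns null when the request passes, otherwise the rejection reason. */
    static String checkToken(Session session, Request req) {
        if (!"POST".equalsIgnoreCase(req.method()) || EXEMPT.contains(req.path())) {
            return null;                             // only POST is verified; exempt paths skip
        }
        String supplied = req.headers().get(HEADER); // Ajax call: header
        if (supplied == null) {
            supplied = req.params().get(FIELD);      // widget/FTL form: hidden field
        }
        String expected = session.tokenFor(req.webapp());
        if (supplied == null || !MessageDigest.isEqual(   // constant-time comparison
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8))) {
            return "Invalid or missing CSRF token to path '" + req.path() + "'";
        }
        return null;
    }
}
```

A POST to /LookupProduct carrying neither the header nor the field returns the rejection string, which is the lookup failure seen in the comment above; the same request with X-CSRF-Token set to session.tokenFor("catalog") returns null, while a token taken from the webtools session is rejected because each webapp holds its own.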
