[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17007971#comment-17007971 ]
Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------
h6. ecommerce
Trying the one page checkout, at the shipping options section I get
{noformat}
2020-01-04 11:25:58,198 |jsse-nio-8443-exec-4 |ControlServlet |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/getAssociatedStateList'
at org.apache.ofbiz.base.util.CsrfUtil.checkToken(CsrfUtil.java:245) ~[main/:?]
at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:439) ~[main/:?]
{noformat}
and a lot of errors following, notably (I guess there are errors before this one)
{noformat}
2020-01-04 11:28:23,239 |jsse-nio-8443-exec-6 |ControlServlet |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/getShipOptions'
at org.apache.ofbiz.base.util.CsrfUtil.checkToken(CsrfUtil.java:245) ~[main/:?]
at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:439) ~[main/:?]
{noformat}
> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used:
> 1) In widget forms, where a hidden token field is auto-generated.
> 2) In FTL forms, where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax calls, where a <@csrfTokenAjax> macro is used to assign the csrf token to X-CSRF-Token in the request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)