[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008921#comment-17008921 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

bq. I think it is a good practice for CSRF Token check during login. Not sure if it will be easy to set the security csrf token check to false when deploying to demo..
I think we can live with it. Maybe we will find a way later...

The catalog dropdown works now. For the tree, clicking on the main node works but you can't extend it because of

{noformat}
2020-01-06 15:42:49,563 |jsse-nio-8443-exec-6 |ControlServlet                |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/getChild'
        at org.apache.ofbiz.base.util.CsrfUtil.checkToken(CsrfUtil.java:245) ~[main/:?]
        at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:439) ~[main/:?]
{noformat}

In ecommerce the tree works well, still not the one page checkout.

To avoid too many iterations here, maybe at some stage we will need to commit and let people report issues where things don't work as expected...

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) In widget form where a hidden token field is auto-generated.
> 2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.
> CSRF tokens are stored in the user sessions, and verified during POST requests.
> A new attribute i.e. csrf-token is added to the security tag to exempt CSRF token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
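To make the mechanism in the issue description concrete (session-stored token, hidden form field or X-CSRF-Token header, POST-only verification, exempt paths such as LookupPartyName), here is an added, self-contained Java example. It is not OFBiz code and not the CSRF Guard library; the Session, Request, CsrfException and checkToken names, the field name "csrfToken" and the exempt path set are all assumptions for illustration. Case 4 reproduces the shape of the failure in the comment above: an Ajax POST to /getChild without the header is rejected.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

/** Added example of a session-bound CSRF check; names below are assumed, not OFBiz's. */
public final class CsrfCheckExample {

    private static final SecureRandom RANDOM = new SecureRandom();
    static final String FIELD_NAME = "csrfToken";     // assumed hidden-field name
    static final String HEADER_NAME = "X-CSRF-Token";  // header named in the issue description

    /** Stand-in for the user session: one random token, created on first use and reused. */
    static final class Session {
        private String csrfToken;
        String tokenFor() {
            if (csrfToken == null) {
                byte[] raw = new byte[32];
                RANDOM.nextBytes(raw);
                csrfToken = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            }
            return csrfToken;
        }
    }

    /** Stand-in for the parts of the request the check needs (assumed shape). */
    static final class Request {
        final String method, path;
        final Map<String, String> params, headers;
        Request(String method, String path, Map<String, String> params, Map<String, String> headers) {
            this.method = method; this.path = path; this.params = params; this.headers = headers;
        }
    }

    static final class CsrfException extends Exception {
        CsrfException(String msg) { super(msg); }
    }

    /** Returns normally when the request may proceed; throws when a POST carries no valid token. */
    static void checkToken(Request req, Session session, Set<String> exempt) throws CsrfException {
        if (!"POST".equals(req.method)) {
            return;                        // only state-changing requests are checked
        }
        if (exempt.contains(req.path)) {
            return;                        // the csrf-token="false" style exemption
        }
        // Ajax calls send the header; widget and FTL forms send the hidden field.
        String supplied = req.headers.get(HEADER_NAME);
        if (supplied == null) {
            supplied = req.params.get(FIELD_NAME);
        }
        byte[] expected = session.tokenFor().getBytes(StandardCharsets.UTF_8);
        byte[] actual = supplied == null ? new byte[0] : supplied.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so a wrong token cannot be refined byte by byte.
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new CsrfException("Invalid or missing CSRF token for path '" + req.path + "'");
        }
    }

    private static void expectRejected(Request req, Session s, Set<String> exempt) throws Exception {
        try {
            checkToken(req, s, exempt);
            throw new AssertionError("expected rejection for " + req.path);
        } catch (CsrfException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        Session session = new Session();
        Set<String> exempt = Set.of("/LookupPartyName");   // assumed exempt path list
        String token = session.tokenFor();

        // 1) Form POST with the hidden field: allowed.
        checkToken(new Request("POST", "/updateParty", Map.of(FIELD_NAME, token), Map.of()), session, exempt);
        // 2) Ajax POST with the header: allowed.
        checkToken(new Request("POST", "/getChild", Map.of(), Map.of(HEADER_NAME, token)), session, exempt);
        // 3) Exempt lookup without any token: allowed.
        checkToken(new Request("POST", "/LookupPartyName", Map.of(), Map.of()), session, exempt);
        // 4) Ajax POST to /getChild without the header, as in the comment's stack trace: rejected.
        expectRejected(new Request("POST", "/getChild", Map.of(), Map.of()), session, exempt);
        // 5) Token minted for a different session (a forged request): rejected.
        String foreign = new Session().tokenFor();
        expectRejected(new Request("POST", "/updateParty", Map.of(FIELD_NAME, foreign), Map.of()), session, exempt);
        System.out.println("all cases behaved as described");
    }
}
```

Compile and run with `javac CsrfCheckExample.java && java CsrfCheckExample` (Java 11 or later for Map.of and Set.of). The two design points worth carrying over to any real implementation are that the token is compared with MessageDigest.isEqual rather than String.equals, and that the header is consulted before the form field so an Ajax client that forgets the header fails closed instead of silently matching nothing.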