[jira] [Created] (OFBIZ-11306) POC for CSRF Token


Nicolas Malin (Jira)
James Yong created OFBIZ-11306:
----------------------------------

             Summary: POC for CSRF Token
                 Key: OFBIZ-11306
                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
             Project: OFBiz
          Issue Type: Improvement
          Components: ALL APPLICATIONS
    Affects Versions: Upcoming Branch
            Reporter: James Yong
            Assignee: James Yong
             Fix For: Upcoming Branch


CSRF tokens are generated using the CSRF Guard library and used in:
1) Widget forms, where a hidden token field is auto-generated.
2) FTL forms, where the <@csrfTokenField> macro is used to generate the CSRF token field.
3) Ajax calls, where the <@csrfTokenAjax> macro is used to assign the CSRF token to the X-CSRF-Token request header.

CSRF tokens are stored in the user session and verified during POST requests.

A new attribute, csrf-token, is added to the security tag to exempt a request from the CSRF token check.

Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
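The design described in the issue (one token per session, emitted as a hidden form field or an X-CSRF-Token header, checked only on POST, with a per-path exemption) is the synchronizer token pattern. The following is an added, language-neutral model of that check, written for this page; it is not OFBiz or CSRF Guard code. The session attribute name, the form field name, the `Request` stand-in class and the request paths other than LookupPartyName are assumptions made for the example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Assumed identifiers for this example; not OFBiz's or CSRF Guard's actual names.
SESSION_KEY = "csrfToken"
FIELD_NAME = "csrfToken"
HEADER_NAME = "X-CSRF-Token"


@dataclass
class Request:
    """Minimal stand-in for a servlet request (constructed for the example)."""
    method: str
    path: str
    session: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class CsrfGuard:
    """Synchronizer-token pattern: one random token per session, verified on POST."""

    def __init__(self, exempt_paths=()):
        # Paths listed here are allowed to POST without a token (the csrf-token
        # exemption in the issue); keep this to idempotent lookups only.
        self.exempt_paths = set(exempt_paths)

    def token_for(self, session):
        """Return the session's token, generating it on first use."""
        token = session.get(SESSION_KEY)
        if token is None:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            session[SESSION_KEY] = token
        return token

    def hidden_field(self, session):
        """What a form macro would emit into the page."""
        value = html.escape(self.token_for(session), quote=True)
        return '<input type="hidden" name="%s" value="%s"/>' % (FIELD_NAME, value)

    def ajax_header(self, session):
        """What an Ajax macro would put on the XMLHttpRequest."""
        return {HEADER_NAME: self.token_for(session)}

    def verify(self, request):
        """Return True if the request may proceed, False if it must be rejected."""
        if request.method.upper() != "POST":
            return True  # only state-changing requests are checked
        if request.path in self.exempt_paths:
            return True
        expected = request.session.get(SESSION_KEY)
        if expected is None:
            return False  # no token was ever issued to this session
        presented = request.headers.get(HEADER_NAME) or request.form.get(FIELD_NAME)
        if not presented:
            return False
        # Constant-time comparison so the check does not leak the token byte by byte.
        return hmac.compare_digest(presented, expected)


def demo():
    """Run the check over constructed requests and return each outcome by name."""
    guard = CsrfGuard(exempt_paths={"/control/LookupPartyName"})
    session, other_session = {}, {}
    token = guard.token_for(session)
    guard.token_for(other_session)
    update = "/control/updatePerson"  # assumed path for a state-changing request
    return {
        "get_without_token": guard.verify(Request("GET", "/control/viewPerson", session)),
        "post_with_form_token": guard.verify(
            Request("POST", update, session, form={FIELD_NAME: token})),
        "post_with_header_token": guard.verify(
            Request("POST", update, session, headers=guard.ajax_header(session))),
        "post_without_token": guard.verify(Request("POST", update, session)),
        "post_with_wrong_token": guard.verify(
            Request("POST", update, session, form={FIELD_NAME: "x" * 43})),
        "post_with_other_sessions_token": guard.verify(
            Request("POST", update, session, form={FIELD_NAME: other_session[SESSION_KEY]})),
        "post_to_exempt_path": guard.verify(
            Request("POST", "/control/LookupPartyName", session)),
        "post_with_no_session_token": guard.verify(
            Request("POST", update, {}, form={FIELD_NAME: token})),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-32s %s" % (name, "allowed" if allowed else "rejected"))
```

Two points worth checking in any deployment of this design: a token presented from another session must fail even though it is well-formed (the check is per session, not a global allow-list), and every path placed on the exemption list becomes a request an attacker can trigger cross-site, so it should only ever hold read-only lookups such as LookupPartyName.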