[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-11306:
------------------------------------
    Description:
CSRF tokens are generated using the SecureRandom class (maybe later a JWT with a "time out").
They are stored in the user sessions, and verified during POST request.

# In controllers a new csrf-token attribute is added to the security tag to exempt or force CSRF token check.
# In Widget Forms a hidden token field is auto-generated.
# In FTL form a CSRF token is passed through <@ofbizUrl> to automatise the change. Using <@ofbizUrl> macro to generate the CSRF token means there is no need to manually add the CSRF token field to each form in the ftl files. It will save time for users doing custom implementation and maintenance. While there is CSRF token in the form URL, the token is invalidated during form submission. So it's unique and harmless even though the CSRF token of the form submission is shown in the browser address bar.
# For Ajax calls an ajaxPrefilter function (observer on DOM ready) is added through OfbizUtil.js (itself called at start in decorators and such)

# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF token check.
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the general rules above.

  was:
CSRF tokens are generated using the SecureRandom class.
1) In widget form where a hidden token field is auto-generated.
2) In FTL form where a <@csrfTokenField> macro is used to generate the csrf token field.
3) In Ajax call where a <@csrfTokenAjax> macro is used to assign csrf token to X-CSRF-Token in request header.

CSRF tokens are stored in the user sessions, and verified during POST request.

A new attribute, i.e. csrf-token, is added to the security tag to exempt CSRF token check.

Certain request path, like LookupPartyName, can be exempt from CSRF token check during Ajax POST call.


> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
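The token generation, the request-map rules and the single-use verification described in the issue, as an added Java example written for this page; it is not the CsrfUtil.java attached to OFBIZ-11306. The class name, the session attribute name, the 16-byte token length, the exact-match reading of "main" and the sample request URIs other than LookupPartyName are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical stand-in for the issue's CsrfUtil, written for this note; not OFBiz code. */
public class CsrfRulesDemo {
    private static final SecureRandom RNG = new SecureRandom();
    /** Session attribute name is an assumption; the issue only names the X-CSRF-Token request header. */
    static final String SESSION_KEY = "csrfToken";

    /** Unpredictable token: 16 bytes from SecureRandom, URL-safe base64 so it can ride in an <@ofbizUrl> link. */
    static String newToken() {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** The issue's general rules; csrfTokenAttr is null when the request-map has no csrf-token attribute. */
    static boolean requiresCsrfCheck(String uri, String method, Boolean csrfTokenAttr) {
        if (csrfTokenAttr != null) return csrfTokenAttr;   // explicit csrf-token="true|false" overrides everything
        if ("main".equals(uri)) return false;              // "main" URIs exempt (assumes an exact match)
        return "post".equalsIgnoreCase(method) || "all".equalsIgnoreCase(method);   // 'get' stays exempt
    }

    /** Constant-time compare against the session copy; a token that passes is consumed, so it is single use. */
    static boolean verifyAndConsume(Map<String, Object> session, String submitted) {
        Object expected = session.get(SESSION_KEY);
        if (!(expected instanceof String) || submitted == null) return false;
        boolean ok = MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (ok) session.remove(SESSION_KEY);   // the copy left in the browser address bar is now useless
        return ok;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = newToken();
        session.put(SESSION_KEY, token);
        System.out.println("main, all: " + requiresCsrfCheck("main", "all", null));
        System.out.println("updatePartyName, post: " + requiresCsrfCheck("updatePartyName", "post", null));
        System.out.println("LookupPartyName, post, csrf-token=false: "
                + requiresCsrfCheck("LookupPartyName", "post", Boolean.FALSE));
        System.out.println("first submission accepted: " + verifyAndConsume(session, token));
        System.out.println("replay of the same token accepted: " + verifyAndConsume(session, token));
    }
}
```

Because the token is consumed on first successful use, a second form opened in another tab of the same session would need a freshly issued token; that is a property of the single-use design the issue describes, not something the check itself can relax.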