[ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608439#comment-16608439 ]

Jacques Le Roux commented on OFBIZ-10427:
-----------------------------------------

Hi Girish,

I did not review nor test yet. It's indeed a way to go.

The others so far were made by Gregory in the security ML. I completely missed 
putting them in [my answer in dev ML|https://s.apache.org/XPhR] with my answers 
to Gregory's suggestion then (3 months ago, on a related subject including 
CSRF). Here they are:
{quote}> So to do that, I recommend to perform a SHA512 of the user's session 
(as it is unpredictable) and then you pass this value in the body request. Then 
the application checks it is okay by hashing the session value and comparing it 
with the value that has been passed.
{quote}
That's an idea, I'll get deeper into this, because I believe the Tomcat CSRF 
filter is too limited for our use in OFBiz.
{quote}> Maybe through Java Aspect? I don't know if it is supported?
{quote}
We don't use Java Aspect (yet). Anyway I'll consider it also beside building 
our own filter.
----
 

I must add that maybe subclassing the Tomcat filter is easier, better, etc. We 
have to compare both solutions and if needed discuss them again in dev ML. 
Since we already began to discuss there, at this stage I think we can start 
here :)

> Add a mean to handle CSRF
> -------------------------
>
>                 Key: OFBIZ-10427
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10427
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>         Attachments: webtools_web.xml.patch
>
>
> I already worked on that in OFBiz but without success so far: 
> https://markmail.org/message/r245yie623cdo3wz)
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really 
> not simple in OFBiz)
> * 
> https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction
>  (I think preferred)
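The token scheme quoted above (SHA-512 of the unpredictable session id, sent in the request body and recomputed server-side) as an added, stand-alone example; this is not OFBiz code nor the Tomcat CSRF filter. The session id generator, the server secret and the `handle_state_changing_request` dispatcher are assumptions standing in for what a servlet container and a filter would provide. It also goes one step beyond the quote with a keyed (HMAC) variant, so that someone who learns a token cannot even attempt to relate it to the session id without the server secret.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side secret for the keyed variant (assumption, not from the
# thread). In a real deployment it would be generated once and kept out of source.
SERVER_SECRET = secrets.token_bytes(32)


def new_session_id() -> str:
    """Unpredictable session identifier, standing in for the container's JSESSIONID."""
    return secrets.token_hex(16)


def csrf_token_sha512(session_id: str) -> str:
    """The quoted suggestion: the CSRF token is SHA-512 of the session id.

    Because the session id is unpredictable, so is the token; because SHA-512 is
    preimage resistant, a token leaked into a page or a log does not reveal the id.
    """
    return hashlib.sha512(session_id.encode("utf-8")).hexdigest()


def csrf_token_hmac(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed variant (assumption): HMAC-SHA512 over the session id with a server
    secret, so the token cannot be recomputed by anyone who lacks the secret."""
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha512).hexdigest()


def is_valid_csrf_token(session_id: str, submitted: Optional[str], keyed: bool = False) -> bool:
    """Recompute the expected token for this session and compare it to what the
    request body carried. Missing token -> invalid. The comparison is constant
    time so a mismatch position cannot be measured."""
    if not submitted:
        return False
    expected = csrf_token_hmac(session_id) if keyed else csrf_token_sha512(session_id)
    return hmac.compare_digest(expected, submitted)


def handle_state_changing_request(session_id: str, form_fields: Dict[str, str], keyed: bool = False) -> int:
    """What a filter would do in front of a POST handler: 403 on a bad or absent
    token, 200 (dispatch to the real handler) otherwise. HTTP status codes only."""
    if not is_valid_csrf_token(session_id, form_fields.get("csrf_token"), keyed):
        return 403
    return 200


if __name__ == "__main__":
    sid = new_session_id()
    # Form rendered for this session embeds the token; the later POST carries it back.
    print(handle_state_changing_request(sid, {"csrf_token": csrf_token_sha512(sid)}))  # 200
    # Cross-site form post: the attacker's page cannot read the victim's token.
    print(handle_state_changing_request(sid, {}))  # 403
    # Token computed from some other session does not match either.
    print(handle_state_changing_request(sid, {"csrf_token": csrf_token_sha512(new_session_id())}))  # 403
```

The unkeyed form is exactly what the quote proposes; the keyed form costs one secret and removes the dependence on the hash being unguessable from the token alone. Either way the check must run on every state-changing request, which is the part a container filter (or a subclass of it) is meant to guarantee.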



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)