[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008921#comment-17008921 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

bq. I think it is a good practice for CSRF Token check during login. Not sure if it will be easy to set the security csrf token check to false when deploying to demo...
I think we can live with it. Maybe we will find a way later...

The catalog dropdown works now. For the tree, clicking on the main node works but you can't extend it because of

{noformat}
2020-01-06 15:42:49,563 |jsse-nio-8443-exec-6 |ControlServlet                |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/getChild'
        at org.apache.ofbiz.base.util.CsrfUtil.checkToken(CsrfUtil.java:245) ~[main/:?]
        at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:439) ~[main/:?]
{noformat}

In ecommerce the tree works well, but still not the one-page checkout.

To avoid too many iterations here, maybe at some stage we will need to commit and let people report issues where things don't work as expected...

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) In widget form, where a hidden token field is auto-generated.
> 2) In FTL form, where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax call, where a <@csrfTokenAjax> macro is used to assign the csrf token to X-CSRF-Token in the request header.
> CSRF tokens are stored in the user sessions, and verified during POST request.
> A new attribute, i.e. csrf-token, is added to the security tag to exempt CSRF token check.
> Certain request paths, like LookupPartyName, can be exempt from CSRF token check during Ajax POST call.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
