[jira] [Comment Edited] (PLUTO-768) Introduce CSRF protection for the ACTION_PHASE via Spring Security

Fri, 05 Apr 2019 15:24:23 -0700 


    [ 
https://issues.apache.org/jira/browse/PLUTO-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16810005#comment-16810005
 ] 

Neil Griffin edited comment on PLUTO-768 at 4/5/19 10:23 PM:
-------------------------------------------------------------

Fixed in commits  
[c4fe79759f189de8694a9369743ef44d9aee07ec|https://github.com/apache/portals-pluto/commit/c4fe79759f189de8694a9369743ef44d9aee07ec]
 and 
[a4d186c6c4081929975926e63351b303f60bec9f|https://github.com/apache/portals-pluto/commit/a4d186c6c4081929975926e63351b303f60bec9f]


was (Author: ngriffin7a):
Fixed in commit  
[c4fe79759f189de8694a9369743ef44d9aee07ec|https://github.com/apache/portals-pluto/commit/c4fe79759f189de8694a9369743ef44d9aee07ec]

> Introduce CSRF protection for the ACTION_PHASE via Spring Security
> ------------------------------------------------------------------
>
>                 Key: PLUTO-768
>                 URL: https://issues.apache.org/jira/browse/PLUTO-768
>             Project: Pluto
>          Issue Type: New Feature
>          Components: portal driver, portlet container
>            Reporter: Neil Griffin
>            Assignee: Neil Griffin
>            Priority: Major
>             Fix For: 3.0.2
>
>
> This feature will add Cross-Site Request Forgery 
> [CSRF|https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)] 
> protection for the {{ACTION_PHASE}} of the portlet lifecycle via Spring 
> Security.
> Specifically, it will ensure that the Spring Security {{_csrf}} parameter is 
> added to every {{javax.portlet.ActionURL}} generated by Pluto's portlet 
> container. It will also utilize the "springSecurityFilterChain" in order to 
> verify that the value of the {{_csrf}} parameter is the correct value before 
> invoking the {{ACTION_PHASE}} of the portlet lifecycle. This works for normal 
> ActionURLs as well as Portlet Hub "Ajax" ActionURLs and "Partial" ActionURLs.
> This feature does *not* secure any other phases of the portlet lifecycle 
> (such as the {{RESOURCE_PHASE}}). It is important to note that if a portlet 
> developer uses an XmlHttpRequest (XHR) to submit a form via HTTP POST with a 
> {{javax.portlet.ResourceURL}}, then it is still incumbent upon the portlet 
> developer to leverage some kind of CSRF protection.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to