[jira] [Updated] (OFBIZ-11470) Ensure that the SameSite attribute is set to 'strict' for all cookies. (CVE-2019-0235)

2020-04-06 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11470:

Summary: Ensure that the SameSite attribute is set to 'strict' for all 
cookies. (CVE-2019-0235)  (was: Ensure that the SameSite attribute is set to 
'strict' for all cookies.)

> Ensure that the SameSite attribute is set to 'strict' for all cookies. 
> (CVE-2019-0235)
> --
>
> Key: OFBIZ-11470
> URL: https://issues.apache.org/jira/browse/OFBIZ-11470
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 18.12.01, 17.12.02
>
>
> As reported by OWASP ZAP:
> bq. A cookie has been set without the SameSite attribute, which means that 
> the cookie can be sent as a result of a 'cross-site' request. The SameSite 
> attribute is an effective counter measure to cross-site request forgery, 
> cross-site script inclusion, and timing attacks.
> The solution was not obvious in OFBiz for 2 reasons:
> # There is no HttpServletResponse::setHeader. So we need to use a filter 
> (SameSiteFilter) and even that is not enough because of 2:
> # To prevent session fixation we force Tomcat to generate a new jsessionId, 
> ultimately put in a cookie, in LoginWorker::login. So we need to add a call to 
> SameSiteFilter::addSameSiteCookieAttribute in 
> UtilHttp::setResponseBrowserDefaultSecurityHeaders.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
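Added example of the filter approach described in OFBIZ-11470; this is not OFBiz's SameSiteFilter or UtilHttp code. The constraint it works around is that javax.servlet.http.Cookie has no SameSite setter, so the attribute has to be appended to the raw Set-Cookie header values after the application has written them. Class and method names are chosen for the example, and it assumes a Servlet 3.0+ container such as Tomcat, where HttpServletResponse#getHeaders is available.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not OFBiz's SameSiteFilter: javax.servlet.http.Cookie has no
 * SameSite setter, so the attribute is appended to the raw Set-Cookie header
 * values once the application has written them.
 */
public class SameSiteCookieFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Let the application run first so its Set-Cookie headers exist.
        chain.doFilter(request, response);
        if (response instanceof HttpServletResponse) {
            addSameSiteCookieAttribute((HttpServletResponse) response);
        }
    }

    /**
     * Rewrites every Set-Cookie header so it carries SameSite=Strict. Works only
     * while the response is uncommitted, and only on cookies present at the time
     * of the call: a session id regenerated afterwards (the LoginWorker case in
     * the issue) needs this method called again at that point.
     */
    public static void addSameSiteCookieAttribute(HttpServletResponse response) {
        if (response.isCommitted()) {
            return; // headers already sent; nothing can be changed now
        }
        Collection<String> headers = response.getHeaders("Set-Cookie");
        if (headers == null || headers.isEmpty()) {
            return;
        }
        // Copy first: setHeader below replaces the collection we are reading.
        List<String> rewritten = new ArrayList<>();
        for (String header : headers) {
            rewritten.add(withSameSite(header, "Strict"));
        }
        boolean first = true;
        for (String header : rewritten) {
            if (first) {
                response.setHeader("Set-Cookie", header); // drops all old values
                first = false;
            } else {
                response.addHeader("Set-Cookie", header);
            }
        }
    }

    /** Pure rewrite rule, kept separate so it can be unit-tested without a container. */
    static String withSameSite(String setCookieValue, String mode) {
        if (setCookieValue.toLowerCase().contains("samesite=")) {
            return setCookieValue; // keep an attribute the application set deliberately
        }
        return setCookieValue + "; SameSite=" + mode;
    }
}
```

Two caveats for anyone deploying this pattern: the filter only sees cookies that exist when chain.doFilter returns, which is exactly why the issue also calls the helper from UtilHttp after the session id is regenerated; and SameSite=Strict withholds the cookie on cross-site top-level navigations too (a link to the application from an e-mail or another site), so users arriving that way land unauthenticated. Where that matters, Lax is the usual compromise, since Lax still blocks the cross-site POSTs that CSRF relies on.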


[jira] [Updated] (OFBIZ-10427) Add a mean to handle CSRF (CVE-2019-0235)

2020-04-06 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-10427:

Summary: Add a mean to handle CSRF (CVE-2019-0235)  (was: Add a mean to 
handle CSRF (CVE-2019-12425))

> Add a mean to handle CSRF (CVE-2019-0235)
> -
>
> Key: OFBIZ-10427
> URL: https://issues.apache.org/jira/browse/OFBIZ-10427
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Minor
> Attachments: webtools_web.xml.patch
>
>
> I already worked on that in OFBiz but without success so far: 
> https://markmail.org/message/r245yie623cdo3wz
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really 
> not simple in OFBiz)
> * 
> https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction
>  (I think preferred)





[jira] [Updated] (OFBIZ-11306) POC for CSRF Token (CVE-2019-0235)

2020-04-06 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Summary: POC for CSRF Token (CVE-2019-0235)  (was: POC for CSRF Token 
(CVE-2019-12425))

> POC for CSRF Token (CVE-2019-0235)
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative merged with James's.patch, 
> OFBIZ-11306-alternative merged with James's.patch, OFBIZ-11306-alternative 
> merged with James's.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> partyTokenMap.webtools.txt
>
>
> CSRF tokens are generated using the SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST requests.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is a CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the 
> form submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by jQuery AJAX. This token 
> will not change to another value after it is consumed.
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.



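Added illustration of the token life cycle and request-map rules sketched in OFBIZ-11306 above; this is example code, not OFBiz's CsrfUtil or its attached patches. The per-session map standing in for HttpSession attributes, the literal "main" URI exemption, and the method/URI rule are simplifying assumptions made for the example; the UtilCache path for authenticated users is folded into the same store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, not OFBiz's CsrfUtil: tokens come from SecureRandom, live in a
 * per-session store, and are checked on state-changing requests following the
 * general rules listed in the issue.
 */
public class CsrfTokenExample {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int TOKEN_BYTES = 32; // 256 bits of entropy per token

    /** Stand-in for HttpSession attributes: one token per request URI (assumption). */
    public static final class Session {
        private final Map<String, String> tokensByUri = new ConcurrentHashMap<>();
    }

    /** Random token, URL-safe base64 so it can travel in a URL or a hidden field. */
    public static String generateToken() {
        byte[] bytes = new byte[TOKEN_BYTES];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Issues a token for a form target and remembers it in the session. */
    public static String issueToken(Session session, String requestUri) {
        String token = generateToken();
        session.tokensByUri.put(requestUri, token);
        return token;
    }

    /**
     * The general rules from the issue: an explicit csrf-token attribute on the
     * request map wins; otherwise "main" and GET-only request maps are exempt,
     * while POST and ALL are checked. A missing method is treated as ALL (assumption).
     */
    public static boolean requiresCsrfCheck(String requestUri, String method, Boolean csrfTokenAttribute) {
        if (csrfTokenAttribute != null) {
            return csrfTokenAttribute;
        }
        if ("main".equals(requestUri)) {
            return false;
        }
        String m = method == null ? "all" : method.toLowerCase();
        return "post".equals(m) || "all".equals(m);
    }

    /**
     * Compares the presented token with the stored one in constant time.
     * Form tokens are consumed on first use, so a value that was visible in the
     * address bar cannot be replayed; the per-page AJAX token is verified with
     * consume=false and keeps its value, as the issue describes.
     */
    public static boolean verifyToken(Session session, String requestUri, String presented, boolean consume) {
        String expected = consume
                ? session.tokensByUri.remove(requestUri)
                : session.tokensByUri.get(requestUri);
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Drops everything the session held, e.g. on logout or session invalidation. */
    public static void clearTokens(Session session) {
        session.tokensByUri.clear();
    }

    private static void check(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        check(requiresCsrfCheck("updateParty", "post", null), "POST request maps are checked");
        check(requiresCsrfCheck("updateParty", "all", null), "ALL request maps are checked");
        check(!requiresCsrfCheck("findParty", "get", null), "GET request maps are exempt");
        check(!requiresCsrfCheck("main", "post", null), "\"main\" is exempt");
        check(requiresCsrfCheck("findParty", "get", Boolean.TRUE), "csrf-token=true forces the check");

        Session session = new Session();
        String formToken = issueToken(session, "updateParty");
        check(verifyToken(session, "updateParty", formToken, true), "first submission is accepted");
        check(!verifyToken(session, "updateParty", formToken, true), "replay of a consumed token fails");

        String ajaxToken = issueToken(session, "ajax");
        check(verifyToken(session, "ajax", ajaxToken, false), "AJAX token verified");
        check(verifyToken(session, "ajax", ajaxToken, false), "AJAX token survives verification");
        check(!verifyToken(session, "ajax", "not-the-token", false), "wrong token is rejected");
        clearTokens(session);
        check(!verifyToken(session, "ajax", ajaxToken, false), "tokens are gone after logout");
        System.out.println("all checks passed");
    }
}
```

The rule function is the part worth keeping separate from the token store: it is where the "post or all is checked" policy and the "main" exemption live, so the discussion in the issue about dropping ALL from the checked set becomes a one-line change rather than a search through controllers. The one-shot consumption of form tokens is what makes the token-in-URL design acceptable; a token that is reused, like the AJAX one, must never be placed in a URL, since it can then leak through the Referer header and history.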


[jira] [Updated] (OFBIZ-11416) Manufacturing Docbook help file migration to asciidoc format

2020-04-06 Thread Olivier Heintz (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Olivier Heintz updated OFBIZ-11416:
---
Parent: OFBIZ-11587
Issue Type: Sub-task  (was: Improvement)

> Manufacturing Docbook help file migration to asciidoc format
> 
>
> Key: OFBIZ-11416
> URL: https://issues.apache.org/jira/browse/OFBIZ-11416
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: manufacturing
>Affects Versions: Trunk
>Reporter: Olivier Heintz
>Assignee: Olivier Heintz
>Priority: Minor
>  Labels: documentation
>
> Migrate all Help files in docbook format to asciidoc format and include them 
> in a global manufacturing.adoc document.
> manufacturing.adoc follows the template described in "Example structure for 
> adoc files" in the wiki 
> https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Documentation+Team





[jira] [Updated] (OFBIZ-11577) Marketing Docbook help file migration to asciidoc format

2020-04-06 Thread Olivier Heintz (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Olivier Heintz updated OFBIZ-11577:
---
Parent: OFBIZ-11587
Issue Type: Sub-task  (was: Improvement)

> Marketing Docbook help file migration to asciidoc format
> 
>
> Key: OFBIZ-11577
> URL: https://issues.apache.org/jira/browse/OFBIZ-11577
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: marketing
>Affects Versions: Trunk
>Reporter: Olivier Heintz
>Assignee: Olivier Heintz
>Priority: Minor
>  Labels: documentation
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Migrate all Help files in docbook format to asciidoc format and include them 
> in a global marketing.adoc document.
> marketing.adoc follows the template described in "Example structure for adoc 
> files" in the wiki 
> [https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Documentation+Team]





[jira] [Updated] (OFBIZ-11581) Party Docbook help file migration to asciidoc format

2020-04-06 Thread Olivier Heintz (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Olivier Heintz updated OFBIZ-11581:
---
Summary: Party Docbook help file migration to asciidoc format  (was: Order 
Docbook help file migration to asciidoc format)

> Party Docbook help file migration to asciidoc format
> 
>
> Key: OFBIZ-11581
> URL: https://issues.apache.org/jira/browse/OFBIZ-11581
> Project: OFBiz
>  Issue Type: Improvement
>  Components: party
>Affects Versions: Trunk
>Reporter: Olivier Heintz
>Assignee: Olivier Heintz
>Priority: Minor
>  Labels: documentation
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Migrate all Help files in docbook format to asciidoc format and include them 
> in a global party.adoc document.
> party.adoc follows the template described in "Example structure for adoc files" 
> in the wiki 
> [https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Documentation+Team]





[jira] [Updated] (OFBIZ-11581) Party Docbook help file migration to asciidoc format

2020-04-06 Thread Olivier Heintz (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Olivier Heintz updated OFBIZ-11581:
---
Parent: OFBIZ-11587
Issue Type: Sub-task  (was: Improvement)

> Party Docbook help file migration to asciidoc format
> 
>
> Key: OFBIZ-11581
> URL: https://issues.apache.org/jira/browse/OFBIZ-11581
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: party
>Affects Versions: Trunk
>Reporter: Olivier Heintz
>Assignee: Olivier Heintz
>Priority: Minor
>  Labels: documentation
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Migrate all Help files in docbook format to asciidoc format and include them 
> in a global party.adoc document.
> party.adoc follows the template described in "Example structure for adoc files" 
> in the wiki 
> [https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Documentation+Team]





[jira] [Updated] (OFBIZ-11580) Order Docbook help file migration to asciidoc format

2020-04-06 Thread Olivier Heintz (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Olivier Heintz updated OFBIZ-11580:
---
Parent: OFBIZ-11587
Issue Type: Sub-task  (was: Improvement)

> Order Docbook help file migration to asciidoc format
> 
>
> Key: OFBIZ-11580
> URL: https://issues.apache.org/jira/browse/OFBIZ-11580
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: order
>Affects Versions: Trunk
>Reporter: Olivier Heintz
>Assignee: Olivier Heintz
>Priority: Minor
>  Labels: documentation
>
> Migrate all Help files in docbook format to asciidoc format and include them 
> in a global order.adoc document.
> order.adoc follows the template described in "Example structure for adoc files" 
> in the wiki 
> [https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Documentation+Team]





[jira] [Commented] (OFBIZ-11587) Migration all docbook file to asciidoc

2020-04-06 Thread Olivier Heintz (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17076478#comment-17076478
 ] 

Olivier Heintz commented on OFBIZ-11587:


PR#65 contains all the new asciidoc files, one commit per component or sub-component

PR#66 contains all the related docbook file deletions, one commit per component or 
sub-component

These two PRs will be updated after each new component migration.

Currently contains: manufacturing, marketing, party, order

> Migration all docbook file to asciidoc
> --
>
> Key: OFBIZ-11587
> URL: https://issues.apache.org/jira/browse/OFBIZ-11587
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL COMPONENTS, ALL PLUGINS
>Affects Versions: Trunk
>Reporter: Olivier Heintz
>Assignee: Olivier Heintz
>Priority: Minor
>  Labels: documentation
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Umbrella task for all component migration tasks.
> The idea is to have only one branch/PR for all tasks, with one commit per 
> component / sub-component migration; it will be easier to merge when it is 
> finished.





[GitHub] [ofbiz-framework] sonarcloud[bot] commented on issue #66: OFBIZ-11587 docbook to asciidoc, delete docbook files

2020-04-06 Thread GitBox
sonarcloud[bot] commented on issue #66: OFBIZ-11587 docbook to asciidoc, delete 
docbook files
URL: https://github.com/apache/ofbiz-framework/pull/66#issuecomment-609922695
 
 
   Kudos, SonarCloud Quality Gate passed!

   0 Bugs
   0 Vulnerabilities (and 0 Security Hotspots to review)
   0 Code Smells
   No Coverage information
   No Duplication information


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services


[GitHub] [ofbiz-framework] Olivier-Heintz opened a new pull request #66: OFBIZ-11587 docbook to asciidoc, delete docbook files

2020-04-06 Thread GitBox
Olivier-Heintz opened a new pull request #66: OFBIZ-11587 docbook to asciidoc, 
delete docbook files
URL: https://github.com/apache/ofbiz-framework/pull/66
 
 
   This PR is related to PR#65 Migration docbook files to asciidoc
   It contains all the related file deletions.
   It should be merged only when the new OFBiz help system working with asciidoc 
files is available




[GitHub] [ofbiz-framework] Olivier-Heintz closed pull request #39: OFBiz-11416 manufacturing docbook migration

2020-04-06 Thread GitBox
Olivier-Heintz closed pull request #39: OFBiz-11416 manufacturing docbook 
migration
URL: https://github.com/apache/ofbiz-framework/pull/39
 
 
   




[GitHub] [ofbiz-framework] Olivier-Heintz closed pull request #59: OFBIZ-11577 marketing docbook migration

2020-04-06 Thread GitBox
Olivier-Heintz closed pull request #59: OFBIZ-11577 marketing docbook migration
URL: https://github.com/apache/ofbiz-framework/pull/59
 
 
   




[GitHub] [ofbiz-framework] Olivier-Heintz closed pull request #62: OFBiz-11580 order docbook migration

2020-04-06 Thread GitBox
Olivier-Heintz closed pull request #62: OFBiz-11580 order docbook migration
URL: https://github.com/apache/ofbiz-framework/pull/62
 
 
   




[GitHub] [ofbiz-framework] Olivier-Heintz closed pull request #63: OFBIZ-11581 party docbook migration

2020-04-06 Thread GitBox
Olivier-Heintz closed pull request #63: OFBIZ-11581 party docbook migration
URL: https://github.com/apache/ofbiz-framework/pull/63
 
 
   




[GitHub] [ofbiz-framework] sonarcloud[bot] commented on issue #65: OFBIZ-11587 docbook to asciidoc

2020-04-06 Thread GitBox
sonarcloud[bot] commented on issue #65: OFBIZ-11587 docbook to asciidoc
URL: https://github.com/apache/ofbiz-framework/pull/65#issuecomment-609916214
 
 
   Kudos, SonarCloud Quality Gate passed!

   0 Bugs
   0 Vulnerabilities (and 0 Security Hotspots to review)
   0 Code Smells
   No Coverage information
   No Duplication information




[GitHub] [ofbiz-framework] Olivier-Heintz opened a new pull request #65: OFBIZ-11587 docbook to asciidoc

2020-04-06 Thread GitBox
Olivier-Heintz opened a new pull request #65: OFBIZ-11587 docbook to asciidoc
URL: https://github.com/apache/ofbiz-framework/pull/65
 
 
   This PR replaces all the PRs for component migration of docbook files to asciidoc 
files
   These PRs will be deleted:
   
   - PR#63 Party
   - PR#62 Order
   - PR#59 Marketing
   - PR#39 Manufacturing
   
   And in this PR there are only new asciidoc files; another PR will have all the 
deletions




[jira] [Created] (OFBIZ-11587) Migration all docbook file to asciidoc

2020-04-06 Thread Olivier Heintz (Jira)
Olivier Heintz created OFBIZ-11587:
--

 Summary: Migration all docbook file to asciidoc
 Key: OFBIZ-11587
 URL: https://issues.apache.org/jira/browse/OFBIZ-11587
 Project: OFBiz
  Issue Type: Improvement
  Components: ALL COMPONENTS, ALL PLUGINS
Affects Versions: Trunk
Reporter: Olivier Heintz
Assignee: Olivier Heintz


Umbrella task for all component migration tasks.

The idea is to have only one branch/PR for all tasks, with one commit per component 
/ sub-component migration; it will be easier to merge when it is finished.





[jira] [Commented] (OFBIZ-11306) POC for CSRF Token (CVE-2019-12425)

2020-04-06 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17076205#comment-17076205
 ] 

ASF subversion and git services commented on OFBIZ-11306:
-

Commit 5c534a9f9824c5bac1c8312a8d50063ca8b5e766 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=5c534a9 ]

Fixed: POC for CSRF Token
(OFBIZ-11306)

Fixes missing default NoCsrfDefenseStrategy in Header.ftl files




