From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11306) POC for CSRF Token
Date Mon, 06 Jan 2020 14:50:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008921#comment-17008921 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

bq. I think it is a good practice for CSRF Token check during login. Not sure if it will be easy to set the security csrf token check to false when deploying to demo..

I think we can live with it. Maybe we will find a way later...

The catalog dropdown works now. For the tree, clicking on the main node works but you can't extend it because of

{noformat}
2020-01-06 15:42:49,563 |jsse-nio-8443-exec-6 |ControlServlet                |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/getChild'
        at org.apache.ofbiz.base.util.CsrfUtil.checkToken(CsrfUtil.java:245) ~[main/:?]
        at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:439) ~[main/:?]
{noformat}

In ecommerce the tree works well, still not the one page checkout.

To avoid too many iterations here, maybe at some stage we will need to commit and let people report issues where things don't work as expected...

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) In widget forms, where a hidden token field is auto-generated.
> 2) In FTL forms, where a <@csrfTokenField> macro is used to generate the csrf token field.
> 3) In Ajax calls, where a <@csrfTokenAjax> macro is used to assign the csrf token to X-CSRF-Token in the request header.
> CSRF tokens are stored in the user session and verified during POST requests.
> A new attribute, i.e. csrf-token, is added to the security tag to exempt a request from the CSRF token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
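As an added illustration of the check that the issue description and the ControlServlet stack trace above refer to, here is a simplified model of a session-bound CSRF token check. It is not OFBiz's CsrfUtil code; the hidden field name `csrfToken`, the `CSRF_EXEMPT_PATHS` set standing in for the `csrf-token` security attribute, and the sample requests are assumptions constructed for the example.

```python
import hmac
import secrets

# Assumed stand-in for request paths whose security tag sets csrf-token to false.
CSRF_EXEMPT_PATHS = {"/LookupPartyName"}


class CsrfTokenError(Exception):
    """Raised for the same condition the ControlServlet log above reports."""


def issue_token(session: dict) -> str:
    """Create the per-session token once; forms and Ajax calls must echo it back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_token(session: dict, method: str, path: str, form: dict, headers: dict) -> None:
    """Reject a POST unless it carries the session token as a hidden form field
    (widget/FTL forms) or in the X-CSRF-Token header (Ajax calls)."""
    if method.upper() != "POST" or path in CSRF_EXEMPT_PATHS:
        return
    expected = session.get("csrf_token")
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    supplied = lowered.get("x-csrf-token") or form.get("csrfToken")
    # Constant-time comparison; a missing or empty value never matches.
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        raise CsrfTokenError(f"Invalid or missing CSRF token for call to path '{path}'")


def run_scenarios() -> dict:
    """Constructed requests against one session; returns scenario name -> 'ok' or 'rejected'."""
    session = {}
    token = issue_token(session)
    scenarios = [
        ("get_page", "GET", "/catalog", {}, {}),                              # safe method
        ("form_with_field", "POST", "/updateProduct", {"csrfToken": token}, {}),  # hidden field
        ("ajax_with_header", "POST", "/getChild", {}, {"X-CSRF-Token": token}),   # macro applied
        ("ajax_missing_header", "POST", "/getChild", {}, {}),                 # the tree failure
        ("exempt_lookup", "POST", "/LookupPartyName", {}, {}),                # exempted path
        ("forged_field", "POST", "/updateProduct", {"csrfToken": "forged"}, {}),  # wrong token
    ]
    results = {}
    for name, method, path, form, headers in scenarios:
        try:
            check_token(session, method, path, form, headers)
            results[name] = "ok"
        except CsrfTokenError:
            results[name] = "rejected"
    return results
```

The `ajax_missing_header` scenario is the situation the stack trace shows: the server rejects the call because the client never attached the header, so the fix belongs on the client side of that request.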
