From: "James Yong (Jira)"
To: notifications@ofbiz.apache.org
Reply-To: dev@ofbiz.apache.org
Date: Mon, 27 Jan 2020 04:00:15 +0000 (UTC)
Subject: [jira] [Updated] (OFBIZ-11306) POC for CSRF Token

[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Yong updated OFBIZ-11306:
-------------------------------
Description:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a "time out").
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during POST request.
# In *controllers* a new csrf-token attribute is added to the security tag to exempt or force CSRF token check.
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the change. Using <@ofbizUrl> macro to generate the CSRF token means there is no need to manually add the CSRF token field to each form in the ftl files. It will save time for users doing custom implementation and maintenance. While there is CSRF token in the form URL, the token is invalidated during form submission. So it's unique and harmless even though the CSRF token of the form submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs out or the session is invalidated.

The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF token check. (Note there are discussions that RequestMap with 'all' method should also not be subjected to CSRF token check. This will be done after ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the general rules above.

To implement:
* Allow token map size to be configurable in properties.
To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Configure the general rules in a Service method (which will be run inside the constructor of RequestMap class) when determining the final securityCsrfToken value.

was:
CSRF tokens are generated using SecureRandom class (maybe later a JWT with a "time out").
They are stored in the user sessions (for AJAX calls and unauthenticated HTTP calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during POST request.
# In *controllers* a new csrf-token attribute is added to the security tag to exempt or force CSRF token check.
# In *Widget Forms* a hidden token field is auto-generated.
# In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the change. Using <@ofbizUrl> macro to generate the CSRF token means there is no need to manually add the CSRF token field to each form in the ftl files. It will save time for users doing custom implementation and maintenance. While there is CSRF token in the form URL, the token is invalidated during form submission. So it's unique and harmless even though the CSRF token of the form submission is shown in the browser address bar.
# For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added through OfbizUtil.js (itself called at start in decorators and such)
# The html metadata is storing the csrf token used by JQuery AJAX. This token will not change to another value after it is consumed
# Csrf tokens for the user are removed from the UtilCache when the user logs out or the session is invalidated.
# The general rules are as follows:
* RequestMap configured with 'get' method will be exempted from CSRF token check.
* RequestMap configured with 'post' or 'all' method will be subjected to CSRF token check. (Note there are discussions that RequestMap with 'all' method should also not be subjected to CSRF token check. This will be done after ensuring a separate uri is used when posting changes.)
* "main" request URIs are exempted from CSRF token check.
* Setting csrf-token to false or true on the Request Map will override the general rules above.
# To implement:
* Allow token map size to be configurable in properties.
# To Discuss:
* Invalidate authenticated user session when CSRF token check fails.
* Config the general rules in a Service method which will be used when determining the actual securityCsrfToken value in constructor of RequestMap class.

> POC for CSRF Token
> ------------------
>
>                 Key: OFBIZ-11306
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Upcoming Branch
>            Reporter: James Yong
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: CSRF
>             Fix For: Upcoming Branch
>
>         Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
> (Description as above.)

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
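The token lifecycle and the request-map rules described in the issue, as an added illustrative example in Java that is not code from the OFBIZ-11306 patches or from OFBiz itself; the class and method names, the in-memory map standing in for the session/UtilCache store, and the treatment of a missing or unknown method are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative CSRF token helper modelled on the OFBIZ-11306 design; not OFBiz code. */
public class CsrfTokenExample {
    private static final SecureRandom RANDOM = new SecureRandom();
    // Assumed stand-in for the per-user token store (user session or UtilCache in the issue).
    private final Map<String, Boolean> tokens = new ConcurrentHashMap<>();

    /** Generate a 256-bit random token and register it as not yet consumed. */
    public String generateToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        tokens.put(token, Boolean.TRUE);
        return token;
    }

    /** Verify on POST and invalidate: a token is accepted once, so a copy left in the address bar is useless. */
    public boolean verifyAndConsume(String token) {
        return token != null && tokens.remove(token) != null;
    }

    /** Logout or session invalidation: drop every token held for this user. */
    public void clearTokens() { tokens.clear(); }

    /**
     * General rules from the issue: 'get' exempt, 'post'/'all' checked, "main" request URIs exempt,
     * and an explicit csrf-token attribute on the request map overrides all of that.
     * A missing method defaults to 'all' and unknown methods are checked (fail closed): assumptions.
     */
    public static boolean requiresCsrfCheck(String uri, String method, Boolean csrfTokenAttr) {
        if (csrfTokenAttr != null) return csrfTokenAttr;   // explicit override on the request map
        if ("main".equals(uri)) return false;              // "main" request URIs exempt
        String m = method == null ? "all" : method.toLowerCase(Locale.ROOT);
        return !"get".equals(m);
    }
    public static void main(String[] args) {
        CsrfTokenExample csrf = new CsrfTokenExample();
        String token = csrf.generateToken();
        System.out.println("POST updateOrder needs check: " + requiresCsrfCheck("updateOrder", "post", null));
        System.out.println("main request exempt: " + !requiresCsrfCheck("main", "all", null));
        System.out.println("first submission accepted: " + csrf.verifyAndConsume(token));
        System.out.println("replay of same token rejected: " + !csrf.verifyAndConsume(token));
    }
}
```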