From: "Jacques Le Roux (Jira)"
To: notifications@ofbiz.apache.org
Reply-To: dev@ofbiz.apache.org
Date: Thu, 6 Feb 2020 17:35:00 +0000 (UTC)
Subject: [jira] [Commented] (OFBIZ-11306) POC for CSRF Token

[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17031790#comment-17031790 ]

Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------

Hi James,

Now that OFBIZ-11329 is closed, here is my last patch [^OFBIZ-11306.patch]

Not many changes since your last (most of my recent work was on setUserTimeZone):
* The cache size for the Tokens Map that stores the CSRF tokens, removeEldestEntry is used to get above csrf.cache.size (in security.properties)
* By default the CSRF defense is enabled, developers need to disable it: csrf-defense-enabled in requestHandler.properties
* Also some formatting, mostly in new files.

Some questions still pending:
* I did not remove changes in TopAppBar.ftl and AppBarClose.ftl. But why do we need a CSRF token there? It's about help, so only content, so it is idempotent, isn't it?
* What about my point on RequestHandlerExceptionAllowExternalRequests?
* You wrote
{quote}Switched to UtilCache (instead of http sessions) to store tokens after user login, as some pages contain links to other webapps e.g. acctg trans page contains links to partymgr's viewprofile. Still using sessions to store tokens for ajax and before user login.
{quote}
Could we not do the same for Ajax inter-webapp calls? I understand that for HTTP requests partyId is used after login. For Ajax requests we do not always have such an ID. Maybe we could use userLogin and PartyId, which is (sometimes?/most of the time?) present. Or put in a specific ID?

To be continued...
> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, CsrfUtil.java, OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a "time out").
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to exempt or force CSRF token check.
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the change. Using <@ofbizUrl> macro to generate the CSRF token means there is no need to manually add the CSRF token field to each form in the ftl files. It will save time for users doing custom implementation and maintenance. While there is CSRF token in the form URL, the token is invalidated during form submission. So it's unique and harmless even though the CSRF token of the form submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs out or session invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF token check. (Note there are discussions that RequestMap with 'all' method should also not be subjected to CSRF token check. This will be done after ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside the constructor of RequestMap class) when determining the final security CsrfToken value.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
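The mechanics the thread talks about, as one added example: the bounded token map Jacques describes (LinkedHashMap.removeEldestEntry capped by csrf.cache.size), and the issue description's SecureRandom token generation, single-use verification on POST, removal on logout, and the general exemption rules with the csrf-token override. This is hypothetical Java written for this page; it is not OFBiz's CsrfUtil and not code from any patch attached to the ticket. Assumptions not stated in the thread: the cap is a constant standing in for the security.properties value; the map is keyed by a per-user owner id (partyId) as the ticket uses for authenticated requests; the "main" rule is read as a URI equal to "main"; a null request-map method is treated as 'all'; tokens are compared in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical CSRF helper illustrating the OFBIZ-11306 design; not OFBiz's CsrfUtil. */
public final class CsrfDemo {

    /** Stand-in for csrf.cache.size from security.properties (assumed value). */
    static final int CSRF_CACHE_SIZE = 3;

    private static final SecureRandom RNG = new SecureRandom();

    /** Token store bounded via removeEldestEntry: the insertion-oldest entry goes once size() > maxSize. */
    static Map<String, String> newTokenStore(final int maxSize) {
        return Collections.synchronizedMap(new LinkedHashMap<String, String>(16, 0.75f, false) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                return size() > maxSize;
            }
        });
    }

    /** 256-bit SecureRandom token, URL-safe so it can travel inside an <@ofbizUrl> link. */
    static String generateToken() {
        byte[] bytes = new byte[32];
        RNG.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Issue a fresh token for the owner (assumed: partyId), replacing any earlier one. */
    static String issueToken(Map<String, String> store, String owner) {
        String token = generateToken();
        store.put(owner, token);
        return token;
    }

    /** Constant-time check; on success the token is invalidated, so a replay is rejected. */
    static boolean consumeToken(Map<String, String> store, String owner, String presented) {
        String expected = store.get(owner);
        if (expected == null || presented == null) {
            return false;
        }
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                           presented.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            store.remove(owner);
        }
        return ok;
    }

    /** Logout / session invalidation: drop the user's tokens from the cache. */
    static void invalidateTokensFor(Map<String, String> store, String owner) {
        store.remove(owner);
    }

    /**
     * The ticket's general rules. method is the request-map method ('get', 'post', 'all';
     * null treated as 'all' by assumption), uri the request URI, override the csrf-token
     * attribute of the controller's security tag (null when unset).
     */
    static boolean requiresCsrfCheck(String method, String uri, Boolean override) {
        if (override != null) {
            return override;                       // explicit csrf-token="true"/"false" wins
        }
        if ("main".equals(uri)) {
            return false;                          // "main" request URIs are exempt
        }
        String m = method == null ? "all" : method.toLowerCase();
        if ("get".equals(m)) {
            return false;                          // GET is exempt
        }
        return "post".equals(m) || "all".equals(m); // POST and ALL are checked
    }

    public static void main(String[] args) {
        Map<String, String> store = newTokenStore(CSRF_CACHE_SIZE);
        String token = issueToken(store, "party-1");

        System.out.println("POST createOrder checked: " + requiresCsrfCheck("post", "createOrder", null));
        System.out.println("GET viewprofile checked:  " + requiresCsrfCheck("get", "viewprofile", null));
        System.out.println("POST main checked:        " + requiresCsrfCheck("post", "main", null));
        System.out.println("POST main, forced:        " + requiresCsrfCheck("post", "main", Boolean.TRUE));
        System.out.println("first submission ok:      " + consumeToken(store, "party-1", token));
        System.out.println("replayed token ok:        " + consumeToken(store, "party-1", token));

        // Push past the cap: eldest owners are evicted and size() never exceeds CSRF_CACHE_SIZE.
        for (int i = 0; i < CSRF_CACHE_SIZE + 2; i++) {
            issueToken(store, "party-" + i);
        }
        System.out.println("entries after overflow:   " + store.size());
    }
}
```

The eviction policy is what Jacques's "removeEldestEntry is used to get above csrf.cache.size" amounts to: a user whose token was evicted simply fails the next POST check and must reload the form. The constant-time comparison and the owner-keyed map are choices made for this illustration; the ticket does not say how CsrfUtil compares or indexes tokens.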