openmeetings-dev mailing list archives

From "Coscend@OM" <OM.Insig...@Coscend.com>
Subject OM 3.3.0: CSRF Solution via Reverse Proxy Server
Date Tue, 25 Jul 2017 04:58:45 GMT
Dear OpenMeetings Developers,

Congratulations on beefing up Web content security of OpenMeetings in 3.3.0,
including XSS, CSRF and requests via security headers!

Your guidance in a reverse proxy scenario would be appreciated.

In a reverse proxy use case, the origin site request is changed by the proxy
server.  That is, the IP and port of the product's server are replaced with the
proxy server's IP and port number.  This will be perceived incorrectly as a
CSRF attack.  Hence, it will be blocked by

Application.java @ 151
------------------------------
getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
.
}); @ 172

Would you provide us guidance on how to find a solution?

(1)   Temporary workaround:  How to disable CSRF feature so as to be able to
access via proxy?  (Removing lines 152-172 will give Java
IllegalArgumentException.)

(2)   Long-term:  Have CSRF and access through proxy server

Thank you.

Sincerely,

Hemant K. Sabat

Coscend Communications Solutions

 <http://www.coscend.com/> www.Coscend.com 
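
Added example, not part of the original message and not OpenMeetings or Wicket code: a simplified model of an Origin-header check, showing why the request in the reverse proxy case described above is rejected and how an explicit list of accepted public origins changes the outcome. The class and method names, host names and ports are constructed for illustration.

```java
import java.net.URI;
import java.util.Set;

// Simplified model of an Origin-header CSRF check (illustration only).
public class OriginCheckDemo {

    // Normalise to scheme://host:port with default ports filled in, so that
    // equal origins compare equal. Returns null for unusable values such as
    // the literal "null" origin or a malformed URI.
    static String normalize(String origin) {
        try {
            URI u = URI.create(origin);
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase();
            int port = u.getPort() != -1 ? u.getPort()
                    : ("https".equals(scheme) ? 443 : 80);
            return scheme + "://" + u.getHost().toLowerCase() + ":" + port;
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // backendView: scheme, host and port as the servlet container sees the request.
    // acceptedOrigins: normalised public origins the operator has allowlisted.
    static boolean allowed(String originHeader, String backendView,
                           Set<String> acceptedOrigins) {
        if (originHeader == null) return false; // strict policy chosen for this demo
        String o = normalize(originHeader);
        if (o == null) return false;
        return acceptedOrigins.contains(o) || o.equals(normalize(backendView));
    }

    public static void main(String[] args) {
        // Constructed values: the browser talks to the proxy, the proxy to the backend.
        String browserOrigin = "https://meet.example.com";
        String direct = "https://meet.example.com:443";   // no proxy in between
        String behindProxy = "http://10.0.0.5:5080";      // what the backend sees
        Set<String> none = Set.of();
        Set<String> proxyOrigin = Set.of(normalize("https://meet.example.com"));

        // Same origin on both sides, no allowlist needed.
        System.out.println(allowed(browserOrigin, direct, none));
        // Proxy rewrote host and port: a legitimate request looks cross-origin.
        System.out.println(allowed(browserOrigin, behindProxy, none));
        // Public origin of the proxy allowlisted: request passes again.
        System.out.println(allowed(browserOrigin, behindProxy, proxyOrigin));
        // An unrelated origin is still rejected with the allowlist in place.
        System.out.println(allowed("https://other.example.net", behindProxy, proxyOrigin));
    }
}
```

Wicket's `CsrfPreventionRequestCycleListener` has an accepted-origin list of this kind (`addAcceptedOrigin`, which matches on domain name); the alternative is to have the proxy pass the public scheme and host through so that the container itself reports the public origin.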
