openmeetings-dev mailing list archives

From "Coscend@OM" <>
Subject OM 3.3.0: CSRF Solution via Reverse Proxy Server
Date Tue, 25 Jul 2017 04:58:45 GMT
Dear OpenMeetings Developers,


Congratulations on beefing up Web content security of OpenMeetings in 3.3.0,
including XSS, CSRF and requests via security headers!


Your guidance in a reverse proxy scenario would be appreciated.


In a reverse proxy use case, the origin site request is changed by the proxy
server.  That is, the IP and port of the product's server are replaced with the
proxy server's IP and port number.  This will be perceived incorrectly as
a CSRF attack.  Hence, it will be blocked by @ 151


getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {


}); @ 172


Would you provide us guidance on how to find a solution?

(1)   Temporary workaround:  How to disable the CSRF feature so as to be able to
access via proxy?  (Removing lines 152-172 will give Java

(2)   Long-term:  Have CSRF and access through proxy server


Thank you.




Hemant K. Sabat


Coscend Communications Solutions



Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
Telepresence Services, on the fly.
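
The mismatch described in this message, as an added example (not part of the original e-mail and not OpenMeetings or Wicket code): a simplified model of an Origin-header check that compares the Origin sent by the browser with the URL as the application server sees it. Host names, addresses and the accepted-domain list are constructed; in Wicket the allow-list step corresponds to CsrfPreventionRequestCycleListener.addAcceptedOrigin(String).

```java
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Simplified model of an Origin-based CSRF check (assumption: not Wicket's implementation).
public class OriginCheckDemo {

    // Reduce a URL to scheme://host:port, making default ports explicit.
    static String normalize(String url) {
        URI u = URI.create(url);
        String scheme = u.getScheme().toLowerCase();
        int port = u.getPort() != -1 ? u.getPort() : ("https".equals(scheme) ? 443 : 80);
        return scheme + "://" + u.getHost().toLowerCase() + ":" + port;
    }

    // True when the origin's host equals an accepted domain or is a subdomain of it.
    static boolean isAccepted(String origin, List<String> acceptedDomains) {
        String host = URI.create(origin).getHost();
        if (host == null) return false;
        for (String d : acceptedDomains) {
            if (host.equalsIgnoreCase(d) || host.toLowerCase().endsWith("." + d)) return true;
        }
        return false;
    }

    // originHeader: sent by the browser; backendUrl: the request URL seen behind the proxy.
    static String check(String originHeader, String backendUrl, List<String> acceptedDomains) {
        if (originHeader == null) return "NO_ORIGIN";   // policy for this case is a deployment choice
        if (isAccepted(originHeader, acceptedDomains)) return "ALLOWED (accepted origin)";
        boolean same = normalize(originHeader).equals(normalize(backendUrl));
        return same ? "ALLOWED (same origin)" : "CONFLICT";
    }

    public static void main(String[] args) {
        // Constructed values: public proxy name, internal backend address, a foreign site.
        String browserOrigin = "https://meet.example.com";
        String direct = "https://meet.example.com/openmeetings/";
        String viaProxy = "http://10.0.0.5:5080/openmeetings/";
        List<String> none = Collections.<String>emptyList();

        System.out.println(check(browserOrigin, direct, none));                      // direct access
        System.out.println(check(browserOrigin, viaProxy, none));                    // backend sees its own host and port
        System.out.println(check(browserOrigin, viaProxy, Arrays.asList("example.com")));
        System.out.println(check("https://other.example.net", viaProxy, Arrays.asList("example.com")));
    }
}
```

Allow-listing the public domain keeps the check active for foreign origins while accepting requests that arrive through the proxy; forwarding the original host and scheme from the proxy so the backend reconstructs the public URL is the other common approach.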

