openmeetings-dev mailing list archives

From Maxim Solodovnik <solomax...@gmail.com>
Subject Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server
Date Tue, 25 Jul 2017 05:08:29 GMT
Hello Hemant,

CSRF works as expected on demo servers

I believe you need to set up Rewrite rules in addition to proxy rules
This should do the trick :)

On Tue, Jul 25, 2017 at 11:58 AM, Coscend@OM <OM.Insights@coscend.com> wrote:

> Dear OpenMeetings Developers,
>
> Congratulations on beefing up Web content security of OpenMeetings in 3.3.0,
> including XSS, CSRF and requests via security headers!
>
> Your guidance in a reverse proxy scenario would be appreciated.
>
> In a reverse proxy use case, the origin site request is changed by the proxy
> server.  That is, the IP and port of the product's server are replaced with the
> proxy server's IP and port number.  This will be perceived incorrectly as a
> CSRF attack.  Hence, it will be blocked by
>
> Application.java @ 151
> ------------------------------
> getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
>     .
> }); @ 172
>
> Would you provide us guidance on how to find a solution?
>
> (1)   Temporary workaround:  How to disable the CSRF feature so as to be able
> to access via proxy?  (Removing lines 152-172 gives a Java
> IllegalArgumentException.)
>
> (2)   Long-term:  Have CSRF and access through the proxy server
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
>
> Coscend Communications Solutions
> www.Coscend.com
> ------------------------------------------------------------------
> Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
> Telepresence Services, on the fly.
> ------------------------------------------------------------------
> CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
> Messages from Coscend Communications Solutions' posted at:
> http://www.Coscend.com/Terms_and_Conditions.html



-- 
WBR
Maxim aka solomax
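Editor's note: the failure Hemant describes (the proxy rewrites the host and port the application sees, so the browser's Origin no longer matches the request URL and the origin-checking listener aborts the request) is easiest to understand with a small model of the comparison. The block below is an added example written for this page; it is not OpenMeetings or Wicket code, only a simplified imitation of an Origin-vs-request-URL check. The public name meet.example.com, the backend address localhost:5080, the X-Forwarded-Host/X-Forwarded-Proto headers, the header dictionaries, and the function names csrf_check, normalize_origin and request_url_seen_by_app are all assumptions made for illustration.

```python
"""Model of an Origin-vs-request-URL CSRF check behind a reverse proxy.

Added example for this archive page, not OpenMeetings or Wicket code.
It imitates the comparison an origin-checking listener performs: the
scheme/host/port of the browser's Origin (or Referer) header must equal
the scheme/host/port the application believes it was addressed at.
All hostnames, ports and headers below are constructed assumptions.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url):
    """Return 'scheme://host:port' with a lowercase host and an explicit port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port or DEFAULT_PORTS.get(scheme)
    return f"{scheme}://{host}:{port}"


def request_url_seen_by_app(headers, transport_scheme, honor_forwarded):
    """Reconstruct the URL the application thinks it is serving.

    honor_forwarded=False: the app uses the Host header as received plus the
    scheme of its own listener.  A proxy that rewrites Host to the backend
    address therefore makes the app see itself as http://localhost:5080.
    honor_forwarded=True: the app trusts X-Forwarded-Host/-Proto set by the
    proxy and reconstructs the public URL (only safe when the proxy is the
    sole client allowed to reach the backend and it overwrites those headers).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if honor_forwarded and "x-forwarded-host" in h:
        scheme = h.get("x-forwarded-proto", transport_scheme)
        host = h["x-forwarded-host"]
    else:
        scheme = transport_scheme
        host = h["host"]
    return f"{scheme}://{host}/"


def csrf_check(headers, transport_scheme="http", honor_forwarded=False,
               accepted_origins=()):
    """Return 'ALLOW', 'ABORT' or 'NO_ORIGIN' for a state-changing request."""
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return "NO_ORIGIN"
    src = normalize_origin(source)
    target = normalize_origin(
        request_url_seen_by_app(headers, transport_scheme, honor_forwarded))
    if src == target:
        return "ALLOW"
    # Allowlist of additional acceptable source hostnames (models the
    # listener's accepted-origin list, an assumption of this example).
    if (urlsplit(source).hostname or "").lower() in {a.lower() for a in accepted_origins}:
        return "ALLOW"
    return "ABORT"


# Constructed headers as the backend receives them when the proxy rewrites
# Host to the backend address: the browser's Origin no longer matches.
PROXY_REWRITES_HOST = {
    "Host": "localhost:5080",
    "Origin": "https://meet.example.com",
}
# Same proxy configured to pass the public host and announce the scheme.
PROXY_PRESERVES_HOST = {
    "Host": "meet.example.com",
    "X-Forwarded-Host": "meet.example.com",
    "X-Forwarded-Proto": "https",
    "Origin": "https://meet.example.com",
}
# A genuine cross-site request arriving through the correctly configured proxy.
CROSS_SITE = {
    "Host": "meet.example.com",
    "X-Forwarded-Host": "meet.example.com",
    "X-Forwarded-Proto": "https",
    "Origin": "https://evil.example.net",
}


def demo():
    """Run the four scenarios and return their verdicts by name."""
    return {
        "rewritten_host": csrf_check(PROXY_REWRITES_HOST),
        "rewritten_host_allowlisted": csrf_check(
            PROXY_REWRITES_HOST, accepted_origins=["meet.example.com"]),
        "preserved_host_plain_http": csrf_check(PROXY_PRESERVES_HOST),
        "preserved_host_forwarded": csrf_check(PROXY_PRESERVES_HOST, honor_forwarded=True),
        "cross_site": csrf_check(CROSS_SITE, honor_forwarded=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

Two things the model makes visible. First, passing the original Host through is not enough on its own when TLS terminates at the proxy: the backend still believes it is plain http on its listener port, so the scheme and port differ from the https Origin and the request is aborted (the preserved_host_plain_http case); the application must also learn the public scheme, and it must only trust X-Forwarded-* values written by a proxy that is the sole path to the backend. Second, both legitimate fixes (making the app see the public scheme/host/port, or adding the public hostname to the listener's accepted list) keep the cross_site case aborted, which is exactly what disabling the listener would throw away.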
