From: "Coscend@OM"
To: dev@openmeetings.apache.org
Subject: OM 3.3.0: CSRF Solution via Reverse Proxy Server
Date: Mon, 24 Jul 2017 23:58:45 -0500
Message-ID: <000501d30502$b2311170$16933450$@Coscend.com>

Dear OpenMeetings Developers,

Congratulations on beefing up Web content security of OpenMeetings in 3.3.0, including XSS, CSRF and requests via security headers!

Your guidance in a reverse proxy scenario would be appreciated.

In a reverse proxy use case, the origin site request is changed by the proxy server. That is, the IP and port of the product's server are replaced with the proxy server's IP and port number. This will be perceived incorrectly as a CSRF attack. Hence, it will be blocked by Application.java:

@ 151
------------------------------
getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
    ...
});
@ 172

Would you provide us guidance on how to find a solution?

(1) Temporary workaround: How to disable the CSRF feature so as to be able to access via proxy? (Removing lines 152-172 will give a Java IllegalArgumentException.)

(2) Long-term: Have CSRF and access through the proxy server.

Thank you.

Sincerely,
Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com
------------------------------------------------------------------
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly.
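Editor's note with an added example (not OpenMeetings project code and not part of the message above). Wicket's CsrfPreventionRequestCycleListener, which the Application.java snippet registers, compares the browser-sent Origin (or, failing that, Referer) header with an origin it rebuilds from the container request: scheme, server name and port as the servlet container sees them. Behind a reverse proxy the browser sends the proxy's public origin while the container reports its own internal host and port, so the comparison fails and the listener aborts the request, which is the behaviour the message describes. One way to keep the protection enabled (the long-term option (2) asked about) is to whitelist the public host name with the listener's addAcceptedOrigin method. The application class, the home page and the host name meetings.example.com below are hypothetical.

```java
// Added example, not OpenMeetings code: keep Wicket CSRF origin checking enabled
// behind a reverse proxy by whitelisting the public host name that browsers see.
// ProxyAwareApplication, HomePage and meetings.example.com are hypothetical.
import org.apache.wicket.Page;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;

public class ProxyAwareApplication extends WebApplication {

    // Public host presented by the reverse proxy (hypothetical value).
    // Wicket expects a bare host name here, without scheme or port.
    private static final String PUBLIC_HOST = "meetings.example.com";

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical placeholder page
    }

    @Override
    protected void init() {
        super.init();

        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener();

        // The listener compares the request's Origin/Referer header with the origin
        // rebuilt from the container request (scheme, server name, port). Behind a
        // proxy those differ, so the public host is whitelisted explicitly.
        csrf.addAcceptedOrigin(PUBLIC_HOST);

        // Keep the secure defaults: a request whose Origin matches neither the
        // container-side origin nor the whitelist is rejected, and a listener
        // request that carries no Origin/Referer at all is rejected as well.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);
        csrf.setNoOriginAction(CsrfAction.ABORT);
        csrf.setErrorCode(400);
        csrf.setErrorMessage("Origin does not match this deployment");

        getRequestCycleListeners().add(csrf);
    }

    /** Placeholder home page so the example compiles (hypothetical). */
    public static class HomePage extends WebPage {
        private static final long serialVersionUID = 1L;
    }
}
```

Two caveats for a practitioner. First, the whitelist is only needed because the container sees the wrong origin; the complementary fix is to make the proxy pass the original Host header through (for nginx, `proxy_set_header Host $host;`) and, when the proxy terminates TLS, to send X-Forwarded-Proto and enable Tomcat's RemoteIpValve so that getScheme(), getServerName() and getServerPort() report the public values. With that in place the listener's own local-origin comparison succeeds and no whitelist entry is required. Second, switching the conflicting-origin action to CsrfAction.ALLOW would stop the blocking immediately, but it only logs mismatches and therefore amounts to turning the protection off; it is the "temporary workaround" (1), not a solution.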