From: Maxim Solodovnik
To: dev, "OM.Insights@Coscend.com"
Date: Tue, 25 Jul 2017 12:08:29 +0700
Subject: Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server
In-Reply-To: <000501d30502$b2311170$16933450$@Coscend.com>
Mailing-List: dev@openmeetings.apache.org

Hello Hemant,

CSRF works as expected on demo servers.
I believe you need to set up Rewrite rules in addition to proxy rules.
This should do the trick :)

On Tue, Jul 25, 2017 at 11:58 AM, Coscend@OM wrote:
> Dear OpenMeetings Developers,
>
> Congratulations on beefing up Web content security of OpenMeetings in 3.3.0,
> including XSS, CSRF and requests via security headers!
>
> Your guidance in a reverse proxy scenario would be appreciated.
>
> In a reverse proxy use case, the origin site request is changed by the proxy
> server. That is, the IP and port of the product's server are replaced with the
> proxy server's IP and port number. This will be perceived incorrectly as a
> CSRF attack. Hence, it will be blocked by
>
> Application.java @ 151
> ------------------------------
> getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
>     ...
> }); @ 172
>
> Would you provide us guidance on how to find a solution?
> (1) Temporary workaround: How to disable the CSRF feature so as to be able to
>     access via proxy? (Removing lines 152-172 gives a Java
>     IllegalArgumentException.)
> (2) Long-term: Have CSRF and access through proxy server
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
>
> Coscend Communications Solutions
> www.Coscend.com
> ------------------------------------------------------------------
> Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
> Telepresence Services, on the fly.
> ------------------------------------------------------------------
> CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
> Messages from Coscend Communications Solutions' posted at:
> http://www.Coscend.com/Terms_and_Conditions.html
>
> ---
> This email has been checked for viruses by AVG.
> http://www.avg.com

--
WBR
Maxim aka solomax
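The false positive Hemant describes and the proxy-side fix Maxim points at, as an added example that is not part of this thread and not OpenMeetings or Wicket code: a Python model of an Origin-versus-Host CSRF check of the kind CsrfPreventionRequestCycleListener performs, run against constructed requests. The public name meet.example.com, the backend address 127.0.0.1:5080 and the "preserve host" switch on the modelled proxy are assumptions; the switch stands in for Apache's `ProxyPreserveHost On` or an equivalent rewrite that passes the client's Host header through to the backend.

```python
"""Model of an Origin-vs-Host CSRF check behind a reverse proxy.

Added example, not OpenMeetings/Wicket code. All requests below are
constructed; header names are standard HTTP. The backend derives its own
origin from scheme plus the Host header it received, as a servlet container
does when nothing tells it about a proxy in front (assumption).
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(scheme, host, port=None):
    """Return an RFC 6454-style (scheme, host, port) tuple with explicit port."""
    scheme = scheme.lower()
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host.lower(), int(port))


def origin_of_url(url):
    """Origin of an absolute URL, e.g. the value of an Origin or Referer header."""
    parts = urlsplit(url)
    return normalize_origin(parts.scheme, parts.hostname, parts.port)


def origin_of_request(req):
    """Origin the backend believes it serves: its scheme and its own Host header.

    IPv6 literals in brackets are not handled; enough for the demonstration.
    """
    host, _, port = req["host"].partition(":")
    return normalize_origin(req["scheme"], host, port or None)


def csrf_check(req):
    """Return (allowed, reason) for a state-changing request.

    Policy: Origin (or, failing that, Referer) must match the server's own
    origin; a request with neither header is rejected as having no provenance.
    """
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if source is None:
        return False, "no Origin or Referer header"
    try:
        expected = origin_of_request(req)
        actual = origin_of_url(source)
    except (KeyError, ValueError, AttributeError):
        return False, "unparseable origin"
    if actual == expected:
        return True, "origin matches"
    return False, f"origin {actual} != server {expected}"


def reverse_proxy(client_req, backend_host, preserve_host):
    """Forward a client request to the backend the way a reverse proxy would.

    Without preserve_host the proxy rewrites Host to the backend's own address
    (the default of many proxies); with it, the client's Host passes through.
    The browser-supplied Origin/Referer headers are never rewritten either way,
    which is exactly why the backend then sees a mismatch.
    """
    return {
        "scheme": "http",  # proxy speaks plain HTTP to the backend (assumed)
        "host": client_req["host"] if preserve_host else backend_host,
        "headers": dict(client_req["headers"]),
    }


def run_scenarios():
    """Constructed scenarios; returns {name: allowed}."""
    public = "meet.example.com"   # assumed public name of the proxy
    backend = "127.0.0.1:5080"    # assumed backend address
    direct = {"scheme": "http", "host": backend,
              "headers": {"Origin": f"http://{backend}"}}
    legit = {"scheme": "http", "host": public,
             "headers": {"Origin": f"http://{public}"}}
    referer_only = {"scheme": "http", "host": public,
                    "headers": {"Referer": f"http://{public}/room/1"}}
    evil = {"scheme": "http", "host": public,
            "headers": {"Origin": "http://attacker.example"}}
    blank = {"scheme": "http", "host": public, "headers": {}}
    results = {
        "direct": csrf_check(direct),
        "proxy_rewrites_host": csrf_check(reverse_proxy(legit, backend, False)),
        "proxy_preserves_host": csrf_check(reverse_proxy(legit, backend, True)),
        "referer_fallback": csrf_check(reverse_proxy(referer_only, backend, True)),
        "cross_site_via_proxy": csrf_check(reverse_proxy(evil, backend, True)),
        "no_provenance": csrf_check(reverse_proxy(blank, backend, True)),
    }
    return {name: ok for name, (ok, _) in results.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} {'allowed' if ok else 'blocked'}")
```

Note that to the application the rewritten-Host case and the real cross-site case are indistinguishable (both are "Origin does not match what I serve"), which is why the fix belongs in the proxy configuration rather than in the listener. The check compares scheme, host and port, so if TLS terminates at the proxy the backend must also learn the original scheme and port (through the servlet container's proxy settings, for example); preserving only the Host header otherwise leaves an https/443 versus http/80 mismatch that is blocked the same way.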