Subject: Re: Using CSRF prevention filter with session-timeout workflow resumption
To: dev@tomcat.apache.org
From: Christopher Schultz
Date: Thu, 21 Nov 2019 10:53:23 -0500

Mark,

On 11/21/19 04:00, Mark Thomas wrote:
>> All,
>>
>> The servlet spec defines the workflow for form-based
>> authentication: if the client requests a protected resource, an
>> authorization check is performed. If the user is unauthenticated,
>> the login form is shown. Successful login allows the user to be
>> sent to the originally-requested resource.
>>
>> This works great to allow users to pick-up workflows where they
>> left-off in the case of session timeout: once authenticated, the
>> user is sent back to the page they were trying to get to
>> originally, including a potential re-POST of form data, for
>> example.
>>
>> With the CSRF prevention filter in-place, this then causes an
>> error (well, CSRF policy violation == forbidden response) because
>> the nonce originally added to the request's query string no
>> longer matches a valid nonce on the server.
>>
>> This can be considered both good and bad behavior. Good: if
>> handed a forged nonce from an attacker, the nonce will not be
>> valid if the user is asked to login. Session-fixation attacks
>> could get an attacker around this. Bad: it completely and totally
>> breaks workflow-resumption.
>>
>> I'm looking for a way around this because I *really* like the
>> fact that you can resume a workflow after re-authenticating.
>>
>> (I happen to be using a 3rd-party authentication and
>> authorization library implemented as a Filter and I'm having some
>> issues with getting that working as well, but the problem exists
>> with the stock Tomcat authenticators.)
>>
>> Is there a safe way to implement workflow-resumption in the
>> presence of the CSRF prevention filter? Or even under *any* CSRF
>> scheme?
>
> Use an Origin based protection?

So something like CORS? I haven't dived into CORS, yet. Is it fair
to say that CSRF might be a simpler and less powerful standard while
CORS is a replacement for it? Or do they serve different use-cases?

-chris
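As an added illustration of the Origin-based protection Mark suggests (not code from Tomcat or from either poster; it assumes the Servlet 4.0 API shipped with Tomcat 9, a hypothetical class name, and an `allowedOrigins` init-param): a filter that decides on request headers rather than a per-session nonce, which is why it is indifferent to the session timeout that invalidates the nonce in the workflow described above.

```java
import java.io.IOException;
import java.net.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not Tomcat's own): a state-changing request is let
// through only when its Origin (or, failing that, Referer) names one of the
// site's own origins. No per-session nonce is involved, so the check still
// passes when a request is replayed after session timeout and re-login.
public class OriginCheckFilter implements Filter {
    private static final Set<String> SAFE = Set.of("GET", "HEAD", "OPTIONS");
    private Set<String> allowed = Set.of();

    @Override
    public void init(FilterConfig cfg) {
        // Init-param value is constructed, e.g. "https://app.example.com https://www.example.com".
        String p = cfg.getInitParameter("allowedOrigins");
        if (p != null) allowed = new HashSet<>(Arrays.asList(p.trim().toLowerCase(Locale.ROOT).split("\\s+")));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String src = sourceOrigin(r.getHeader("Origin"), r.getHeader("Referer"));
        if (SAFE.contains(r.getMethod()) || (src != null && allowed.contains(src))) {
            chain.doFilter(req, res);   // safe method, or a same-site request
        } else {
            // Same outcome as a nonce mismatch in the CSRF prevention filter.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // Origin is preferred; Referer is reduced to scheme://host[:port]. Returns
    // null when neither is usable ("Origin: null", or both headers stripped by
    // a privacy setting); such requests are refused rather than trusted.
    static String sourceOrigin(String origin, String referer) {
        if (origin != null && !origin.isEmpty() && !"null".equals(origin)) {
            return origin.toLowerCase(Locale.ROOT);
        }
        if (referer == null) return null;
        try {
            URI u = new URI(referer);
            if (u.getScheme() == null || u.getHost() == null) return null;
            String port = u.getPort() == -1 ? "" : ":" + u.getPort();
            return (u.getScheme() + "://" + u.getHost() + port).toLowerCase(Locale.ROOT);
        } catch (URISyntaxException e) {
            return null;
        }
    }
}
```

Checking the Origin header is not CORS: CORS governs whether a browser lets cross-origin script read a response, whereas this check refuses to act on a cross-site state-changing request at all. Requests that arrive with neither header are rejected here, so verify the behaviour against the browsers and referrer policies your users actually have.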