
    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Implemented
    • Affects Version/s: Upcoming Branch
    • Fix Version/s: Upcoming Branch
    • Component/s: ALL APPLICATIONS
    • Labels:
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      CSRF tokens are generated using the SecureRandom class (possibly later a JWT with a time-out).
      They are stored in the user session (for AJAX calls and unauthenticated HTTP calls) or in the OFBiz UtilCache (for authenticated HTTP calls), and are verified on POST requests.

      1. In controllers, a new csrf-token attribute is added to the security tag to exempt from, or force, the CSRF token check.
      2. In Widget Forms, a hidden token field is auto-generated.
      3. In FTL forms, the CSRF token is passed through <@ofbizUrl> to automate the change. Using the <@ofbizUrl> macro to generate the CSRF token means there is no need to manually add a CSRF token field to each form in the FTL files, which saves time for users doing custom implementation and maintenance. Although the CSRF token appears in the form URL, it is invalidated on form submission, so it is single-use and harmless even though the token of the submitted form is shown in the browser address bar.
      4. For AJAX calls, an ajaxPrefilter function (registered on DOM ready) is added through OfbizUtil.js (itself loaded at the start of decorators and the like).
      5. The HTML metadata stores the CSRF token used by jQuery AJAX. This token is not replaced by another value after it is consumed.
      6. CSRF tokens for the user are removed from the UtilCache when the user logs out or the session is invalidated.

      The general rules are as follows:

      • A RequestMap configured with the 'get' method is exempted from the CSRF token check.
      • A RequestMap configured with the 'post' or 'all' method is subjected to the CSRF token check. (Note there are discussions that a RequestMap with the 'all' method should also not be subjected to the CSRF token check. This will be done after ensuring a separate URI is used when posting changes.)
      • "main" request URIs are exempted from the CSRF token check.
      • Setting csrf-token to false or true on the RequestMap overrides the general rules above.
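
The token life cycle and the general rules above, as an added illustration that is not OFBiz code and not taken from the attached patches. The class, its method names, the in-memory map standing in for the session and UtilCache storage, and the sample URIs (updateParty, viewParty) and session id are all hypothetical; the real implementation lives in the attached CsrfUtil.java and the controller code.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not OFBiz code: the token life cycle and the request-map
 * rules described in the issue. Class, method and field names are hypothetical.
 */
public class CsrfTokenDemo {

    // Unconsumed tokens per session id; stands in for the session attribute /
    // UtilCache storage named in the description.
    private static final Map<String, Set<String>> TOKENS_BY_SESSION = new HashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    /** Generate a 256-bit token with SecureRandom, register it for the session, return it. */
    public static String generateToken(String sessionId) {
        byte[] bytes = new byte[32];
        RNG.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        TOKENS_BY_SESSION.computeIfAbsent(sessionId, k -> new HashSet<>()).add(token);
        return token;
    }

    /**
     * Verify a submitted token for the session. Form tokens (item 3) are consumed on
     * first use, so replaying the value seen in the address bar fails; the AJAX token
     * kept in the page metadata (item 5) is verified with consumeOnMatch=false and stays valid.
     */
    public static boolean verify(String sessionId, String submitted, boolean consumeOnMatch) {
        Set<String> known = TOKENS_BY_SESSION.get(sessionId);
        if (known == null || submitted == null) {
            return false;
        }
        byte[] sub = submitted.getBytes(StandardCharsets.UTF_8);
        for (Iterator<String> it = known.iterator(); it.hasNext();) {
            byte[] candidate = it.next().getBytes(StandardCharsets.UTF_8);
            // constant-time comparison so timing does not leak how many bytes matched
            if (MessageDigest.isEqual(candidate, sub)) {
                if (consumeOnMatch) {
                    it.remove();
                }
                return true;
            }
        }
        return false;
    }

    /** Drop all tokens of a session, as on logout or session invalidation (item 6). */
    public static void clearSession(String sessionId) {
        TOKENS_BY_SESSION.remove(sessionId);
    }

    /**
     * Apply the general rules to one request map. csrfTokenAttr is the controller's
     * csrf-token attribute, or null when it is not set.
     */
    public static boolean requiresCsrfCheck(String uri, String method, Boolean csrfTokenAttr) {
        if (csrfTokenAttr != null) {
            return csrfTokenAttr;                 // explicit csrf-token="true|false" overrides
        }
        if ("get".equalsIgnoreCase(method)) {
            return false;                         // 'get' request maps are exempt
        }
        if ("main".equals(uri)) {
            return false;                         // "main" request URIs are exempt
        }
        return "post".equalsIgnoreCase(method) || "all".equalsIgnoreCase(method);
    }

    public static void main(String[] args) {
        String sid = "JSESSIONID-example";        // constructed sample session id
        String formToken = generateToken(sid);
        String ajaxToken = generateToken(sid);
        System.out.println("POST updateParty needs check: " + requiresCsrfCheck("updateParty", "post", null));
        System.out.println("GET viewParty needs check:    " + requiresCsrfCheck("viewParty", "get", null));
        System.out.println("main (all) needs check:       " + requiresCsrfCheck("main", "all", null));
        System.out.println("form token, first use:        " + verify(sid, formToken, true));
        System.out.println("form token, replayed:         " + verify(sid, formToken, true));
        System.out.println("ajax token, twice:            " + verify(sid, ajaxToken, false) + " " + verify(sid, ajaxToken, false));
        clearSession(sid);
        System.out.println("after logout:                 " + verify(sid, ajaxToken, false));
    }
}
```

Two design points carry over from the description: the form token is removed from the store on its first successful match, which is what makes its appearance in the address bar harmless, while the AJAX token is looked up without removal because the page metadata cannot be refreshed on every request. The example keeps both kinds of token in one set per session for brevity; a real store would keep them apart so a form submission cannot consume the AJAX token.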

      To Discuss:

      • Invalidate authenticated user session when CSRF token check fails.
      • Configure the general rules in a Service method (which will be run inside the constructor of RequestMap class) when determining the final securityCsrfToken value.

        Attachments

        1. OFBIZ-11306.patch (34 kB, James Yong)
        2. OFBIZ-11306.patch (34 kB, Jacques Le Roux)
        3. OFBIZ-11306-v2.patch (42 kB, James Yong)
        4. OFBIZ-11306.patch (43 kB, Jacques Le Roux)
        5. OFBIZ-11306.patch (45 kB, James Yong)
        6. OFBIZ-11306.patch (52 kB, James Yong)
        7. OFBIZ-11306.patch (59 kB, James Yong)
        8. OFBIZ-11306.patch (211 kB, James Yong)
        9. OFBIZ-11306.patch (206 kB, James Yong)
        10. OFBIZ-11306_Plugins.patch (10 kB, James Yong)
        11. OFBIZ-11306_Plugins.patch (20 kB, James Yong)
        12. OFBIZ-11306.patch (240 kB, James Yong)
        13. OFBIZ-11306_Plugins.patch (45 kB, James Yong)
        14. OFBIZ-11306.patch (241 kB, James Yong)
        15. OFBIZ-11306_Plugins.patch (10 kB, James Yong)
        16. OFBIZ-11306.patch (211 kB, James Yong)
        17. OFBIZ-11306_Plugins.patch (0.7 kB, James Yong)
        18. OFBIZ-11306.patch (57 kB, James Yong)
        19. OFBIZ-11306.patch (58 kB, James Yong)
        20. CsrfTokenTransform.java (3 kB, Jacques Le Roux)
        21. CsrfTokenAjaxTransform.java (3 kB, Jacques Le Roux)
        22. CsrfUtil.java (13 kB, Jacques Le Roux)
        23. OFBIZ-11306.patch (61 kB, Jacques Le Roux)
        24. OFBIZ-11306.patch (63 kB, Jacques Le Roux)
        25. OFBIZ-11306.patch (62 kB, Jacques Le Roux)
        26. OFBIZ-11306.patch (62 kB, Jacques Le Roux)
        27. OFBIZ-11306-alternative.patch (62 kB, Jacques Le Roux)
        28. OFBIZ-11306-alternative.patch (74 kB, James Yong)
        29. OFBIZ-11306-alternative.patch (77 kB, Jacques Le Roux)
        30. OFBIZ-11306-alternative.patch (76 kB, Jacques Le Roux)
        31. OFBIZ-11306-alternative.patch (79 kB, James Yong)
        32. OFBIZ-11306-alternative.patch (87 kB, James Yong)
        33. OFBIZ-11306-alternative.patch (90 kB, James Yong)
        34. OFBIZ-11306-alternative.patch (91 kB, James Yong)
        35. partyTokenMap.webtools.txt (155 kB, Jacques Le Roux)
        36. OFBIZ-11306-alternative.patch (96 kB, James Yong)
        37. OFBIZ-11306-alternative merged with James's.patch (96 kB, Jacques Le Roux)
        38. OFBIZ-11306-alternative merged with James's.patch (96 kB, Jacques Le Roux)
        39. OFBIZ-11306_Plugins.patch (1.0 kB, Jacques Le Roux)
        40. OFBIZ-11306-alternative merged with James's.patch (97 kB, Jacques Le Roux)

              People

              • Assignee: Jacques Le Roux (jleroux)
              • Reporter: James Yong (jamesyong)
              • Votes: 0
              • Watchers: 6
