Details
- New Feature
- Status: Closed
- Major
- Resolution: Fixed
Description
This feature will add Cross-Site Request Forgery (CSRF) protection for the ACTION_PHASE of the portlet lifecycle via Spring Security.
Specifically, it will ensure that the Spring Security _csrf parameter is added to every javax.portlet.ActionURL generated by Pluto's portlet container. It will also utilize the "springSecurityFilterChain" to verify that the value of the _csrf parameter is correct before the ACTION_PHASE of the portlet lifecycle is invoked. This works for normal ActionURLs as well as Portlet Hub "Ajax" ActionURLs and "Partial" ActionURLs.
This feature does not secure any other phase of the portlet lifecycle (such as the RESOURCE_PHASE). Note that if a portlet developer uses an XMLHttpRequest (XHR) to submit a form via HTTP POST to a javax.portlet.ResourceURL, it remains the portlet developer's responsibility to apply some kind of CSRF protection.
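One way a portlet's client script can close the gap described above for XHR POSTs to a ResourceURL, as an added example that is not part of the Pluto issue or project. It assumes the portlet's render output exposes the token in `_csrf` / `_csrf_header` meta tags (the pattern from Spring Security's reference documentation) and Spring Security's default `X-CSRF-TOKEN` header name.

```javascript
// Helper for portlet client scripts that submit a form via XHR/fetch to a
// javax.portlet.ResourceURL. Pluto's CSRF feature covers ActionURLs only, so a
// RESOURCE_PHASE POST must carry the Spring Security token itself.
// ASSUMPTION: the portlet's render output exposes the token in <meta> tags, the
// pattern from the Spring Security reference documentation:
//   <meta name="_csrf" content="...token...">
//   <meta name="_csrf_header" content="X-CSRF-TOKEN">
// X-CSRF-TOKEN is Spring Security's default header name; _csrf its default parameter.

// Reads the token and header name from the document; returns null if either is absent.
function readCsrfFromMeta(doc) {
  const tokenEl = doc.querySelector('meta[name="_csrf"]');
  const headerEl = doc.querySelector('meta[name="_csrf_header"]');
  if (!tokenEl || !headerEl) return null;
  const token = tokenEl.getAttribute('content');
  const headerName = headerEl.getAttribute('content');
  if (!token || !headerName) return null;
  return { token, headerName };
}

// Builds the fetch options for a ResourceURL POST. The token goes in the header
// that Spring Security's CsrfFilter checks, and cookies are sent so the session
// holding the server-side token is the one it is compared against. Fails closed:
// a missing token aborts the request instead of sending an unprotected POST.
function buildResourcePost(body, csrf) {
  if (!csrf || !csrf.token || !csrf.headerName) {
    throw new Error('CSRF token not available; refusing to send unprotected resource POST');
  }
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  headers[csrf.headerName] = csrf.token;
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers,
    body: new URLSearchParams(body).toString(),
  };
}

// Sends the POST; a 403 from the filter chain (token missing or stale, e.g. after
// re-login) is surfaced as an error rather than silently treated as success.
async function postToResourceUrl(resourceUrl, body, csrf, fetchImpl = fetch) {
  const response = await fetchImpl(resourceUrl, buildResourcePost(body, csrf));
  if (response.status === 403) {
    throw new Error('Resource request rejected by CSRF check (HTTP 403)');
  }
  return response;
}
```

Call `postToResourceUrl(resourceUrl, formFields, readCsrfFromMeta(document))` from the portlet's JavaScript in place of a bare XHR; the returned promise rejects when the server-side check fails.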