[Owasp-csrfguard] Anyone still on this list?
cmorris at part.net
cmorris at part.net
Sat Oct 30 12:42:29 EDT 2010
I would love to see the project keep going, and I am willing to take the
lead on it if needed.
To use CSRFGuard at partnet we needed to have the tokens shared across
multiple webapps deployed on the same server. The changes we submitted
have not been included in any release. Our changes optionally store the
CSRF tokens on the subject with a JAAS login module. It also adds a
interface for different token generating strategies, since we weren't
happy with the existing strategy. Here is a link to more details
For our non-struts2 projects we use CSRFGuard (our custom build of it) but
we built a struts2 solution that works with CSRFGuard projects. For
struts2 projects we built an interceptor that enforces the token. The
nice thing about the interceptor is we can annotate the actions as needing
forgery protection or not (it can be either black-list or white-list). We
also changed the jsp side so that struts tags add the tokens for forms and
links and buttons and so on. If people our interested in our struts2
solution I'm sure I could get approval to contribute this to owasp (or
> Why thank you for that kind comment, the podcast is a labor of love :)
> Have your submitted changes to CSRF guard been approved?
> Do you have any interest in taking lead on the CSRF Guard project,
> Cameron? It should not take up much of your time once we get back to
> production quality, I'll help, It's high visibility, it's in deep need of
> fine-tuning, and may do great things for your career.
> Thanks again, and let us know if you are interested!
> - Jim
> -----Original Message-----
> From: Cameron Morris [mailto:cmorris at part.net]
> Sent: Friday, October 29, 2010 9:08 PM
> To: Owasp-csrfguard at lists.owasp.org; Jim Manico
> Subject: RE: [Owasp-csrfguard] Anyone still on this list?
> Howdy Mr. Manico.
> I love the podcast. Keep up the good work.
> I'm still on this. I submitted some changes to CSRFGuard about a year
> ago and stayed on the list to hear about new releases and changes.
More information about the Owasp-csrfguard