[Owasp-csrfguard] Anyone still on this list?
jim.manico at owasp.org
Sun Oct 31 23:54:46 EDT 2010
I have great news!
Eric Sheridan, the original author of CSRFGuard, is stepping back into
From Eric this morning:
> I have renewed energy to begin actively working on and maintaining
this project again, starting ASAP. There is a significant amount of
code refactoring that I will be doing (as I wrote most code over 2 yrs
ago) followed by a series of usability and bug update
I'll help some as well.
Can you think of anything that needs to be done to make CSRFGuard a more
production quality product? Do we need more documentation? Should we get
this project into SonaType/Maven? What else should we do to make
CSRFGuard the best CSRF defense project on the planet? :)
Please let us know here on the list, or add a new entry to the CSRFGuard
code repository at http://code.google.com/p/owaspcsrfguard/issues/entry
Aloha and thanks all,
> I would love to see the project keep going, and I am willing to take the
> lead on it if needed.
> To use CSRFGuard at partnet we needed to have the tokens shared across
> multiple webapps deployed on the same server. The changes we submitted
> have not been included in any release. Our changes optionally store the
> CSRF tokens on the subject with a JAAS login module. It also adds an
> interface for different token generating strategies, since we weren't
> happy with the existing strategy. Here is a link to more details
> For our non-struts2 projects we use CSRFGuard (our custom build of it) but
> we built a struts2 solution that works with CSRFGuard projects. For
> struts2 projects we built an interceptor that enforces the token. The
> nice thing about the interceptor is we can annotate the actions as needing
> forgery protection or not (it can be either black-list or white-list). We
> also changed the jsp side so that struts tags add the tokens for forms and
> links and buttons and so on. If people are interested in our struts2
> solution I'm sure I could get approval to contribute this to OWASP (or
> - Cam
>> Why thank you for that kind comment, the podcast is a labor of love :)
>> Have your submitted changes to CSRF guard been approved?
>> Do you have any interest in taking lead on the CSRF Guard project,
>> Cameron? It should not take up much of your time once we get back to
>> production quality, I'll help, it's high visibility, it's in deep need of
>> fine-tuning, and may do great things for your career.
>> Thanks again, and let us know if you are interested!
>> - Jim
>> -----Original Message-----
>> From: Cameron Morris [mailto:cmorris at part.net]
>> Sent: Friday, October 29, 2010 9:08 PM
>> To: Owasp-csrfguard at lists.owasp.org; Jim Manico
>> Subject: RE: [Owasp-csrfguard] Anyone still on this list?
>> Howdy Mr. Manico.
>> I love the podcast. Keep up the good work.
>> I'm still on this. I submitted some changes to CSRFGuard about a year
>> ago and stayed on the list to hear about new releases and changes.