[Esapi-user] CSRF JSF solutions

Sebastian smarichal at seciu.edu.uy
Tue Mar 22 10:32:14 EDT 2011


Hi Eric and Chris,

Some time ago I sent an email asking for some help configuring CSRF Guard
but there wasn't any reply.
I'm pasting the mail here:

Hi,

Some time ago I tried CSRF 2.2 and it worked well, but it didn't have AJAX
support, so I decided to just wait some time and see if a new release
was done with AJAX support.

Now I'm trying CSRF Guard 3.0.0.503 and I found that it has AJAX support,
great! The matter is that I couldn't configure it like the 2.2 version.
In version 2.2 I just modified the configuration file like this:

org.owasp.csrfguard.handler.JavaScriptHandler=org.owasp.csrfguard.handlers.JavaScriptHandler
org.owasp.csrfguard.handler.JavaScriptHandler.SearchPattern=(?i)</body>
org.owasp.csrfguard.handler.JavaScriptHandler.ReplaceText=${update}\n</body>


Configuring the JavaScriptHandler was enough to get the CSRF protection
active and working well, but now I don't know how to configure
CSRF Guard across the whole application!

Thanks!

Sebastian




Eric Sheridan wrote:
> Chris - thanks for the heads up.
>
> Sebastian - can you let me know what problems you had? I'm trying to
> elevate CSRFGuard 3.0 to BETA, thus the need to eliminate bugs and
> improve usability.
>
> -Eric
>
> On 3/21/11 6:57 PM, Chris Schmidt wrote:
>
>> Hi Sebastian - I am curious as to what kinds of issues you encountered when
>> trying to get CSRFGuard to work with JSF. I have also included Eric Sheridan
>> on this email, the maintainer of the CSRFGuard project.
>>
>> -----Original Message-----
>> From: esapi-user-bounces at lists.owasp.org
>> [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Sebastian
>> Sent: Monday, March 21, 2011 8:00 AM
>> To: esapi-user at lists.owasp.org
>> Subject: [Esapi-user] CSRF JSF solutions
>>
>> Hi, some days ago I tried to configure CSRFGuard in a JSF project but I
>> couldn't do it successfully. So I found another solution here
>> http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
>>
>> It is much simpler than CSRFGuard; it doesn't have advanced configuration options,
>> but it seems to work fine!!
>>
>> Cheers,
>> Sebastián