[Esapi-user] CSRF JSF solutions

Eric Sheridan eric.sheridan at owasp.org
Tue Mar 22 10:48:15 EDT 2011


Not sure why you didn't get a reply. While I was admittedly poor at
responses with the 2.x release, I have been better with the 3.x series.
Sorry about that.

The 3.x series is completely different in terms of Ajax and the
JavaScriptHandler. Essentially you have to map a servlet in web.xml and
include a <script> tag with a src set to the URI of the servlet. The
rest is 'magic'.

If you have spare time, I'd be interested in your thoughts on the
current user manual: http://www.owasp.org/index.php/CSRFGuard_3_User_Manual

More specifically, would it help address your installation/configuration
troubles below had it been available to you during your initial
go-around? I'm hoping this thing can help alleviate such pains.


On 3/22/11 10:32 AM, Sebastian wrote:
> Hi Eric and Chris,
> some time ago I sent an email asking for some help to configure CSRF Guard
> but there wasn't any reply.
> I'm pasting the mail here:
> Hi,
> Some time ago I tried CSRF 2.2 and it worked well but it didn't have AJAX
> support, so I decided to just wait some time and see if a new release
> was done with AJAX support.
> Now I'm trying CSRF Guard and I found that it has AJAX support,
> great! The matter is that I couldn't configure it like the 2.2 version.
> In version 2.2 I just modified the configuration file like this:
> org.owasp.csrfguard.handler.JavaScriptHandler=org.owasp.csrfguard.handlers.JavaScriptHandler
> org.owasp.csrfguard.handler.JavaScriptHandler.SearchPattern=(?i)</body>
> org.owasp.csrfguard.handler.JavaScriptHandler.ReplaceText=${update}\n</body>
> Configuring the JavaScriptHandler was enough to get the CSRF protection
> active and working well, but now I don't know how I can configure
> CSRF Guard across the whole application!
> Thanks!
> Sebastian
> Eric Sheridan wrote:
>> Chris - thanks for the heads up.
>> Sebastian - can you let me know what problems you had? I'm trying to
>> elevate CSRFGuard 3.0 to BETA, thus the need to eliminate bugs and
>> improve usability.
>> -Eric
>> On 3/21/11 6:57 PM, Chris Schmidt wrote:
>>> Hi Sebastian - I am curious as to what kinds of issues you
>>> encountered when
>>> trying to get CSRFGuard to work with JSF. I have also included Eric
>>> Sheridan
>>> on this email, the maintainer of the CSRFGuard project.
>>> -----Original Message-----
>>> From: esapi-user-bounces at lists.owasp.org
>>> [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Sebastian
>>> Sent: Monday, March 21, 2011 8:00 AM
>>> To: esapi-user at lists.owasp.org
>>> Subject: [Esapi-user] CSRF JSF solutions
>>> Hi, some days ago I tried to configure CSRFGuard in a JSF project but I
>>> couldn't do it successfully. So I found another solution here
>>> http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
>>> It is much simpler than CSRFGuard, it doesn't have advanced configuration
>>> options
>>> but it seems to work fine!!
>>> Cheers,
>>> Sebastián
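The 3.x setup described in the top message (a servlet mapped in web.xml plus a <script> tag pointing at it), as an added example that is not part of the original thread. The servlet class name is the one shipped in the CSRFGuard 3 distribution, not a value from this thread; the servlet name, URL pattern and the /myapp context path are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml fragment (added example, not from the thread) -->

<!-- Servlet that serves the token-injecting JavaScript.
     Class name as shipped with CSRFGuard 3; check it against the
     user manual for the release you deploy. -->
<servlet>
  <servlet-name>JavaScriptServlet</servlet-name>
  <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>

<!-- URL pattern is an assumption; any URI works as long as the
     script tag below points at the same path. -->
<servlet-mapping>
  <servlet-name>JavaScriptServlet</servlet-name>
  <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>

<!-- In each protected page (for JSF, the shared Facelets or JSP template),
     reference the servlet URI. "/myapp" is an assumed context path:

     <script src="/myapp/JavaScriptServlet"></script>
-->
```

The script only adds tokens to forms, links and Ajax requests on the client; requests are still validated server-side by the CSRFGuard filter, which is configured separately as described in the user manual linked above.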