[Esapi-user] CSRF JSF solutions

Sebastian smarichal at seciu.edu.uy
Tue Mar 22 12:04:58 EDT 2011


Eric, thanks for the reply!
I configured everything as you recommend, but when I try to access any 
page I'm getting this error:

12:47:18,848 ERROR [[JavaScriptServlet]] Servlet.service() para servlet JavaScriptServlet lanzó excepción
java.lang.NullPointerException
    at org.owasp.csrfguard.servlet.JavaScriptServlet.writeJavaScript(JavaScriptServlet.java:146)
    at org.owasp.csrfguard.servlet.JavaScriptServlet.doGet(JavaScriptServlet.java:97)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)

I downloaded the source code (CSRF Guard 3.0.0.503):

private void writeJavaScript(HttpServletRequest request, HttpServletResponse response) throws IOException {
    HttpSession session = request.getSession(true);   // --> line 21

So I guess the source code doesn't match the binary, because on 
that line there isn't a possible null pointer exception.

What can I do to solve it?

Thanks!
Sebastián

Eric Sheridan wrote:
> Sebastian,
>
> Not sure why you didn't get a reply. While I was admittedly poor at
> responses with the 2.x release, I have been better with the 3.x series.
> Sorry about that.
>
> The 3.x series is completely different in terms of Ajax and the
> JavaScriptHandler. Essentially you have to map a servlet in web.xml and
> include a <script> tag with a src set to the URI of the servlet. The
> rest is 'magic'.
>
> If you have spare time, I'd be interested in your thoughts on the
> current user manual: http://www.owasp.org/index.php/CSRFGuard_3_User_Manual
>
> More specifically, would it help address your installation/configuration
> troubles below had it been available to you during your initial
> go-around? I'm hoping this thing can help alleviate such pains.
>
> -Eric
>
> On 3/22/11 10:32 AM, Sebastian wrote:
>> Hi Eric and Chris,
>>
>> some time ago I sent an email asking for some help to configure CSRF Guard
>> but there wasn't any reply.
>> I'm pasting the mail here:
>>
>> Hi,
>>
>> Some time ago I tried CSRF 2.2 and it worked well, but it didn't have AJAX
>> support, so I decided to just wait some time and see if a new release
>> was made with AJAX support.
>>
>> Now I'm trying CSRF Guard 3.0.0.503 and I found that it has AJAX support,
>> great! The problem is that I couldn't configure it like the 2.2 version.
>> In version 2.2 I just modified the configuration file like this:
>>
>> org.owasp.csrfguard.handler.JavaScriptHandler=org.owasp.csrfguard.handlers.JavaScriptHandler
>>
>> org.owasp.csrfguard.handler.JavaScriptHandler.SearchPattern=(?i)</body>
>> org.owasp.csrfguard.handler.JavaScriptHandler.ReplaceText=${update}\n</body>
>>
>>
>> Configuring the JavaScriptHandler was enough to get the CSRF protection
>> active and working well, but now I don't know how to configure
>> CSRF Guard across the whole application!
>>
>> Thanks!
>>
>> Sebastian
>>
>>
>>
>>
>> Eric Sheridan wrote:
>>> Chris - thanks for the heads up.
>>>
>>> Sebastian - can you let me know what problems you had? I'm trying to
>>> elevate CSRFGuard 3.0 to BETA, thus the need to eliminate bugs and
>>> improve usability.
>>>
>>> -Eric
>>>
>>> On 3/21/11 6:57 PM, Chris Schmidt wrote:
>>>> Hi Sebastian - I am curious as to what kinds of issues you
>>>> encountered when
>>>> trying to get CSRFGuard to work with JSF. I have also included Eric
>>>> Sheridan
>>>> on this email, the maintainer of the CSRFGuard project.
>>>>
>>>> -----Original Message-----
>>>> From: esapi-user-bounces at lists.owasp.org
>>>> [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Sebastian
>>>> Sent: Monday, March 21, 2011 8:00 AM
>>>> To: esapi-user at lists.owasp.org
>>>> Subject: [Esapi-user] CSRF JSF solutions
>>>>
>>>> Hi, some days ago I tried to configure CSRFGuard in a JSF project but I
>>>> couldn't do it successfully. So I found another solution here:
>>>> http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
>>>>
>>>> It is much simpler than CSRFGuard; it doesn't have advanced configuration
>>>> options, but it seems to work fine!!
>>>>
>>>> Cheers,
>>>> Sebastián
>>>> _______________________________________________
>>>> Esapi-user mailing list
>>>> Esapi-user at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/esapi-user
>>>>
>
>
>   
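The servlet mapping that Eric's reply above describes, written out as an added example for CSRFGuard 3.x; this is not code from the thread or from the CSRFGuard project. The servlet class is the one in Sebastian's stack trace; the listener and filter classes, the Owasp.CsrfGuard.Config parameter and the init-param names are assumptions taken from later 3.x user manuals and should be checked against the manual for 3.0.0.503, and the /JavaScriptServlet URL pattern and the WEB-INF file paths are constructed.

```xml
<!-- web.xml fragment (added example). Only the servlet class below comes from
     the thread; every other class and parameter name is an assumption to
     verify against the CSRFGuard manual for the version actually deployed. -->
<context-param>
    <param-name>Owasp.CsrfGuard.Config</param-name>
    <!-- constructed path to the CSRFGuard properties file -->
    <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
</context-param>

<!-- Loads the properties file at startup so CsrfGuard is initialised
     before the filter and the servlet use it. -->
<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>

<!-- Validates the per-session token on every request to the application. -->
<filter>
    <filter-name>CsrfGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CsrfGuard</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Serves the JavaScript that injects the token into forms and Ajax calls
     (servlet class taken from the stack trace in the thread). -->
<servlet>
    <servlet-name>JavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
    <init-param>
        <param-name>source-file</param-name>
        <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
    </init-param>
    <init-param>
        <param-name>inject-into-forms</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>inject-into-attributes</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>JavaScriptServlet</servlet-name>
    <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
```

Each JSF page then loads the script with `<script src="#{request.contextPath}/JavaScriptServlet"></script>`, where the path matches the servlet mapping above; this replaces the 2.2-style SearchPattern/ReplaceText injection into `</body>` that the quoted mail configured.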


