[Esapi-user] CSRF JSF solutions

Eric Sheridan eric.sheridan at owasp.org
Fri Mar 25 11:19:57 EDT 2011


Been integrating several updates to the code base this week, so line
numbers are certainly off. Doesn't help that GitHub is out of sync with
local repo either. It looks like the CSRFGuard object is null in the
session, which only happens (per my experience) if the context listener
was not defined or if you are restarting the server and it attempts to
load a previously serialized session (csrfguard was not marked
serializable and it was lost in active sessions during restart). I have
code in place to fix the serialization problem. So that leaves the
context listener - did you define the context listener in web.xml?

-Eric

On 3/22/11 12:04 PM, Sebastian wrote:
> Eric, thanks for the reply!
> I configured everything as you recommended, but when I try to access any
> page I'm getting this error:
> 
> 12:47:18,848 ERROR [[JavaScriptServlet]] Servlet.service() para servlet JavaScriptServlet lanzó excepción
> java.lang.NullPointerException
>    at org.owasp.csrfguard.servlet.JavaScriptServlet.writeJavaScript(JavaScriptServlet.java:146)
>    at org.owasp.csrfguard.servlet.JavaScriptServlet.doGet(JavaScriptServlet.java:97)
>    at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
>    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
>    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
>    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
>    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
>    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
>    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
>    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
>    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
>    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
>    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
>    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>    at java.lang.Thread.run(Thread.java:619)
> 
> I downloaded the source code (CSRF Guard 3.0.0.503):
> 
> private void writeJavaScript(HttpServletRequest request, HttpServletResponse response) throws IOException {
>         HttpSession session = request.getSession(true);    // --> line 21
> 
> So I guess that the source code doesn't match the binary, because on
> that line there isn't a possible null pointer exception.
> 
> What can I do to solve it?
> 
> Thanks!
> Sebastián
> 
> Eric Sheridan wrote:
>> Sebastian,
>>
>> Not sure why you didn't get a reply. While I was admittedly poor at
>> responses with the 2.x release, I have been better with the 3.x series.
>> Sorry about that.
>>
>> The 3.x series is completely different in terms of Ajax and the
>> JavaScriptHandler. Essentially you have to map a servlet in web.xml and
>> include a <script> tag with a src set to the URI of the servlet. The
>> rest is 'magic'.
>>
>> If you have spare time, I'd be interested in your thoughts on the
>> current user manual:
>> http://www.owasp.org/index.php/CSRFGuard_3_User_Manual
>>
>> More specifically, would it help address your installation/configuration
>> troubles below had it been available to you during your initial
>> go-around? I'm hoping this thing can help alleviate such pains.
>>
>> -Eric
>>
>> On 3/22/11 10:32 AM, Sebastian wrote:
>>
>>> Hi Eric and Chris,
>>>
>>> Some time ago I sent an email asking for some help to configure CSRF Guard,
>>> but there wasn't any reply.
>>> I'm pasting the mail here:
>>>
>>> Hi,
>>>
>>> Some time ago I tried CSRF 2.2 and it worked well, but it didn't have AJAX
>>> support, so I decided to just wait some time and see if a new release
>>> was done with AJAX support.
>>>
>>> Now I'm trying CSRF Guard 3.0.0.503 and I found that it has AJAX support,
>>> great! The problem is that I couldn't configure it like the 2.2 version.
>>> In version 2.2 I just modified the configuration file like this:
>>>
>>> org.owasp.csrfguard.handler.JavaScriptHandler=org.owasp.csrfguard.handlers.JavaScriptHandler
>>> org.owasp.csrfguard.handler.JavaScriptHandler.SearchPattern=(?i)</body>
>>> org.owasp.csrfguard.handler.JavaScriptHandler.ReplaceText=${update}\n</body>
>>>
>>> Configuring the JavaScriptHandler was enough to get the CSRF protection
>>> active and working well, but now I don't know how to configure
>>> CSRF Guard across the whole application!
>>>
>>> Thanks!
>>>
>>> Sebastian
>>>
>>>
>>>
>>>
>>> Eric Sheridan wrote:
>>>
>>>> Chris - thanks for the heads up.
>>>>
>>>> Sebastian - can you let me know what problems you had? I'm trying to
>>>> elevate CSRFGuard 3.0 to BETA, thus the need to eliminate bugs and
>>>> improve usability.
>>>>
>>>> -Eric
>>>>
>>>> On 3/21/11 6:57 PM, Chris Schmidt wrote:
>>>>
>>>>> Hi Sebastian - I am curious as to what kinds of issues you encountered
>>>>> when trying to get CSRFGuard to work with JSF. I have also included
>>>>> Eric Sheridan on this email, the maintainer of the CSRFGuard project.
>>>>>
>>>>> -----Original Message-----
>>>>> From: esapi-user-bounces at lists.owasp.org
>>>>> [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Sebastian
>>>>> Sent: Monday, March 21, 2011 8:00 AM
>>>>> To: esapi-user at lists.owasp.org
>>>>> Subject: [Esapi-user] CSRF JSF solutions
>>>>>
>>>>> Hi, some days ago I tried to configure CSRFGuard in a JSF project,
>>>>> but I couldn't do it successfully. So I found another solution here:
>>>>> http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
>>>>>
>>>>> It is much simpler than CSRFGuard; it doesn't have advanced
>>>>> configuration options, but it seems to work fine!!
>>>>>
>>>>> Cheers,
>>>>> Sebastián
>>>>> _______________________________________________
>>>>> Esapi-user mailing list
>>>>> Esapi-user at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/esapi-user
>>>>>
>>
>>
>>
> 
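A check for the deployment-descriptor side of Eric's diagnosis (the CSRFGuard object is null in the session when the context listener is not defined in web.xml, and the <script src> only works when JavaScriptServlet is mapped), as an added example that is not part of this thread or of the CSRFGuard project: it parses a web.xml and reports which CSRFGuard 3.x entries are absent before the NullPointerException above is hit. The listener class name and the embedded sample descriptor are assumptions based on the 3.x distribution; only org.owasp.csrfguard.servlet.JavaScriptServlet is taken from the stack trace.

```python
import xml.etree.ElementTree as ET
# Entries CSRFGuard 3.x needs in web.xml. Only JavaScriptServlet appears in
# the thread's stack trace; the listener class name is assumed here.
REQUIRED = {
    "listener-class": "org.owasp.csrfguard.CsrfGuardServletContextListener",
    "servlet-class": "org.owasp.csrfguard.servlet.JavaScriptServlet",
}

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]

def _child_text(parent, name):
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def missing_csrfguard_entries(web_xml_text):
    """Return which REQUIRED entries web.xml lacks; also 'servlet-mapping'
    when JavaScriptServlet is declared but not mapped to any URL pattern."""
    root = ET.fromstring(web_xml_text)
    declared = {}
    for el in root.iter():
        declared.setdefault(_local(el.tag), set()).add((el.text or "").strip())
    missing = [k for k, cls in REQUIRED.items() if cls not in declared.get(k, set())]
    servlets = [s for s in root.iter() if _local(s.tag) == "servlet"]
    js_names = {_child_text(s, "servlet-name") for s in servlets
                if _child_text(s, "servlet-class") == REQUIRED["servlet-class"]}
    mapped = {_child_text(m, "servlet-name") for m in root.iter()
              if _local(m.tag) == "servlet-mapping"}
    if js_names and not (js_names & mapped):
        missing.append("servlet-mapping")
    return missing

# Constructed sample descriptor (not from the thread) in the layout the
# checker expects; the <script src> URI must match the url-pattern below.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>JavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>JavaScriptServlet</servlet-name>
    <url-pattern>/JavaScriptServlet</url-pattern>
  </servlet-mapping>
</web-app>"""
```

Running missing_csrfguard_entries over the real descriptor before deployment turns the null-session symptom into a named missing entry; an empty list means the listener and servlet are declared and the servlet is mapped.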


