[Owasp-csrfguard] CSRFGuard Additions

cam cmorris at part.net
Tue Jun 16 13:20:19 EDT 2009


Hello CSRFGuard Folks,

My company, PartNet, has been evaluating different CSRF prevention tools
and settled on building our own.  But, as we've been designing and
coding it, we've had interoperability with CSRFGuard in mind.  PartNet
just gave permission to donate any work on this tool to OWASP so I'd
like to discuss the merits of the contribution and design with you.

What it is:
Most of this includes integration with the struts2 framework, a struts2
interceptor, struts2 theme, and a struts2 URL tag.  The only part that
isn't struts-related is a JAAS login method.

JAAS Login Method:
One problem we faced in using CSRFGuard is a user session was not shared
across multiple applications.  We wanted CSRF protection on all the
applications deployed including links between them.  Since we use
container-managed authentication, and have our own JAAS login methods,
we built an additional login method to generate a CSRF token and store
it on the Subject.  This subject is provided to all applications even
when the user's session is unique for each application.

We modified the code that generates a token to instead use a token
generation strategy.  In addition to the default strategy, we created a
strategy that will pull the token off of the subject and provide it
instead of creating a new one.  We then made the login module use the
default strategy.

Struts2 Interceptor:
Instead of the CSRFGuard filter, the enforcement is done in a struts2
interceptor.  The main difference is the configuration is based on
annotations instead of configuration (not that one is better, some
prefer annotations).

Struts2 Theme:
Instead of re-writing the outgoing web-pages we changed the struts2
themes to include tokens in links and forms.

Struts2 URL tag:
Instead of using the jsp tags to insert tokens in custom javascript, we
found that most, if not all, of our custom javascript uses URLs built by
the struts2 URL tag.  So we built an extension of the tag to include the
token.

Interoperability:
The goal is to make the CSRFGuard filter and the struts2 interceptor
interchangeable.  In other words, the CSRFGuard re-writer would work
with the struts2 interceptor, or the CSRFGuard filter would work with
the struts2 theme.

I have a more detailed design doc.  But I wanted to get something out
here to measure any interest in this project.  Please let me know what
you think.

Cameron Morris, 
Software Security Specialist 
PartNet
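The token-generation-strategy idea from the post, as an added illustration that is not part of the original message and not PartNet's or CSRFGuard's code. It assumes hypothetical names (TokenGenerationStrategy, DefaultTokenStrategy, SubjectTokenStrategy, CsrfTokenCredential, attachTokenOnLogin, tokenMatches) and shows the part of the design the post describes: a JAAS login module creates a token with the default strategy and stores it on the Subject, and a second strategy reads that token back so every application sharing the Subject enforces against the same value even though each has its own session.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.security.auth.Subject;

public final class CsrfTokenStrategies {

    /** Hypothetical abstraction: where the expected token for a request comes from. */
    public interface TokenGenerationStrategy {
        String obtainToken(Subject subject);
    }

    /** Credential object the login module attaches to the Subject (hypothetical type). */
    public static final class CsrfTokenCredential {
        private final String token;
        public CsrfTokenCredential(String token) { this.token = token; }
        public String getToken() { return token; }
    }

    /** Default strategy: a fresh 256-bit token from SecureRandom, base64url without padding. */
    public static final class DefaultTokenStrategy implements TokenGenerationStrategy {
        private static final SecureRandom RNG = new SecureRandom();
        public String obtainToken(Subject ignored) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        }
    }

    /** Subject strategy: reuse the token already on the Subject; fall back to a new one if absent. */
    public static final class SubjectTokenStrategy implements TokenGenerationStrategy {
        private final TokenGenerationStrategy fallback = new DefaultTokenStrategy();
        public String obtainToken(Subject subject) {
            if (subject != null) {
                Set<CsrfTokenCredential> creds = subject.getPublicCredentials(CsrfTokenCredential.class);
                for (CsrfTokenCredential c : creds) {
                    return c.getToken();  // first credential wins; the login module stores one
                }
            }
            return fallback.obtainToken(subject);
        }
    }

    /** What the login module's commit() does in this design: generate with the default strategy, store on the Subject. */
    public static void attachTokenOnLogin(Subject subject) {
        String token = new DefaultTokenStrategy().obtainToken(subject);
        subject.getPublicCredentials().add(new CsrfTokenCredential(token));
    }

    /** Constant-time comparison for the interceptor or filter that checks the submitted token. */
    public static boolean tokenMatches(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed demo: one Subject shared by two applications with separate sessions.
        Subject subject = new Subject();
        attachTokenOnLogin(subject);
        TokenGenerationStrategy strategy = new SubjectTokenStrategy();
        String tokenSeenByAppA = strategy.obtainToken(subject);
        String tokenSeenByAppB = strategy.obtainToken(subject);
        System.out.println("same token across applications: " + tokenSeenByAppA.equals(tokenSeenByAppB));
        System.out.println("cross-application link verifies: " + tokenMatches(tokenSeenByAppA, tokenSeenByAppB));
        System.out.println("tampered token rejected: " + tokenMatches(tokenSeenByAppA, tokenSeenByAppB + "x"));
    }
}
```

The credential sits in the Subject's public credential set here for simplicity; under a SecurityManager the private credential set adds a PrivateCredentialPermission check on read, which is the stricter place for a value that must stay secret from other code in the container. The comparison uses MessageDigest.isEqual rather than String.equals so the enforcement point does not leak how many leading characters of a guessed token matched.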


