[Owasp-csrfguard] Anyone still on this list?
cmorris at part.net
Mon Nov 1 10:36:48 EDT 2010
Fantastic. Good luck with the refactor. I'll help if needed.
One thought off the top of my head is relating to the outbound
re-writer. Our development team was turned off to the outbound
re-writer since we already have a re-writer, SiteMesh, and we worried
about performance in having two. So one thought of improvement could be
making SiteMesh work with CSRFGuard to insert the tokens. I haven't put
too much thought into it, just throwing it out there for consideration.
On Mon, 2010-11-01 at 09:24 +0530, Jim Manico wrote:
> I have great news!
> Eric Sheridan, the original author of CSRFGuard, is stepping back into
> the ring.
> From Eric this morning:
> > I have renewed energy to begin actively working on and maintaining
> this project again, starting ASAP. There is a significant amount of
> code refactoring that I will be doing (as I wrote most code over 2 yrs
> ago) followed by a series of usability and bug update
> I'll help some as well.
> Can you think of anything that needs to be done to make CSRFGuard a more
> production quality product? Do we need more documentation? Should we get
> this project into SonaType/Maven? What else should we do to make
> CSRFGuard the best CSRF defense project on the planet? :)
> Please let us know here on the list, or add a new entry to the CSRFGuard
> code repository at
> Aloha and thanks all,
> > I would love to see the project keep going, and I am willing to take the
> > lead on it if needed.
> > To use CSRFGuard at partnet we needed to have the tokens shared across
> > multiple webapps deployed on the same server. The changes we submitted
> > have not been included in any release. Our changes optionally store the
> > CSRF tokens on the subject with a JAAS login module. It also adds an
> > interface for different token generating strategies, since we weren't
> > happy with the existing strategy. Here is a link to more details
> > (https://lists.owasp.org/pipermail/owasp-csrfguard/2009-August/000002.html)
> > For our non-struts2 projects we use CSRFGuard (our custom build of it) but
> > we built a struts2 solution that works with CSRFGuard projects. For
> > struts2 projects we built an interceptor that enforces the token. The
> > nice thing about the interceptor is we can annotate the actions as needing
> > forgery protection or not (it can be either black-list or white-list). We
> > also changed the jsp side so that struts tags add the tokens for forms and
> > links and buttons and so on. If people are interested in our struts2
> > solution I'm sure I could get approval to contribute this to owasp (or
> > struts2).
> > - Cam
> >> Why thank you for that kind comment, the podcast is a labor of love :)
> >> Have your submitted changes to CSRF guard been approved?
> >> Do you have any interest in taking lead on the CSRF Guard project,
> >> Cameron? It should not take up much of your time once we get back to
> >> production quality. I'll help. It's high visibility, it's in deep need of
> >> fine-tuning, and may do great things for your career.
> >> Thanks again, and let us know if you are interested!
> >> - Jim
> >> -----Original Message-----
> >> From: Cameron Morris [mailto:cmorris at part.net]
> >> Sent: Friday, October 29, 2010 9:08 PM
> >> To: Owasp-csrfguard at lists.owasp.org; Jim Manico
> >> Subject: RE: [Owasp-csrfguard] Anyone still on this list?
> >> Howdy Mr. Manico.
> >> I love the podcast. Keep up the good work.
> >> I'm still on this. I submitted some changes to CSRFGuard about a year
> >> ago and stayed on the list to hear about new releases and changes.
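The struts2 approach Cameron describes above (an interceptor that enforces the token, with actions annotated as needing protection or not, in either black-list or white-list mode, and a pluggable token-generating strategy) can be sketched as follows. This is an added illustration written for this archive page; it is not the partnet code, not part of CSRFGuard, and not code from anyone in the thread. The annotation names `CsrfProtected` and `CsrfExempt`, the `TokenStrategy` interface, the parameter name `OWASP_CSRFTOKEN`, the session key and the `csrfError` result name are all assumptions chosen for the example; the Struts2 and servlet classes imported are the real ones.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

/** Hypothetical marker: in white-list mode only actions carrying this are checked. */
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
@interface CsrfProtected {}

/** Hypothetical marker: in black-list mode every action is checked except these. */
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
@interface CsrfExempt {}

/** Hypothetical strategy interface so the token source can be swapped. */
interface TokenStrategy {
    String newToken();
}

/** Default strategy: 256 bits from SecureRandom, URL-safe base64 without padding. */
class SecureRandomTokenStrategy implements TokenStrategy {
    private final SecureRandom rng = new SecureRandom();
    public String newToken() {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
}

/** Interceptor that rejects requests to protected actions lacking the session's token. */
public class CsrfTokenInterceptor extends AbstractInterceptor {
    public static final String TOKEN_PARAM = "OWASP_CSRFTOKEN"; // assumed parameter name
    public static final String SESSION_KEY = "csrf.session.token"; // assumed session key

    private boolean whiteListMode = true; // configurable via struts.xml <param>
    private TokenStrategy strategy = new SecureRandomTokenStrategy();

    public void setWhiteListMode(boolean whiteListMode) { this.whiteListMode = whiteListMode; }
    public void setStrategy(TokenStrategy strategy) { this.strategy = strategy; }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest req = ServletActionContext.getRequest();
        HttpSession session = req.getSession(true);

        // One token per session; created lazily so the JSP tags can read it for forms/links.
        String expected = (String) session.getAttribute(SESSION_KEY);
        if (expected == null) {
            expected = strategy.newToken();
            session.setAttribute(SESSION_KEY, expected);
        }

        Class<?> actionClass = invocation.getAction().getClass();
        if (requiresCheck(actionClass) && !tokensMatch(expected, req.getParameter(TOKEN_PARAM))) {
            return "csrfError"; // assumed global result, mapped to an error page in struts.xml
        }
        return invocation.invoke();
    }

    /** White-list: only @CsrfProtected actions are checked. Black-list: all but @CsrfExempt. */
    boolean requiresCheck(Class<?> actionClass) {
        return whiteListMode
            ? actionClass.isAnnotationPresent(CsrfProtected.class)
            : !actionClass.isAnnotationPresent(CsrfExempt.class);
    }

    /** Constant-time comparison so a mismatch does not leak how many leading bytes matched. */
    static boolean tokensMatch(String expected, String presented) {
        if (presented == null) return false;
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

The interceptor would be registered in struts.xml and placed in the default stack ahead of the action; the `whiteListMode` flag decides whether an unannotated action is checked or skipped, which is the black-list/white-list choice from the message. It deliberately checks every HTTP method for a protected action rather than exempting GET, so an action that changes state on a GET is still covered; the token is compared with `MessageDigest.isEqual` rather than `String.equals` to avoid a timing side channel.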