[Owasp-csrfguard] Anyone still on this list?

Cameron Morris cmorris at part.net
Mon Nov 1 10:36:48 EDT 2010


Fantastic.  Good luck with the refactor.  I'll help if needed.

One thought off the top of my head relates to the outbound
re-writer.  Our development team was turned off by the outbound
re-writer since we already have a re-writer, SiteMesh, and we worried
about performance in having two.  So one thought of improvement could be
making SiteMesh work with CSRFGuard to insert the tokens.  I haven't put
too much thought into it, just throwing it out there for consideration.

- Cam

On Mon, 2010-11-01 at 09:24 +0530, Jim Manico wrote:
> I have great news!
> 
> Eric Sheridan, the original author of CSRFGuard, is stepping back into 
> the ring.
> 
>  From Eric this morning:
> 
> >  I have renewed energy to begin actively working on and maintaining 
> this project again, starting ASAP. There is a significant amount of 
> code refactoring that I will be doing (as I wrote most code over 2 yrs 
> ago) followed by a series of usability and bug update
> 
> I'll help some as well.
> 
> Can you think of anything that needs to be done to make CSRFGuard a more 
> production quality product? Do we need more documentation? Should we get 
> this project into SonaType/Maven? What else should we do to make 
> CSRFGuard the best CSRF defense project on the planet? :)
> 
> Please let us know here on the list, or add a new entry to the CSRFGuard 
> code repository at 
> 
> Aloha and thanks all,
> Jim
> 
> > I would love to see the project keep going, and I am willing to take the
> > lead on it if needed.
> >
> > To use CSRFGuard at partnet we needed to have the tokens shared across
> > multiple webapps deployed on the same server.  The changes we submitted
> > have not been included in any release.  Our changes optionally store the
> > CSRF tokens on the subject with a JAAS login module.  It also adds an
> > interface for different token generating strategies, since we weren't
> > happy with the existing strategy.  Here is a link to more details
> > (https://lists.owasp.org/pipermail/owasp-csrfguard/2009-August/000002.html)
> >
> > For our non-struts2 projects we use CSRFGuard (our custom build of it) but
> > we built a struts2 solution that works with CSRFGuard projects. For
> > struts2 projects we built an interceptor that enforces the token.  The
> > nice thing about the interceptor is we can annotate the actions as needing
> > forgery protection or not (it can be either black-list or white-list).  We
> > also changed the jsp side so that struts tags add the tokens for forms and
> > links and buttons and so on.  If people are interested in our struts2
> > solution I'm sure I could get approval to contribute this to owasp (or
> > struts2).
> >
> > - Cam
> >
> >> Why thank you for that kind comment, the podcast is a labor of love :)
> >>
> >> Have your submitted changes to CSRF guard been approved?
> >>
> >> Do you have any interest in taking lead on the CSRF Guard project,
> >> Cameron? It should not take up much of your time once we get back to
> >> production quality.  I'll help.  It's high visibility, it's in deep need of
> >> fine-tuning, and may do great things for your career.
> >>
> >> Thanks again, and let us know if you are interested!
> >>
> >> - Jim
> >>
> >> -----Original Message-----
> >> From: Cameron Morris [mailto:cmorris at part.net]
> >> Sent: Friday, October 29, 2010 9:08 PM
> >> To: Owasp-csrfguard at lists.owasp.org; Jim Manico
> >> Subject: RE: [Owasp-csrfguard] Anyone still on this list?
> >>
> >> Howdy Mr. Manico.
> >>
> >> I love the podcast.  Keep up the good work.
> >>
> >> I'm still on this.  I submitted some changes to CSRFGuard about a year
> >> ago and stayed on the list to hear about new releases and changes.
> >>