[Owasp-csrfguard] Anyone still on this list?

Jim Manico jim.manico at owasp.org
Mon Nov 1 11:13:58 EDT 2010

Thanks Cam. Nice suggestion. :)

Would you mind throwing this comment into the Google code tracker:


If you don't have a Google account, let me know, I'll toss it in there 
for you.

And thanks again for the offer to help. CSRFGuard really is a pretty 
amazing product - a little love will go a along way.


PS: Anyone else have outstanding issues they would like to see resolved? 
Any features you would like to see implemented? Please add your very 
wise thoughts to the CSRFGuard Google code issue tracker 
<http://code.google.com/p/owaspcsrfguard/updates/list> (In addition to 
sending thoughts to the elist here, discussion is good!)

> Fantastic.  Good luck with the refactor.  I'll help if needed.
> One thought off the top of my head is relating to the out bound
> re-writter.  Our development team was turned off to the outbound
> re-writter since we already have a re-writter, site-mesh, and we worried
> about performance in having two.  So one thought of improvement could be
> making siteMesh work with CSRFGuard to insert the Tokens.  I haven't put
> too much thought into it, just throwing it out there for consideration.
> - Cam
> On Mon, 2010-11-01 at 09:24 +0530, Jim Manico wrote:
>> I have great news!
>> Eric Sheridan, the original author of CSRGGuard, is stepping back into
>> the ring.
>>   From Eric this morning:
>>>   I have renewed energy to begin actively working on and maintaining
>> this project against, starting ASAP. There is a significant amount of
>> code refactoring that I will be doing (as I wrote most code over 2 yrs
>> ago) followed by a series of usability and bug update
>> I'll help some as well.
>> Can you think of anything that needs to be done to make CSRFGuard a more
>> production quality product? Do we need more documentation? Should we get
>> this project into SonaType/Maven? What else should we do to make
>> CSRFGuard the best CSRF defense project on the planet? :)
>> Please let us know here on the list, or add a new entry to the CSRFGuard
>> code repository at
>> Aloha and thanks all,
>> Jim
>>> I would love to see the project keep going, and I am willing to take the
>>> lead on it if needed.
>>> To use CSRFGuard at partnet we needed to have the tokens shared across
>>> multiple webapps deployed on the same server.  The changes we submitted
>>> have not been included in any release.  Our changes optionally store the
>>> CSRF tokens on the subject with a JAAS login module.  It also adds a
>>> interface for different token generating strategies, since we weren't
>>> happy with the existing strategy.  Here is a link to more details
>>> (https://lists.owasp.org/pipermail/owasp-csrfguard/2009-August/000002.html)
>>> For our non-struts2 projects we use CSRFGuard (our custom build of it) but
>>> we built a struts2 solution that works with CSRFGuard projects. For
>>> struts2 projects we built an interceptor that enforces the token.  The
>>> nice thing about the interceptor is we can annotate the actions as needing
>>> forgery protection or not (it can be either black-list or white-list).  We
>>> also changed the jsp side so that struts tags add the tokens for forms and
>>> links and buttons and so on.  If people our interested in our struts2
>>> solution I'm sure I could get approval to contribute this to owasp (or
>>> struts2).
>>> - Cam
>>>> Why thank you for that kind comment, the podcast is a labor of love :)
>>>> Have your submitted changes to CSRF guard been approved?
>>>> Do you have any interest in taking lead on the CSRF Guard project,
>>>> Cameron? It should not take up much of your time once we get back to
>>>> production quality, I'll help, It's high visibility, it's in deep need of
>>>> fine-tuning, and may do great things for your career.
>>>> Thanks again, and let us know if you are interested!
>>>> - Jim
>>>> -----Original Message-----
>>>> From: Cameron Morris [mailto:cmorris at part.net]
>>>> Sent: Friday, October 29, 2010 9:08 PM
>>>> To: Owasp-csrfguard at lists.owasp.org; Jim Manico
>>>> Subject: RE: [Owasp-csrfguard] Anyone still on this list?
>>>> Howdy Mr. Manico.
>>>> I love the podcast.  Keep up the good work.
>>>> I'm still on this.  I submitted some changes to CSRFGuard about a year
>>>> ago and stayed on the list to hear about new releases and changes.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20101101/2508a984/attachment.html 

More information about the Owasp-csrfguard mailing list