[Owasp-csrfguard] First implementation of csrfguard getting errors.

Steve Dittmann sdittm1 at gmail.com
Thu Aug 25 20:45:45 EDT 2011


Hello,

This is my first attempt to implement csrfguard.

I've added the Owasp.CsrfGuard.jar to the WEB-INF\lib and
the Owasp.CsrfGuard.properties to the WEB-INF folder.

It also has been added to the classpath:

CLASSPATH=;contrib.jar;;:\bea\WLSERV~1.0\common\eval\pointbase\lib\pbclient51.jar;C:\bea\WLSERV~1.0\server\lib\xqrl.jar;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\lib\com.ibm.mq.jar;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\prop\log4j.properties;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\lib\Owasp.CsrfGuard.jar;

I'm receiving the below errors on my localhost when I attempt to access the
login page.


Cutoff Date is Wed Aug 24 17:22:47 PDT 2011
<Aug 25, 2011 5:23:10 PM PDT> <Warning> <HTTP> <BEA-101162> <User defined listener org.owasp.csrfguard.CsrfGuardListener failed: java.lang.RuntimeException: java.lang.NullPointerException.
java.lang.RuntimeException: java.lang.NullPointerException
        at org.owasp.csrfguard.CsrfGuardListener.newInstance(CsrfGuardListener.java:49)
        at org.owasp.csrfguard.CsrfGuardListener.sessionCreated(CsrfGuardListener.java:24)
        at weblogic.servlet.internal.EventsManager.notifySessionLifetimeEvent(EventsManager.java:257)
        at weblogic.servlet.internal.session.MemorySessionData.<init>(MemorySessionData.java:10)
        at weblogic.servlet.internal.session.MemorySessionContext.getNewSession(MemorySessionContext.java:28)
        Truncated. see log file for complete stacktrace
java.lang.NullPointerException
        at java.io.File.<init>(File.java:194)
        at org.owasp.csrfguard.CsrfGuardListener.getResourceStream(CsrfGuardListener.java:72)
        at org.owasp.csrfguard.CsrfGuardListener.newInstance(CsrfGuardListener.java:46)
        at org.owasp.csrfguard.CsrfGuardListener.sessionCreated(CsrfGuardListener.java:24)
        at weblogic.servlet.internal.EventsManager.notifySessionLifetimeEvent(EventsManager.java:257)
        Truncated. see log file for complete stacktrace
>
<Aug 25, 2011 5:23:10 PM PDT> <Error> <HTTP> <BEA-101020> <[weblogic.servlet.internal.WebAppServletContext at 19de9c9 - Servlet failed with Exception
java.lang.NullPointerException
        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:53)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(Unknown Source)
        Truncated. see log file for complete stacktrace


Below is the Web.xml:

<web-app>
  <display-name>SDDWeb</display-name>
  <context-param>
    <param-name>Owasp.CsrfGuard.Config</param-name>
    <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
  </context-param>
  <context-param>
    <param-name>Owasp.CsrfGuard.Config.Print</param-name>
    <param-value>true</param-value>
  </context-param>
  <listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardListener</listener-class>
  </listener>

  <filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>com.sig.sdd.ui.utils.SddSessionFilter</filter-class>
    <init-param>
      <param-name>findSessionAttribute</param-name>
      <param-value>user</param-value>
    </init-param>
    <init-param>
      <param-name>message</param-name>
      <param-value>error.session.expired</param-value>
    </init-param>
    <init-param>
      <param-name>notFoundFoward</param-name>
      <param-value>/sdd.do</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <url-pattern>*.do</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>
      com.sig.sdd.ui.utils.ReceiptListener
    </listener-class>
  </listener>
  <listener>
    <listener-class>com.sig.sdd.ui.utils.DynaContentInitListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- Action Servlet Mapping -->
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>AddressBook</servlet-name>
    <servlet-class>com.eXtropia.app.servlet.ExtropiaServlet</servlet-class>
    <init-param>
      <param-name>ConfigFile</param-name>
      <param-value>/WEB-INF/addressbook.xml</param-value>
    </init-param>
    <init-param>
      <param-name>Reloadable</param-name>
      <param-value>true</param-value>
    </init-param>
    <display-name>AddressBook</display-name>
  </servlet>

  <servlet-mapping>
    <servlet-name>AddressBook</servlet-name>
    <url-pattern>AddressBook</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>JavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
    <init-param>
      <param-name>source-file</param-name>
      <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
    </init-param>
    <init-param>
      <param-name>inject-into-forms</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>inject-into-attributes</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>domain-strict</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>referer-pattern</param-name>
      <param-value>.*localhost.*</param-value>
    </init-param>
  </servlet>

  <servlet-mapping>
    <servlet-name>JavaScriptServlet</servlet-name>
    <url-pattern>/JavaScriptServlet</url-pattern>
  </servlet-mapping>

  <!-- The Welcome File List -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Application Tag Library Descriptor -->
  <taglib>
    <taglib-uri>/WEB-INF/app.tld</taglib-uri>
    <taglib-location>/WEB-INF/app.tld</taglib-location>
  </taglib>

  <!-- Struts Tag Library Descriptors -->
  <taglib>
    <taglib-uri>/WEB-INF/struts-bean.tld</taglib-uri>
    <taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
  </taglib>

  <taglib>
    <taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
    <taglib-location>/WEB-INF/struts-html.tld</taglib-location>
  </taglib>

  <taglib>
    <taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
    <taglib-location>/WEB-INF/struts-logic.tld</taglib-location>
  </taglib>

  <taglib>
    <taglib-uri>/view-taglib</taglib-uri>
    <taglib-location>/WEB-INF/view.tld</taglib-location>
  </taglib>

  <taglib>
    <taglib-uri>/webdb-taglib</taglib-uri>
    <taglib-location>/WEB-INF/webdb.tld</taglib-location>
  </taglib>

  <taglib>
    <taglib-uri>/auth-taglib</taglib-uri>
    <taglib-location>/WEB-INF/auth.tld</taglib-location>
  </taglib>

  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <error-page>
    <error-code>404</error-code>
    <location>error.jsp</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>error.jsp</location>
  </error-page>
</web-app>


Any ideas?

Thanks in advance.

Steve