[Owasp-csrfguard] First implementation of csrfguard getting errors.

Patrick Radtke pradtke at stanford.edu
Fri Aug 26 12:46:01 EDT 2011


What version are you using?
If you are building from github let me know the commit.

On 8/25/11 5:45 PM, Steve Dittmann wrote:
> Hello,
>
> This is my first attempt to implement csrfguard.
>
> I've added the Owasp.CsrfGuard.jar to the WEB-INF\lib and 
> the Owasp.CsrfGuard.properties to the WEB-INF folder.
>
> It also has been added to the classpath:
>
> CLASSPATH=;contrib.jar;;:\bea\WLSERV~1.0\common\eval\pointbase\lib\pbclient51.jar;C:\bea\WLSERV~1.0\server\lib\xqrl.jar;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\lib\com.ibm.mq.jar;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\prop\log4j.properties;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\lib\Owasp.CsrfGuard.jar;
>
> I'm receiving the below errors on my localhost when I attempt to 
> access the login page.
>
>
> Cutoff Date is Wed Aug 24 17:22:47 PDT 2011
> <Aug 25, 2011 5:23:10 PM PDT> <Warning> <HTTP> <BEA-101162> <User defined listener org.owasp.csrfguard.CsrfGuardListener failed: java.lang.RuntimeException: java.lang.NullPointerException.
> java.lang.RuntimeException: java.lang.NullPointerException
>         at org.owasp.csrfguard.CsrfGuardListener.newInstance(CsrfGuardListener.java:49)
>         at org.owasp.csrfguard.CsrfGuardListener.sessionCreated(CsrfGuardListener.java:24)
>         at weblogic.servlet.internal.EventsManager.notifySessionLifetimeEvent(EventsManager.java:257)
>         at weblogic.servlet.internal.session.MemorySessionData.<init>(MemorySessionData.java:10)
>         at weblogic.servlet.internal.session.MemorySessionContext.getNewSession(MemorySessionContext.java:28)
>         Truncated. see log file for complete stacktrace
> java.lang.NullPointerException
>         at java.io.File.<init>(File.java:194)
>         at org.owasp.csrfguard.CsrfGuardListener.getResourceStream(CsrfGuardListener.java:72)
>         at org.owasp.csrfguard.CsrfGuardListener.newInstance(CsrfGuardListener.java:46)
>         at org.owasp.csrfguard.CsrfGuardListener.sessionCreated(CsrfGuardListener.java:24)
>         at weblogic.servlet.internal.EventsManager.notifySessionLifetimeEvent(EventsManager.java:257)
>         Truncated. see log file for complete stacktrace
> >
> <Aug 25, 2011 5:23:10 PM PDT> <Error> <HTTP> <BEA-101020> <[weblogic.servlet.internal.WebAppServletContext@19de9c9 - Servlet failed with Exception
> java.lang.NullPointerException
>         at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:53)
>         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
>         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
>         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
>         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
>         Truncated. see log file for complete stacktrace
>
>
> Below is the Web.xml:
>
> <web-app>
> <display-name>SDDWeb</display-name>
> <context-param>
> <param-name>Owasp.CsrfGuard.Config</param-name>
> <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
> </context-param>
> <context-param>
> <param-name>Owasp.CsrfGuard.Config.Print</param-name>
> <param-value>true</param-value>
> </context-param>
> <listener>
> <listener-class>org.owasp.csrfguard.CsrfGuardListener</listener-class>
> </listener>
>
>
> <filter>
> <filter-name>CSRFGuard</filter-name>
> <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> </filter>
> <filter-mapping>
> <filter-name>CSRFGuard</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
>
>
> <filter>
> <filter-name>SessionFilter</filter-name>
> <filter-class>com.sig.sdd.ui.utils.SddSessionFilter</filter-class>
> <init-param>
> <param-name>findSessionAttribute</param-name>
> <param-value>user</param-value>
> </init-param>
> <init-param>
> <param-name>message</param-name>
> <param-value>error.session.expired</param-value>
> </init-param>
> <init-param>
> <param-name>notFoundFoward</param-name>
> <param-value>/sdd.do</param-value>
> </init-param>
> </filter>
> <filter-mapping>
> <filter-name>SessionFilter</filter-name>
> <url-pattern>*.jsp</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>SessionFilter</filter-name>
> <url-pattern>*.do</url-pattern>
> </filter-mapping>
> <listener>
> <listener-class>
>              com.sig.sdd.ui.utils.ReceiptListener
> </listener-class>
> </listener>
> <listener>
> <listener-class>com.sig.sdd.ui.utils.DynaContentInitListener</listener-class>
> </listener>
> <servlet>
> <servlet-name>action</servlet-name>
> <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
> <init-param>
> <param-name>config</param-name>
> <param-value>/WEB-INF/struts-config.xml</param-value>
> </init-param>
> <load-on-startup>1</load-on-startup>
> </servlet>
> <!-- Action Servlet Mapping -->
> <servlet-mapping>
> <servlet-name>action</servlet-name>
> <url-pattern>*.do</url-pattern>
> </servlet-mapping>
> <servlet>
> <servlet-name>AddressBook</servlet-name>
> <servlet-class>com.eXtropia.app.servlet.ExtropiaServlet</servlet-class>
> <init-param>
> <param-name>ConfigFile</param-name>
> <param-value>/WEB-INF/addressbook.xml</param-value>
> </init-param>
> <init-param>
> <param-name>Reloadable</param-name>
> <param-value>true</param-value>
> </init-param>
> <display-name>AddressBook</display-name>
> </servlet>
> <servlet-mapping>
> <servlet-name>AddressBook</servlet-name>
> <url-pattern>AddressBook</url-pattern>
> </servlet-mapping>
> <servlet>
> <servlet-name>JavaScriptServlet</servlet-name>
> <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> <init-param>
> <param-name>source-file</param-name>
> <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
> </init-param>
> <init-param>
> <param-name>inject-into-forms</param-name>
> <param-value>true</param-value>
> </init-param>
> <init-param>
> <param-name>inject-into-attributes</param-name>
> <param-value>true</param-value>
> </init-param>
> <init-param>
> <param-name>domain-strict</param-name>
> <param-value>false</param-value>
> </init-param>
> <init-param>
> <param-name>referer-pattern</param-name>
> <param-value>.*localhost.*</param-value>
> </init-param>
> </servlet>
>
> <servlet-mapping>
> <servlet-name>JavaScriptServlet</servlet-name>
> <url-pattern>/JavaScriptServlet</url-pattern>
> </servlet-mapping>
> <!-- The Welcome File List -->
> <welcome-file-list>
> <welcome-file>index.jsp</welcome-file>
> </welcome-file-list>
> <!-- Application Tag Library Descriptor -->
> <taglib>
> <taglib-uri>/WEB-INF/app.tld</taglib-uri>
> <taglib-location>/WEB-INF/app.tld</taglib-location>
> </taglib>
> <!-- Struts Tag Library Descriptors -->
> <taglib>
> <taglib-uri>/WEB-INF/struts-bean.tld</taglib-uri>
> <taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
> </taglib>
> <taglib>
> <taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
> <taglib-location>/WEB-INF/struts-html.tld</taglib-location>
> </taglib>
> <taglib>
> <taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
> <taglib-location>/WEB-INF/struts-logic.tld</taglib-location>
> </taglib>
>
> <taglib>
> <taglib-uri>/view-taglib</taglib-uri>
> <taglib-location>/WEB-INF/view.tld</taglib-location>
> </taglib>
> <taglib>
> <taglib-uri>/webdb-taglib</taglib-uri>
> <taglib-location>/WEB-INF/webdb.tld</taglib-location>
> </taglib>
> <taglib>
> <taglib-uri>/auth-taglib</taglib-uri>
> <taglib-location>/WEB-INF/auth.tld</taglib-location>
> </taglib>
>
> <session-config>
> <session-timeout>30</session-timeout>
> </session-config>
> <error-page>
> <error-code>404</error-code>
> <location>error.jsp</location>
> </error-page>
> <error-page>
> <error-code>500</error-code>
> <location>error.jsp</location>
> </error-page>
> </web-app>
>
>
> Any ideas?
>
> Thanks in advance.
>
> Steve