[Owasp-csrfguard] Owasp-csrfguard Digest, Vol 14, Issue 8

Steve Dittmann sdittm1 at gmail.com
Mon Aug 29 15:00:09 EDT 2011


Any ideas?

Thanks.
On Aug 26, 2011 9:55 AM, "Steve Dittmann" <sdittm1 at gmail.com> wrote:
> Hi Patrick,
>
> I used the download from
> https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
>
> Downloads
>
> OWASP CSRFGuard 3.0.0.503 (ALPHA)
> <https://github.com/downloads/esheri3/OWASP-CSRFGuard/Owasp-CsrfGuard-3.0.0.503.tar.gz>
> - download the latest development release with binary and associated
> configuration files *(recommended)*.
>
> Steve
>
>
> On Fri, Aug 26, 2011 at 9:46 AM, <owasp-csrfguard-request at lists.owasp.org> wrote:
>
>> Today's Topics:
>>
>> 1. Re: First implementation of csrfguard getting errors.
>> (Patrick Radtke)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Fri, 26 Aug 2011 09:46:01 -0700
>> From: Patrick Radtke <pradtke at stanford.edu>
>> Subject: Re: [Owasp-csrfguard] First implementation of csrfguard
>> getting errors.
>> To: owasp-csrfguard at lists.owasp.org
>> Message-ID: <4E57CDC9.9080203 at stanford.edu>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> What version are you using?
>> If you are building from github let me know the commit.
>>
>> On 8/25/11 5:45 PM, Steve Dittmann wrote:
>> > Hello,
>> >
>> > This is my first attempt to implement csrfguard.
>> >
>> > I've added the Owasp.CsrfGuard.jar to the WEB-INF\lib and
>> > the Owasp.CsrfGuard.properties to the WEB-INF folder.
>> >
>> > It also has been added to the classpath:
>> >
>> > CLASSPATH=;contrib.jar;;:\bea\WLSERV~1.0\common\eval\pointbase\lib\pbclient51.jar;C:\bea\WLSERV~1.0\server\lib\xqrl.jar;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\lib\com.ibm.mq.jar;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\prop\log4j.properties;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\lib\Owasp.CsrfGuard.jar;
>> >
>> > I'm receiving the below errors on my localhost when I attempt to
>> > access the login page.
>> >
>> >
>> > Cutoff Date is Wed Aug 24 17:22:47 PDT 2011
>> > <Aug 25, 2011 5:23:10 PM PDT> <Warning> <HTTP> <BEA-101162> <User
>> > defined listener org.owasp.csrfguard.CsrfGuardListener failed:
>> > java.lang.RuntimeException: java.lang.NullPointerException.
>> > java.lang.RuntimeException: java.lang.NullPointerException
>> >     at org.owasp.csrfguard.CsrfGuardListener.newInstance(CsrfGuardListener.java:49)
>> >     at org.owasp.csrfguard.CsrfGuardListener.sessionCreated(CsrfGuardListener.java:24)
>> >     at weblogic.servlet.internal.EventsManager.notifySessionLifetimeEvent(EventsManager.java:257)
>> >     at weblogic.servlet.internal.session.MemorySessionData.<init>(MemorySessionData.java:10)
>> >     at weblogic.servlet.internal.session.MemorySessionContext.getNewSession(MemorySessionContext.java:28)
>> > Truncated. see log file for complete stacktrace
>> > java.lang.NullPointerException
>> >     at java.io.File.<init>(File.java:194)
>> >     at org.owasp.csrfguard.CsrfGuardListener.getResourceStream(CsrfGuardListener.java:72)
>> >     at org.owasp.csrfguard.CsrfGuardListener.newInstance(CsrfGuardListener.java:46)
>> >     at org.owasp.csrfguard.CsrfGuardListener.sessionCreated(CsrfGuardListener.java:24)
>> >     at weblogic.servlet.internal.EventsManager.notifySessionLifetimeEvent(EventsManager.java:257)
>> > Truncated. see log file for complete stacktrace
>> > >
>> > <Aug 25, 2011 5:23:10 PM PDT> <Error> <HTTP> <BEA-101020>
>> > <[weblogic.servlet.internal.WebAppServletContext at 19de9c9 - Servlet
>> > failed with Exception
>> > java.lang.NullPointerException
>> >     at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:53)
>> >     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
>> >     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
>> >     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
>> >     at weblogic.security.service.SecurityManager.runAs(Unknown Source)
>> > Truncated. see log file for complete stacktrace
>> >
>> >
>> > Below is the Web.xml:
>> >
>> > <web-app>
>> >   <display-name>SDDWeb</display-name>
>> >   <context-param>
>> >     <param-name>Owasp.CsrfGuard.Config</param-name>
>> >     <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
>> >   </context-param>
>> >   <context-param>
>> >     <param-name>Owasp.CsrfGuard.Config.Print</param-name>
>> >     <param-value>true</param-value>
>> >   </context-param>
>> >   <listener>
>> >     <listener-class>org.owasp.csrfguard.CsrfGuardListener</listener-class>
>> >   </listener>
>> >
>> >   <filter>
>> >     <filter-name>CSRFGuard</filter-name>
>> >     <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
>> >   </filter>
>> >   <filter-mapping>
>> >     <filter-name>CSRFGuard</filter-name>
>> >     <url-pattern>/*</url-pattern>
>> >   </filter-mapping>
>> >
>> >   <filter>
>> >     <filter-name>SessionFilter</filter-name>
>> >     <filter-class>com.sig.sdd.ui.utils.SddSessionFilter</filter-class>
>> >     <init-param>
>> >       <param-name>findSessionAttribute</param-name>
>> >       <param-value>user</param-value>
>> >     </init-param>
>> >     <init-param>
>> >       <param-name>message</param-name>
>> >       <param-value>error.session.expired</param-value>
>> >     </init-param>
>> >     <init-param>
>> >       <param-name>notFoundFoward</param-name>
>> >       <param-value>/sdd.do</param-value>
>> >     </init-param>
>> >   </filter>
>> >   <filter-mapping>
>> >     <filter-name>SessionFilter</filter-name>
>> >     <url-pattern>*.jsp</url-pattern>
>> >   </filter-mapping>
>> >   <filter-mapping>
>> >     <filter-name>SessionFilter</filter-name>
>> >     <url-pattern>*.do</url-pattern>
>> >   </filter-mapping>
>> >   <listener>
>> >     <listener-class>
>> >       com.sig.sdd.ui.utils.ReceiptListener
>> >     </listener-class>
>> >   </listener>
>> >   <listener>
>> >     <listener-class>com.sig.sdd.ui.utils.DynaContentInitListener</listener-class>
>> >   </listener>
>> >   <servlet>
>> >     <servlet-name>action</servlet-name>
>> >     <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>> >     <init-param>
>> >       <param-name>config</param-name>
>> >       <param-value>/WEB-INF/struts-config.xml</param-value>
>> >     </init-param>
>> >     <load-on-startup>1</load-on-startup>
>> >   </servlet>
>> >   <!-- Action Servlet Mapping -->
>> >   <servlet-mapping>
>> >     <servlet-name>action</servlet-name>
>> >     <url-pattern>*.do</url-pattern>
>> >   </servlet-mapping>
>> >   <servlet>
>> >     <servlet-name>AddressBook</servlet-name>
>> >     <servlet-class>com.eXtropia.app.servlet.ExtropiaServlet</servlet-class>
>> >     <init-param>
>> >       <param-name>ConfigFile</param-name>
>> >       <param-value>/WEB-INF/addressbook.xml</param-value>
>> >     </init-param>
>> >     <init-param>
>> >       <param-name>Reloadable</param-name>
>> >       <param-value>true</param-value>
>> >     </init-param>
>> >     <display-name>AddressBook</display-name>
>> >   </servlet>
>> >   <servlet-mapping>
>> >     <servlet-name>AddressBook</servlet-name>
>> >     <url-pattern>AddressBook</url-pattern>
>> >   </servlet-mapping>
>> >   <servlet>
>> >     <servlet-name>JavaScriptServlet</servlet-name>
>> >     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>> >     <init-param>
>> >       <param-name>source-file</param-name>
>> >       <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
>> >     </init-param>
>> >     <init-param>
>> >       <param-name>inject-into-forms</param-name>
>> >       <param-value>true</param-value>
>> >     </init-param>
>> >     <init-param>
>> >       <param-name>inject-into-attributes</param-name>
>> >       <param-value>true</param-value>
>> >     </init-param>
>> >     <init-param>
>> >       <param-name>domain-strict</param-name>
>> >       <param-value>false</param-value>
>> >     </init-param>
>> >     <init-param>
>> >       <param-name>referer-pattern</param-name>
>> >       <param-value>.*localhost.*</param-value>
>> >     </init-param>
>> >   </servlet>
>> >
>> >   <servlet-mapping>
>> >     <servlet-name>JavaScriptServlet</servlet-name>
>> >     <url-pattern>/JavaScriptServlet</url-pattern>
>> >   </servlet-mapping>
>> >   <!-- The Welcome File List -->
>> >   <welcome-file-list>
>> >     <welcome-file>index.jsp</welcome-file>
>> >   </welcome-file-list>
>> >   <!-- Application Tag Library Descriptor -->
>> >   <taglib>
>> >     <taglib-uri>/WEB-INF/app.tld</taglib-uri>
>> >     <taglib-location>/WEB-INF/app.tld</taglib-location>
>> >   </taglib>
>> >   <!-- Struts Tag Library Descriptors -->
>> >   <taglib>
>> >     <taglib-uri>/WEB-INF/struts-bean.tld</taglib-uri>
>> >     <taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
>> >   </taglib>
>> >   <taglib>
>> >     <taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
>> >     <taglib-location>/WEB-INF/struts-html.tld</taglib-location>
>> >   </taglib>
>> >   <taglib>
>> >     <taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
>> >     <taglib-location>/WEB-INF/struts-logic.tld</taglib-location>
>> >   </taglib>
>> >
>> >   <taglib>
>> >     <taglib-uri>/view-taglib</taglib-uri>
>> >     <taglib-location>/WEB-INF/view.tld</taglib-location>
>> >   </taglib>
>> >   <taglib>
>> >     <taglib-uri>/webdb-taglib</taglib-uri>
>> >     <taglib-location>/WEB-INF/webdb.tld</taglib-location>
>> >   </taglib>
>> >   <taglib>
>> >     <taglib-uri>/auth-taglib</taglib-uri>
>> >     <taglib-location>/WEB-INF/auth.tld</taglib-location>
>> >   </taglib>
>> >
>> >   <session-config>
>> >     <session-timeout>30</session-timeout>
>> >   </session-config>
>> >   <error-page>
>> >     <error-code>404</error-code>
>> >     <location>error.jsp</location>
>> >   </error-page>
>> >   <error-page>
>> >     <error-code>500</error-code>
>> >     <location>error.jsp</location>
>> >   </error-page>
>> > </web-app>
>> >
>> >
>> > Any ideas?
>> >
>> > Thanks in advance.
>> >
>> > Steve
>> >
>> > _______________________________________________
>> > Owasp-csrfguard mailing list
>> > Owasp-csrfguard at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-csrfguard