[Owasp-csrfguard] Owasp-csrfguard Digest, Vol 14, Issue 8

Patrick Radtke pradtke at stanford.edu
Mon Aug 29 15:24:09 EDT 2011


Oops, I must have forgotten to push 'send' last week.

It looks like there is a bug in how the properties file is found,
which is preventing it from trying the other fallback methods.

Assuming that the properties file is deployed

You could try setting the path to:
/WEB-INF/Owasp.CsrfGuard.properties  (note the leading slash)
which may make the fallback method work.

or

Try specifying the full file path and see if it can find it then.

-Patrick
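
A startup check for the lookup problem described in this message, as an added example that is not part of the original post and is not CSRFGuard's own code; the class name `ConfigLookupCheckListener` and the order of the lookups are assumptions. It resolves the `Owasp.CsrfGuard.Config` value with or without the leading slash and guards the null real-path case before it reaches `java.io.File`.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

// Added example: hypothetical listener, not CSRFGuard source. It resolves the
// file named by the Owasp.CsrfGuard.Config context-param and raises a clear
// error during context initialization if no lookup method finds it.
public class ConfigLookupCheckListener implements ServletContextListener {

    static InputStream open(ServletContext ctx, String path) throws IOException {
        // 1. Classpath: class-loader resource names carry no leading slash.
        String cpName = path.startsWith("/") ? path.substring(1) : path;
        InputStream in = Thread.currentThread().getContextClassLoader()
                .getResourceAsStream(cpName);
        if (in != null) return in;
        // 2. Web-app resource: ServletContext paths must begin with "/".
        String webPath = path.startsWith("/") ? path : "/" + path;
        in = ctx.getResourceAsStream(webPath);
        if (in != null) return in;
        // 3. Real path: getRealPath() may return null (for example in an
        //    unexploded WAR); new File((String) null) would then throw a
        //    NullPointerException inside java.io.File.<init>.
        String real = ctx.getRealPath(webPath);
        if (real != null && new File(real).isFile()) return new FileInputStream(real);
        // 4. Last resort: treat the value as a full file-system path.
        File direct = new File(path);
        return direct.isFile() ? new FileInputStream(direct) : null;
    }

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();
        String path = ctx.getInitParameter("Owasp.CsrfGuard.Config");
        if (path == null) throw new IllegalStateException("Owasp.CsrfGuard.Config is not set");
        try (InputStream in = open(ctx, path)) {
            if (in == null) throw new IllegalStateException("CSRFGuard config not found: " + path);
            new Properties().load(in);   // also proves the file parses
        } catch (IOException e) {
            throw new IllegalStateException("CSRFGuard config unreadable: " + path, e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) { }
}
```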


On 8/29/11 12:00 PM, Steve Dittmann wrote:
>
> Any ideas?
>
> Thanks.
>
> On Aug 26, 2011 9:55 AM, "Steve Dittmann" <sdittm1 at gmail.com> wrote:
> > Hi Patrick,
> >
> > I used the download from
> > https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
> >
> > Downloads
> >
> > OWASP CSRFGuard 3.0.0.503 (ALPHA)
> > <https://github.com/downloads/esheri3/OWASP-CSRFGuard/Owasp-CsrfGuard-3.0.0.503.tar.gz> -
> > download the latest development release with binary and associated
> > configuration files *(recommended)*.
> >
> > Steve
> >
> >
> > On Fri, Aug 26, 2011 at 9:46 AM, <owasp-csrfguard-request at lists.owasp.org> wrote:
> >
> >> Today's Topics:
> >>
> >> 1. Re: First implementation of csrfguard getting errors.
> >> (Patrick Radtke)
> >>
> >>
> >> ----------------------------------------------------------------------
> >>
> >> Message: 1
> >> Date: Fri, 26 Aug 2011 09:46:01 -0700
> >> From: Patrick Radtke <pradtke at stanford.edu>
> >> Subject: Re: [Owasp-csrfguard] First implementation of csrfguard
> >> getting errors.
> >> To: owasp-csrfguard at lists.owasp.org
> >> Message-ID: <4E57CDC9.9080203 at stanford.edu>
> >> Content-Type: text/plain; charset="iso-8859-1"
> >>
> >> What version are you using?
> >> If you are building from github let me know the commit.
> >>
> >> On 8/25/11 5:45 PM, Steve Dittmann wrote:
> >> > Hello,
> >> >
> >> > This is my first attempt to implement csrfguard.
> >> >
> >> > I've added the Owasp.CsrfGuard.jar to the WEB-INF\lib and
> >> > the Owasp.CsrfGuard.properties to the WEB-INF folder.
> >> >
> >> > It also has been added to the classpath:
> >> >
> >> >
> >> > CLASSPATH=;contrib.jar;;:\bea\WLSERV~1.0\common\eval\pointbase\lib\pbclient51.jar;C:\bea\WLSERV~1.0\server\lib\xqrl.jar;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\lib\com.ibm.mq.jar;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\prop\log4j.properties;C:\apps\GTS\d_whsldm\deploy\d_whsldm\sdd_local\lib\Owasp.CsrfGuard.jar;
> >> >
> >> > I'm receiving the below errors on my localhost when I attempt to
> >> > access the login page.
> >> >
> >> >
> >> > Cutoff Date is Wed Aug 24 17:22:47 PDT 2011
> >> > <Aug 25, 2011 5:23:10 PM PDT> <Warning> <HTTP> <BEA-101162> <User
> >> > defined listener org.owasp.csrfguard.CsrfGuardListener failed:
> >> > java.lang.RuntimeException: java.lang.NullPointerException.
> >> > java.lang.RuntimeException: java.lang.NullPointerException
> >> > at org.owasp.csrfguard.CsrfGuardListener.newInstance(CsrfGuardListener.java:49)
> >> > at org.owasp.csrfguard.CsrfGuardListener.sessionCreated(CsrfGuardListener.java:24)
> >> > at weblogic.servlet.internal.EventsManager.notifySessionLifetimeEvent(EventsManager.java:257)
> >> > at weblogic.servlet.internal.session.MemorySessionData.<init>(MemorySessionData.java:10)
> >> > at weblogic.servlet.internal.session.MemorySessionContext.getNewSession(MemorySessionContext.java:28)
> >> > Truncated. see log file for complete stacktrace
> >> > java.lang.NullPointerException
> >> > at java.io.File.<init>(File.java:194)
> >> > at org.owasp.csrfguard.CsrfGuardListener.getResourceStream(CsrfGuardListener.java:72)
> >> > at org.owasp.csrfguard.CsrfGuardListener.newInstance(CsrfGuardListener.java:46)
> >> > at org.owasp.csrfguard.CsrfGuardListener.sessionCreated(CsrfGuardListener.java:24)
> >> > at weblogic.servlet.internal.EventsManager.notifySessionLifetimeEvent(EventsManager.java:257)
> >> > Truncated. see log file for complete stacktrace
> >> > >
> >> > <Aug 25, 2011 5:23:10 PM PDT> <Error> <HTTP> <BEA-101020>
> >> > <[weblogic.servlet.internal.WebAppServletContext at 19de9c9 - Servlet
> >> > failed with Exception
> >> > java.lang.NullPointerException
> >> > at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:53)
> >> > at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
> >> > at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
> >> > at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
> >> > at weblogic.security.service.SecurityManager.runAs(Unknown Source)
> >> > Truncated. see log file for complete stacktrace
> >> >
> >> >
> >> > Below is the Web.xml:
> >> >
> >> > <web-app>
> >> > <display-name>SDDWeb</display-name>
> >> > <context-param>
> >> > <param-name>Owasp.CsrfGuard.Config</param-name>
> >> > <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
> >> > </context-param>
> >> > <context-param>
> >> > <param-name>Owasp.CsrfGuard.Config.Print</param-name>
> >> > <param-value>true</param-value>
> >> > </context-param>
> >> > <listener>
> >> > <listener-class>org.owasp.csrfguard.CsrfGuardListener</listener-class>
> >> > </listener>
> >> >
> >> >
> >> > <filter>
> >> > <filter-name>CSRFGuard</filter-name>
> >> > <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> >> > </filter>
> >> > <filter-mapping>
> >> > <filter-name>CSRFGuard</filter-name>
> >> > <url-pattern>/*</url-pattern>
> >> > </filter-mapping>
> >> >
> >> >
> >> > <filter>
> >> > <filter-name>SessionFilter</filter-name>
> >> > <filter-class>com.sig.sdd.ui.utils.SddSessionFilter</filter-class>
> >> > <init-param>
> >> > <param-name>findSessionAttribute</param-name>
> >> > <param-value>user</param-value>
> >> > </init-param>
> >> > <init-param>
> >> > <param-name>message</param-name>
> >> > <param-value>error.session.expired</param-value>
> >> > </init-param>
> >> > <init-param>
> >> > <param-name>notFoundFoward</param-name>
> >> > <param-value>/sdd.do</param-value>
> >> > </init-param>
> >> > </filter>
> >> > <filter-mapping>
> >> > <filter-name>SessionFilter</filter-name>
> >> > <url-pattern>*.jsp</url-pattern>
> >> > </filter-mapping>
> >> > <filter-mapping>
> >> > <filter-name>SessionFilter</filter-name>
> >> > <url-pattern>*.do</url-pattern>
> >> > </filter-mapping>
> >> > <listener>
> >> > <listener-class>
> >> > com.sig.sdd.ui.utils.ReceiptListener
> >> > </listener-class>
> >> > </listener>
> >> > <listener>
> >> > <listener-class>com.sig.sdd.ui.utils.DynaContentInitListener</listener-class>
> >> > </listener>
> >> > <servlet>
> >> > <servlet-name>action</servlet-name>
> >> > <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
> >> > <init-param>
> >> > <param-name>config</param-name>
> >> > <param-value>/WEB-INF/struts-config.xml</param-value>
> >> > </init-param>
> >> > <load-on-startup>1</load-on-startup>
> >> > </servlet>
> >> > <!-- Action Servlet Mapping -->
> >> > <servlet-mapping>
> >> > <servlet-name>action</servlet-name>
> >> > <url-pattern>*.do</url-pattern>
> >> > </servlet-mapping>
> >> > <servlet>
> >> > <servlet-name>AddressBook</servlet-name>
> >> > <servlet-class>com.eXtropia.app.servlet.ExtropiaServlet</servlet-class>
> >> > <init-param>
> >> > <param-name>ConfigFile</param-name>
> >> > <param-value>/WEB-INF/addressbook.xml</param-value>
> >> > </init-param>
> >> > <init-param>
> >> > <param-name>Reloadable</param-name>
> >> > <param-value>true</param-value>
> >> > </init-param>
> >> > <display-name>AddressBook</display-name>
> >> > </servlet>
> >> > <servlet-mapping>
> >> > <servlet-name>AddressBook</servlet-name>
> >> > <url-pattern>AddressBook</url-pattern>
> >> > </servlet-mapping>
> >> > <servlet>
> >> > <servlet-name>JavaScriptServlet</servlet-name>
> >> > <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> >> > <init-param>
> >> > <param-name>source-file</param-name>
> >> > <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value>
> >> > </init-param>
> >> > <init-param>
> >> > <param-name>inject-into-forms</param-name>
> >> > <param-value>true</param-value>
> >> > </init-param>
> >> > <init-param>
> >> > <param-name>inject-into-attributes</param-name>
> >> > <param-value>true</param-value>
> >> > </init-param>
> >> > <init-param>
> >> > <param-name>domain-strict</param-name>
> >> > <param-value>false</param-value>
> >> > </init-param>
> >> > <init-param>
> >> > <param-name>referer-pattern</param-name>
> >> > <param-value>.*localhost.*</param-value>
> >> > </init-param>
> >> > </servlet>
> >> >
> >> > <servlet-mapping>
> >> > <servlet-name>JavaScriptServlet</servlet-name>
> >> > <url-pattern>/JavaScriptServlet</url-pattern>
> >> > </servlet-mapping>
> >> > <!-- The Welcome File List -->
> >> > <welcome-file-list>
> >> > <welcome-file>index.jsp</welcome-file>
> >> > </welcome-file-list>
> >> > <!-- Application Tag Library Descriptor -->
> >> > <taglib>
> >> > <taglib-uri>/WEB-INF/app.tld</taglib-uri>
> >> > <taglib-location>/WEB-INF/app.tld</taglib-location>
> >> > </taglib>
> >> > <!-- Struts Tag Library Descriptors -->
> >> > <taglib>
> >> > <taglib-uri>/WEB-INF/struts-bean.tld</taglib-uri>
> >> > <taglib-location>/WEB-INF/struts-bean.tld</taglib-location>
> >> > </taglib>
> >> > <taglib>
> >> > <taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
> >> > <taglib-location>/WEB-INF/struts-html.tld</taglib-location>
> >> > </taglib>
> >> > <taglib>
> >> > <taglib-uri>/WEB-INF/struts-logic.tld</taglib-uri>
> >> > <taglib-location>/WEB-INF/struts-logic.tld</taglib-location>
> >> > </taglib>
> >> >
> >> > <taglib>
> >> > <taglib-uri>/view-taglib</taglib-uri>
> >> > <taglib-location>/WEB-INF/view.tld</taglib-location>
> >> > </taglib>
> >> > <taglib>
> >> > <taglib-uri>/webdb-taglib</taglib-uri>
> >> > <taglib-location>/WEB-INF/webdb.tld</taglib-location>
> >> > </taglib>
> >> > <taglib>
> >> > <taglib-uri>/auth-taglib</taglib-uri>
> >> > <taglib-location>/WEB-INF/auth.tld</taglib-location>
> >> > </taglib>
> >> >
> >> > <session-config>
> >> > <session-timeout>30</session-timeout>
> >> > </session-config>
> >> > <error-page>
> >> > <error-code>404</error-code>
> >> > <location>error.jsp</location>
> >> > </error-page>
> >> > <error-page>
> >> > <error-code>500</error-code>
> >> > <location>error.jsp</location>
> >> > </error-page>
> >> > </web-app>
> >> >
> >> >
> >> > Any ideas?
> >> >
> >> > Thanks in advance.
> >> >
> >> > Steve
> >> >
> >> >
> >> > _______________________________________________
> >> > Owasp-csrfguard mailing list
> >> > Owasp-csrfguard at lists.owasp.org
> >> > https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
> >>
>