[Owasp-csrfguard] can't get it to work

ray at allthisisthat.com ray at allthisisthat.com
Tue Jul 16 20:44:18 UTC 2013
I am unable to get the CsrfGuard filter to work. Regardless of the properties I set, the app tries to go to the login page, and I get this log message:

[Tue Jul 16 13:08:38 PDT 2013] [Error] Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:<anonymous>,
ip:127.0.0.1, uri:/drbms/login.seam, error:required token is missing from the request)

Obviously I am doing something wrong. Here is my configuration file:
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.UseNewTokenLandingPage=true
org.owasp.csrfguard.NewTokenLandingPage=/NewTokenLandingPage.html
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Ajax=false
org.owasp.csrfguard.unprotected.Index=/login*
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG

When the server starts, I see the config properties output to the console, so I know the config file is being read correctly.

I have tried various combinations of using a NewTokenLandingPage with the login page protected, and unprotecting the login page but not using a New Token Landing Page. Also, I have seen no info on what the New Token Landing Page needs to do. If I can ever get it to appear, my guess is that it needs to redirect to the login page. Is that correct? Also, all the examples use JSP, not Facelets. Are there any issues with this difference? I built the project from source using the latest code.

Any help you could offer would be greatly appreciated.
 
Thank you,
Ray Clough
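To make the moving parts in the configuration above concrete, here is a small model of what a synchronizer-token filter does with these properties: it decides whether a request URI is protected using the unprotected patterns, looks for the token under TokenName in the request and under SessionKey in the session, and fills the Log.Message placeholders when the check fails. This is an added illustration written for this thread, not CSRFGuard's own code; the Request class, the strip_context switch and the "does not match" wording are assumptions of the model. Note that the log line in the post reports the full request URI, /drbms/login.seam, including the /drbms context path, so whether a pattern like /login* matches depends on which string the comparison is done against; the example exposes that choice as a parameter so both outcomes can be observed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed configuration using the property values from the post.
CONFIG = {
    "TokenName": "OWASP_CSRFTOKEN",    # request parameter carrying the token
    "SessionKey": "OWASP_CSRFTOKEN",   # session attribute holding the expected token
    "TokenLength": 32,                 # characters in a generated token
    "unprotected": ["/login*"],        # org.owasp.csrfguard.unprotected.* entries
    "LogMessage": (
        "Potential Cross-Site Request Forgery (CSRF) attack thwarted "
        "(user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)"
    ),
}


@dataclass
class Request:
    """Hypothetical stand-in for an HttpServletRequest and its session."""
    context_path: str
    request_uri: str
    remote_ip: str
    user: Optional[str]
    params: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)


def new_token(length: int = CONFIG["TokenLength"]) -> str:
    """Generate a random hex token of the configured length (CSPRNG-backed)."""
    return secrets.token_hex(length // 2)


def matches_unprotected(path: str, patterns) -> bool:
    """Exact match, or prefix match when the pattern ends with '*'."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if path.startswith(pattern[:-1]):
                return True
        elif path == pattern:
            return True
    return False


def is_protected(req: Request, strip_context: bool) -> bool:
    """Compare patterns against the full URI, or against the URI with the context path removed."""
    path = req.request_uri
    if strip_context and path.startswith(req.context_path):
        path = path[len(req.context_path):]
    return not matches_unprotected(path, CONFIG["unprotected"])


def render_log(req: Request, error: str) -> str:
    """Fill the %placeholders% from Log.Message the way the post's log line shows them."""
    return (CONFIG["LogMessage"]
            .replace("%user%", req.user or "<anonymous>")
            .replace("%remote_ip%", req.remote_ip)
            .replace("%request_uri%", req.request_uri)
            .replace("%exception_message%", error))


def check_request(req: Request, strip_context: bool = False) -> Tuple[bool, Optional[str]]:
    """Return (allowed, log_line). log_line is None when the request is accepted."""
    if not is_protected(req, strip_context):
        return True, None
    expected = req.session.get(CONFIG["SessionKey"])
    presented = req.params.get(CONFIG["TokenName"])
    if presented is None:
        error = "required token is missing from the request"   # wording from the post's log line
    elif expected is None or not hmac.compare_digest(presented.encode(), expected.encode()):
        error = "request token does not match session token"   # constructed wording
    else:
        return True, None
    return False, render_log(req, error)


if __name__ == "__main__":
    # Constructed request matching the post's log line: no token, URI includes the context path.
    login = Request("/drbms", "/drbms/login.seam", "127.0.0.1", None)
    print(check_request(login, strip_context=False))   # rejected: '/login*' never matches '/drbms/...'
    print(check_request(login, strip_context=True))    # accepted: '/login.seam' matches '/login*'
```

Running the block shows the same rejection message as in the post for the first call and a pass for the second; the only difference is the string the unprotected pattern is compared against. When debugging a filter like this, checking which form of the path the pattern is matched on is usually the first thing to verify, before touching the token or landing-page settings.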