[Owasp-csrfguard] can't get it to work

Tom Barber tom.a.barber at gmail.com
Tue Jul 16 21:30:45 UTC 2013


Hi Ray,


I’m not certain this is the case, but I believe I know the problem. If you look at the comments above the unprotected section of the properties file, the options it gives you are:


# Case 1: exact match between request uri and unprotected page
# Case 2: longest path prefix match, beginning / and ending /*
# Case 3: extension match, beginning *.
# Default: requested resource must be validated by CSRFGuard


In your case you seem to have used a wildcard in an unsupported manner (“/login*”). Perhaps you could specify the exact uri “drbms/login.seam”.


Let me know if you have any luck.


Thanks


Tom


From: owasp-csrfguard-bounces at lists.owasp.org [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of ray at allthisisthat.com
Sent: 16 July 2013 21:44
To: owasp-csrfguard at lists.owasp.org
Subject: [Owasp-csrfguard] can't get it to work


I am unable to get the CsrfGuard filter to work.  Regardless of the properties I set, the app tries to go to the login page, and I get this log message:

[Tue Jul 16 13:08:38 PDT 2013] [Error] Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, uri:/drbms/login.seam, error:required token is missing from the request)

Obviously I am doing something wrong. Here is my configuration file:

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.UseNewTokenLandingPage=true
org.owasp.csrfguard.NewTokenLandingPage=/NewTokenLandingPage.html
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Ajax=false
org.owasp.csrfguard.unprotected.Index=/login*
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG

When the server starts, I see the config properties output to the console, so I know the config file is being read correctly.

I have tried various combinations of using a NewTokenLandingPage with the login page protected, and un-protecting the login page but not using a New Token Landing Page. Also, I have seen no info on what the New Token Landing Page needs to do; if I can ever get it to appear, my guess is that it needs to redirect to the login page. Is that correct? Also, all the examples use jsp, not facelets. Are there any issues with this difference? I built the project from source using the latest code.

Any help you could offer would be greatly appreciated.


Thank you,

Ray Clough
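As an added example (not code from this thread or from the CSRFGuard project), the small Java program below applies the three matching cases Tom quotes to the URI from Ray's log line. The rule order (exact, then longest prefix, then extension) and the assumption that patterns are compared against the URI as logged, context path included, are mine.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not CSRFGuard's own matcher: applies the three unprotected-page
 * cases from the properties-file comment to a request URI. Rule order is my
 * reading of that comment.
 */
public class UnprotectedMatchDemo {

    /** Names the case that covers requestUri, or "Default" when CSRFGuard must validate it. */
    static String classify(String requestUri, List<String> patterns) {
        // Case 1: exact match between request uri and unprotected page
        for (String p : patterns) {
            if (p.equals(requestUri)) return "Case 1 (exact): " + p;
        }
        // Case 2: longest path prefix match, beginning / and ending /*
        String best = null;
        for (String p : patterns) {
            if (p.startsWith("/") && p.endsWith("/*")) {
                String prefix = p.substring(0, p.length() - 1); // "/drbms/*" -> "/drbms/"
                if (requestUri.startsWith(prefix) && (best == null || p.length() > best.length())) {
                    best = p;
                }
            }
        }
        if (best != null) return "Case 2 (prefix): " + best;
        // Case 3: extension match, beginning *.
        for (String p : patterns) {
            if (p.startsWith("*.") && requestUri.endsWith(p.substring(1))) {
                return "Case 3 (extension): " + p;
            }
        }
        // "/login*" fits none of the three cases, so the request stays protected
        return "Default: requested resource must be validated by CSRFGuard";
    }

    public static void main(String[] args) {
        String uri = "/drbms/login.seam"; // taken from the log line in the thread
        List<List<String>> configs = Arrays.asList(
            Arrays.asList("/login*"),            // Ray's pattern
            Arrays.asList("/drbms/login.seam"),  // exact URI as logged (assumes context path is included)
            Arrays.asList("/*", "/drbms/*"),     // two prefixes: the longest one wins
            Arrays.asList("*.seam"));            // exempts every .seam page, not just login
        for (List<String> c : configs) {
            System.out.printf("%-24s -> %s%n", c, classify(uri, c));
        }
    }
}
```

Only the exact, `/*` prefix and `*.` extension forms match; since `*.seam` would also exempt every other .seam page from validation, the exact URI is the narrower choice.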

