[Owasp-csrfguard] can't get it to work

ray at allthisisthat.com ray at allthisisthat.com
Tue Jul 16 22:30:19 UTC 2013



You Rule!  It does indeed work, but now all my requests for images, css, etc. all fail with missing token messages.  I tried adding the config property org.owasp.csrfguard.Ajax=true, but this makes no difference.  I still get a ton of messages like: Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, uri:/drbms/img/sort_down.gif, error:required token is missing from the request).  What am I missing now?  Any ideas?

Also, I am now leaving the login page unprotected, which can't be a very good idea.  Is there a better method using the NewTokenLandingPage?  I still have that config setting, but it never goes there.  Should the NewTokenLandingPage redirect to the login page, or what does it do?  There isn't much discussion of this in the documentation, AFAIK.

Thanks very much for the help so far - there was some danger of me going berserk, which is now receding into the distance.

- Ray Clough
 

---------------------------- Original Message ----------------------------

Subject: RE: [Owasp-csrfguard] can't get it to work

From: "Tom Barber" 

Date: Tue, July 16, 2013 2:30 pm

To: ray at allthisisthat.com

owasp-csrfguard at lists.owasp.org

--------------------------------------------------------------------------



Hi Ray,

I'm not certain this is the case, but I believe I know the problem. If you look at the comments above the unprotected section of the property files, the options it gives you are:

# Case 1: exact match between request uri and unprotected page
# Case 2: longest path prefix match, beginning / and ending /*
# Case 3: extension match, beginning *.
# Default: requested resource must be validated by CSRFGuard

In your case you seem to have used the wildcard in an unsupported manner: "/login*". Perhaps you could specify the exact uri "drbms/login.seam".

Let me know if you have any luck.

Thanks
Tom

From: owasp-csrfguard-bounces at lists.owasp.org [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of ray at allthisisthat.com
Sent: 16 July 2013 21:44
To: owasp-csrfguard at lists.owasp.org
Subject: [Owasp-csrfguard] can't get it to work
I am unable to get the CsrfGuard filter to work.  Regardless of the properties I set, the app tries to go to the login page, and I get this log message:

[Tue Jul 16 13:08:38 PDT 2013] [Error] Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, uri:/drbms/login.seam, error:required token is missing from the request)

Obviously I am doing something wrong.  Here is my configuration file:

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.UseNewTokenLandingPage=true
org.owasp.csrfguard.NewTokenLandingPage=/NewTokenLandingPage.html
org.owasp.csrfguard.TokenPerPage=true
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Ajax=false
org.owasp.csrfguard.unprotected.Index=/login*
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=Potential Cross-Site Request Forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
When the server starts, I see the config properties output to the console, so I know the config file is being read correctly.

I have tried various combinations of using a NewTokenLandingPage with the login page protected, and un-protecting the login page but not using a New Token Landing Page.  Also, I have seen no info on what the New Token Landing Page needs to do - if I can ever get it to appear, my guess is that it needs to redirect to the login page.  Is that correct?  Also, all the examples use jsp, not facelets.  Are there any issues with this difference?  I built the project from source using the latest code.

Any help you could offer would be greatly appreciated.
 
Thank you,
Ray Clough
 

 
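The three matching rules Tom quotes from the properties file comments (exact match, path prefix ending in /*, extension beginning *.) explain both problems in this thread: "/login*" fits none of the three forms, so the login page is never exempted, and static resources such as /drbms/img/sort_down.gif stay protected until a prefix or extension entry covers them. The following is an added example, not CSRFGuard's own code: a small Python reimplementation of those three rules, applied to the unprotected.* entries of a properties snippet and run against the URIs from the log lines in the thread. It assumes the URI being matched is the full request URI as it appears in the log (leading slash, including the /drbms context path); the corrected configuration keys (Login, Images, Css, Js) and the two extra request URIs (/drbms/css/site.css, /drbms/account/edit.seam) are constructed for illustration.

```python
"""Toy reimplementation of the CSRFGuard 'unprotected' matching rules as
described in the properties-file comment quoted in the thread:

  Case 1: exact match between request uri and unprotected page
  Case 2: longest path prefix match, beginning / and ending /*
  Case 3: extension match, beginning *.
  Default: requested resource must be validated by CSRFGuard

This is an added example, not CSRFGuard's source.  It matches against the
full request URI as shown in the log lines (assumption: leading slash and
the /drbms context path included).
"""

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."


def parse_unprotected(properties_text):
    """Collect the value of every org.owasp.csrfguard.unprotected.* key."""
    patterns = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith(UNPROTECTED_PREFIX):
            patterns.append(value.strip())
    return patterns


def classify(pattern):
    """Return 'exact', 'prefix' or 'extension' for a supported pattern, or
    None when the wildcard is used in an unsupported way (e.g. '/login*')."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    if "*" not in pattern:
        return "exact"
    return None


def is_unprotected(uri, patterns):
    """True when any supported pattern exempts the URI from token checks.
    Because this is an exempt-only list, one match is enough; the
    'longest prefix' ordering only matters when prefixes conflict."""
    for pattern in patterns:
        kind = classify(pattern)
        if kind == "exact" and uri == pattern:
            return True
        if kind == "prefix" and uri.startswith(pattern[:-1]):  # keep trailing '/'
            return True
        if kind == "extension" and uri.endswith(pattern[1:]):  # keep '.gif' etc.
            return True
    return False


# The entry Ray posted in the thread (unsupported wildcard form).
ORIGINAL_CONFIG = """
org.owasp.csrfguard.unprotected.Index=/login*
"""

# Constructed corrected entries: exact match for the login page (Case 1),
# prefix match for the image directory (Case 2), extension matches for
# stylesheets and scripts (Case 3).  Key names are illustrative.
CORRECTED_CONFIG = """
org.owasp.csrfguard.unprotected.Login=/drbms/login.seam
org.owasp.csrfguard.unprotected.Images=/drbms/img/*
org.owasp.csrfguard.unprotected.Css=*.css
org.owasp.csrfguard.unprotected.Js=*.js
"""

# First two URIs come from the log lines quoted in the thread; the last two
# are constructed to show a static resource and a protected page.
REQUESTS = [
    "/drbms/login.seam",
    "/drbms/img/sort_down.gif",
    "/drbms/css/site.css",
    "/drbms/account/edit.seam",
]


def evaluate(properties_text, uris=REQUESTS):
    """Map each URI to whether the given configuration exempts it."""
    patterns = parse_unprotected(properties_text)
    return {uri: is_unprotected(uri, patterns) for uri in uris}


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name)
        for uri, exempt in evaluate(cfg).items():
            print(f"  {uri:30} {'unprotected' if exempt else 'token required'}")
```

With the original entry every URI still requires a token, which is exactly the log output in the thread; with the corrected entries the login page and static resources are exempt while an application page such as /drbms/account/edit.seam is still validated. Keep the exempt list as short as possible: every prefix or extension entry is a path on which CSRF protection is deliberately switched off.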
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20130716/b38a4b30/attachment-0001.html>


More information about the Owasp-csrfguard mailing list