[Owasp-csrfguard] CSRFGuard problem
Barber, Thomas X
thomas.x.barber at jpmorgan.com
Tue Jul 23 08:29:25 UTC 2013
I’m not very familiar with the issue you are facing, but is it possible that on an exception the Seam error handling tries to redirect to a page that isn’t defined as being “unprotected”, which would cause CSRFGuard verification to fail constantly in a loop? If you are redirecting to a page in Seam, can you try defining it as being unprotected?
Tom Barber | Application Developer GFS - Technology | Corporate & Investment Bank (CIB) | J.P. Morgan, Chaseside - Hampshire Building, Floor 2, Bournemouth BH7 7DA, United Kingdom | T:+44 (0)1202 320097 | thomas.X.barber at jpmorgan.com<mailto:thomas.x.barber at jpmorgan.com>
From: owasp-csrfguard-bounces at lists.owasp.org [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of ray at allthisisthat.com
Sent: 23 July 2013 00:52
To: owasp-csrfguard at lists.owasp.org
Subject: [Owasp-csrfguard] CSRFGuard problem
I have added CSRFGuard to an existing project which is based on JSF using Seam 2.2. My initial testing was very positive, until I started testing use cases which generated exceptions. What I am finding is that Seam (or JSF) error handling is being interfered with by CSRFGuard. As a result, I can get into a situation where the app is frozen, and you can't even call up the app from a new tab with the login url. I have to restart the server in order to get any pages to work. The only thing I have found which allows me to proceed is to invalidate the session when any potential CSRF attack is detected, by using the configuration option: "org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate". Of course, this is extremely unfriendly, as the user is suddenly returned to the login page with no warning or message about why.
I tried to configure an error page to redirect to by using:
but even this doesn't work as the conflict between Seam and CSRFGuard prevents the redirect from being processed. Basically, Seam is stuck in error mode, and there is nothing I have been able to do about it.
Does anyone have any suggestions? Has anyone else had a similar problem? I'm sure that there could equally well be conflicts with other frameworks besides JSF with Seam. I am about to remove CSRFGuard and use Seam's s:token tag to protect the POST requests - which, of course, leaves GET unprotected. I'd really rather not get into that, if there is some clever configuration I could use which would enable me to continue to use CSRFGuard.
Thanks in advance,
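The change suggested in the reply, written out as a constructed Owasp.CsrfGuard.properties fragment (added here, not taken from the thread; /error.xhtml is an assumed page name, and the exact path form expected by the unprotected entry should be checked against the CSRFGuard version in use):

```properties
# Constructed example, not from the thread: Owasp.CsrfGuard.properties fragment.

# Before: the only setting the poster found that unfreezes the app. Every
# detected violation destroys the session, so the user is dropped on the
# login page with no explanation.
org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate

# After: keep the session, record the event, and send the user to an error
# page. /error.xhtml is an assumed path; substitute the application's own page.
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential CSRF attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/error.xhtml

# The redirect is a fresh GET to /error.xhtml that carries no token. With GET
# requests protected, CSRFGuard would reject that request as well and redirect
# again, which is the loop the reply describes. Listing the page as unprotected
# breaks the loop. "Error" after "unprotected." is only a label; any suffix works.
org.owasp.csrfguard.unprotected.Error=/error.xhtml
```

Any Seam error or exception page that the framework itself redirects to needs the same unprotected entry, otherwise the redirect target triggers the next rejection.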