[Owasp-csrfguard] CSRFGuard problem

ray at allthisisthat.com ray at allthisisthat.com
Tue Jul 23 23:43:58 UTC 2013



Thanks, Tom.  The only solution I could get to work was to make the page a static HTML page instead of a JSF facelet.  There was just a lot of conflict between the CSRFGuard redirect mechanism and the JSF (Seam) redirect mechanism.  I also had to specify the error page as not CSRFGuard protected (as you suggested), and had to specify it as "/myapp/CSRFError.html", which puts the context root into the configuration file, which is undesirable, of course.  Eventually, this will be replaced with a token for replacement during the build process.

Thanks for your help,
Ray Clough

---------------------------- Original Message ----------------------------
Subject: RE: [Owasp-csrfguard] CSRFGuard problem
From: "Barber, Thomas X"
Date: Tue, July 23, 2013 1:29 am
To: "ray at allthisisthat.com", "owasp-csrfguard at lists.owasp.org"
--------------------------------------------------------------------------
I’m not very familiar with the issue you are facing, but is it possible that on an exception the seam error handling tries to redirect to a page that isn’t defined as being “unprotected” which would cause CSRFGuard verification to fail constantly in a loop? If you are redirecting to a page in seam can you try defining it as being unprotected?

Thanks
Tom

Tom Barber | Application Developer
GFS - Technology | Corporate & Investment Bank (CIB) | J.P. Morgan,
Chaseside - Hampshire Building, Floor 2, Bournemouth BH7 7DA, United Kingdom | T:+44 (0)1202 320097 | thomas.X.barber at jpmorgan.com
From: owasp-csrfguard-bounces at lists.owasp.org [mailto:owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of ray at allthisisthat.com
Sent: 23 July 2013 00:52
To: owasp-csrfguard at lists.owasp.org
Subject: [Owasp-csrfguard] CSRFGuard problem

I have added CSRFGuard to an existing project which is based on JSF using Seam 2.2.  My initial testing was very positive, until I started testing use cases which generated exceptions.  What I am finding is that Seam (or JSF) error handling is being interfered with by CSRFGuard.  As a result, I can get into a situation where the app is frozen, and you can't even call up the app from a new tab with the login url.  I have to restart the server in order to get any pages to work.  The only thing I have found which allows me to proceed is to invalidate the session when any potential CSRF attack is detected, by using the configuration option: "org.owasp.csrfguard.action.Invalidate=org.owasp.csrfguard.action.Invalidate".  Of course, this is extremely unfriendly, as the user is suddenly returned to the login page with no warning or message about why.

I tried to configure an error page to redirect to by using:

    org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
    org.owasp.csrfguard.action.Redirect.Page=/CSRFError.html

but even this doesn't work as the conflict between Seam and CSRFGuard prevents the redirect from being processed.  Basically, Seam is stuck in error mode, and there is nothing I have been able to do about it.

Does anyone have any suggestions?  Has anyone else had a similar problem?  I'm sure that there could equally well be conflicts with other frameworks besides JSF with Seam.  I am about to remove CSRFGuard and use Seam's s:token tag to protect the POST requests - which, of course, leaves GET unprotected.  I'd really rather not get into that, if there is some clever configuration I could use which would enable me to continue to use CSRFGuard.

Thanks in advance,
Ray Clough
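The redirect loop Tom describes and the configuration Ray settled on, shown side by side as two alternative Owasp.CsrfGuard.properties fragments. This is an added illustration, not configuration posted by either participant; the `/myapp` context root and the `CsrfError` entry name are assumed for the example.

```properties
# --- Fragment A (loops): the Redirect action sends a rejected request to an
# error page that CSRFGuard still protects. The redirected GET carries no
# token, so the filter rejects it and redirects to the same page again.
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/myapp/CSRFError.html
# (no org.owasp.csrfguard.unprotected.* entry covers /myapp/CSRFError.html)

# --- Fragment B (corrected): the error page is declared unprotected, so the
# redirect target is served without token verification and the loop ends.
# The page is static HTML (no Seam/JSF redirect of its own) and performs no
# state change, since it is deliberately reachable without a token.
# The path includes the context root ("/myapp"), which is why Ray planned to
# substitute it at build time rather than hard-code it.
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=/myapp/CSRFError.html
org.owasp.csrfguard.unprotected.CsrfError=/myapp/CSRFError.html
# Keep logging the rejected request so the event stays visible to operators
# even though the user only sees the static error page.
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
```

Only one of the two fragments belongs in a deployed properties file; a properties loader keeps the last value of a duplicated key, so concatenating them would silently yield fragment B.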