[Owasp-csrfguard] context root in config for unprotected, and regex

Chris Hyzer mchyzer at isc.upenn.edu
Mon Oct 14 05:20:34 UTC 2013


A gap I see in using csrf guard in my project is the context root being in the config file.  I would like the same config to be able to be deployed to any context root for the application.  For example:

org.owasp.csrfguard.unprotected.SomePage=/contextRoot/somePage
org.owasp.csrfguard.unprotected.SomeOtherPage=/contextRoot/someOtherPage

I would like to be able to configure instead:

org.owasp.csrfguard.unprotected.SomePage=$$contextRoot$$/somePage
org.owasp.csrfguard.unprotected.SomeOtherPage=$$contextRoot$$/someOtherPage

And have Java figure out the context root (if there even is one), and substitute that in.  For the unprotected pages it would be nice if it supported regex somehow too.  Something like this?  (assume context root is not part of the regex, must be in front)

org.owasp.csrfguard.unprotectedRegex.SomePages=$$contextRoot$$^/somePage.*View.*$

Are these things I could try to code and contribute back to the project?  If so, if there are any guidelines, instructions, or advice please let me know.

Thanks,
Chris
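
Added example, not part of the original message and not CSRFGuard code: one way the proposed $$contextRoot$$ substitution and unprotectedRegex matching could behave. The class name UnprotectedPageMatcher and the /app context root are hypothetical; in a servlet the context root would come from ServletContext.getContextPath().

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

// Hypothetical helper illustrating the proposal; not part of CSRFGuard.
public class UnprotectedPageMatcher {
    private static final String TOKEN = "$$contextRoot$$";
    private final String contextRoot;            // "" when deployed at the root context
    private final List<String> exact = new ArrayList<>();
    private final List<Pattern> regexes = new ArrayList<>();
    public UnprotectedPageMatcher(Properties config, String contextRoot) {
        this.contextRoot = contextRoot;
        for (String key : config.stringPropertyNames()) {
            String value = config.getProperty(key).trim();
            if (key.startsWith("org.owasp.csrfguard.unprotectedRegex.")) {
                // The regex covers only the path after the context root.
                if (!value.startsWith(TOKEN)) {
                    throw new IllegalArgumentException(key + " must start with " + TOKEN);
                }
                regexes.add(Pattern.compile(value.substring(TOKEN.length())));
            } else if (key.startsWith("org.owasp.csrfguard.unprotected.")) {
                // Literal substitution; the context root is never treated as a regex.
                exact.add(value.replace(TOKEN, contextRoot));
            }
        }
    }
    public boolean isUnprotected(String requestUri) {
        if (exact.contains(requestUri)) return true;
        if (!requestUri.startsWith(contextRoot)) return false;
        String path = requestUri.substring(contextRoot.length());
        for (Pattern p : regexes) {
            // matches() needs the whole path to match, so an unanchored pattern
            // cannot exempt more URLs from the token check than intended.
            if (p.matcher(path).matches()) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        Properties config = new Properties();    // constructed sample config
        config.setProperty("org.owasp.csrfguard.unprotected.SomePage", "$$contextRoot$$/somePage");
        config.setProperty("org.owasp.csrfguard.unprotectedRegex.SomePages", "$$contextRoot$$^/somePage.*View.*$");
        UnprotectedPageMatcher m = new UnprotectedPageMatcher(config, "/app");
        System.out.println(m.isUnprotected("/app/somePage"));
        System.out.println(m.isUnprotected("/app/somePageListView"));
        System.out.println(m.isUnprotected("/other/somePage"));
        System.out.println(m.isUnprotected("/app/admin/somePageView"));
    }
}
```

Keeping the context root out of the compiled pattern means a context path containing regex metacharacters cannot change which pages are exempt.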

