[Owasp-csrfguard] Query on CSRFGuard and usage in IBM Websphere 6.1

Azzeddine Ramrami azzeddine.ramrami at owasp.org
Wed Jan 8 20:02:13 UTC 2014


Hi Erwin,
Is it OK for you to add your installation steps to the CSRFGuard wiki
project?
I will install a complete WS environment to test each step.
Regards,
Azzeddine


On Tue, Jan 7, 2014 at 9:10 PM, Erwin, Christy L <Christy.L.Erwin at boeing.com> wrote:

> Hello Ragha,
>
> I recently implemented CSRFGuard in an application using IBM WebSphere
> 8.0. There are some changes that need to be made to the code in order to
> get it to work with the WebSphere server. I found that the Installation
> Guide and other documentation on the OWASP site does not address this.
>
> In particular, in the csrfguard.properties file, I had to change the
> org.owasp.csrfguard.PRNG property
> From: org.owasp.csrfguard.PRNG =SHA1PRNG
> To: org.owasp.csrfguard.PRNG=IBMSecureRandom
>
> And in the CsrfGuard.java file, defaults are hard-coded for the following
> two values, which have to be changed for WebSphere servers
> From: org.owasp.csrfguard.PRNG=SHA1PRNG
> To: org.owasp.csrfguard.PRNG=IBMSecureRandom
> ---
> From: org.owasp.csrfguard.PRNG.Provider=SUN
> To: org.owasp.csrfguard.PRNG.Provider=IBMJCE
> ---
>
> Because of the change to the .java file, the code had to be recompiled.
> The OWASP CSRFGuard Install Guide shows how to list the CSRFGuardListener
> class in its example web.xml file. And the CSRFGuard.jar file on my
> company's application security web site contains this class file. But I was
> not able to find this java code anywhere. So instead, I used the
> CsrfGuardServletContextListener and CsrfGuardHttpSessionListener classes,
> and put them in my web.xml as follows:
>     <listener>
>         <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
>     </listener>
>     <listener>
>         <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
>     </listener>
>
> I would think that it would be possible to put both properties in
> csrfguard.properties and forgo the recompile of the Java code, but I didn't
> try this myself. It would look like this:
> org.owasp.csrfguard.PRNG=IBMSecureRandom
> org.owasp.csrfguard.PRNG.Provider=IBMJCE
>
> This is where info is on these properties for WebSphere:
>
> http://files.jscape.com/secureftpserver/docs/index.html?running_under_ibm_jvm.htm
>
> Since I only needed to protect a couple pages in the application I worked
> on, I found it much simpler to use the provided JSP Tag Library,
> csrfguard.tld, and insert tokens into specific links. For me, this was
> preferable to using the default JavaScript token injection, which for my
> application, which has many links and older and faulty JavaScript code,
> surfaced a lot of previously unseen JS errors.
>
> Feel free to contact me if you have additional questions about CSRFGuard
> in WebSphere.
>
> Christa Erwin
> Programmer/Analyst, Boeing Enterprise Supplier Tools (BEST)
> Mon-Thurs, 8:00 - 4:30 pm
> Work: 425-234-5942
> Cell: 206-427-1787
>
> -----Original Message-----
> From: owasp-csrfguard-bounces at lists.owasp.org [mailto:
> owasp-csrfguard-bounces at lists.owasp.org] On Behalf Of
> owasp-csrfguard-request at lists.owasp.org
> Sent: Thursday, December 26, 2013 4:00 AM
> To: owasp-csrfguard at lists.owasp.org
> Subject: Owasp-csrfguard Digest, Vol 40, Issue 1
>
> Message: 1
> Date: 26 Dec 2013 04:58:27 -0000
> From: "Raghu Vedu" <vedeshwar777 at rediffmail.com>
> To: "owasp-csrfguard at lists.owasp.org"
>         <owasp-csrfguard at lists.owasp.org>
> Subject: [Owasp-csrfguard] Query on CSRFGuard and usage in IBM
>         Websphere 6.1
>
> Hi,
>  
> I am trying to use the source from
> https://github.com/esheri3/OWASP-CSRFGuard and my need is to use the
> library in web application using IBM Websphere 6.1 server.
>  
> I am seeing it is written for Maven, so please let me know if IBM
> websphere based project is also available.
>  
> I am a bit new to this, so please let me know the feasibility of using the
> CSRFguard in IBM server.
>  
> Thanks
> Ragha
>
> ------------------------------
>
> Message: 2
> Date: Thu, 26 Dec 2013 09:08:24 +0100
> From: Azzeddine Ramrami <azzeddine.ramrami at owasp.org>
> To: Raghu Vedu <vedeshwar777 at rediffmail.com>
> Cc: "owasp-csrfguard at lists.owasp.org"
>         <owasp-csrfguard at lists.owasp.org>
> Subject: Re: [Owasp-csrfguard] Query on CSRFGuard and usage in IBM
>         Websphere 6.1
>
> Dear Sir,
> I am the Leader of this project.
> You can use the CSRFGuard library with IBM WS as a JavaEE filter.
>
> OWASP CSRFGuard utilizes request tokens to address Cross-Site Request
> Forgery. CSRF is an attack where the victim is tricked into interacting
> with a website where they are already authenticated.
> CSRFGuard provides code to generate unique request tokens to mitigate CSRF
> risks.
>
> You can integrate the source code using your own method (if you don't use
> Maven).
>
> The following link shows how to integrate CSRFGuard with your application:
>
> https://www.owasp.org/index.php/CSRFGuard_3_Installation
>
> If you have any questions, contact me.
> Regards,
> Azzeddine RAMRAMI
>
>
> --
> Azzeddine RAMRAMI
> +33 6 65 48 90 04.
> Enterprise Security Architect
> OWASP Leader (Morocco Chapter)
> Mozilla Security Projects Mentor
> ------------------------------
>



-- 
Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor
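Christy's PRNG change above comes down to which SecureRandom algorithm/provider pair the running JVM actually offers. The following is an added example, not CSRFGuard's own code: it reads the two csrfguard.properties keys quoted in the thread and resolves them at startup, so a SUN/IBMJCE mismatch surfaces as a NoSuchProviderException when the application boots rather than on the first protected request; the property strings are constructed samples taken from the thread.

```java
import java.io.StringReader;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

// Added example, not CSRFGuard's own code: resolve the PRNG from the two
// csrfguard.properties keys in the thread and fail fast if the JVM lacks them.
public class PrngConfigCheck {
    // Constructed sample: the IBM values Christy needed on WebSphere.
    static final String WEBSPHERE_PROPS =
        "org.owasp.csrfguard.PRNG=IBMSecureRandom\n" +
        "org.owasp.csrfguard.PRNG.Provider=IBMJCE\n";

    // Constructed sample: the SUN defaults the thread says are hard-coded in CsrfGuard.java.
    static final String SUN_DEFAULTS =
        "org.owasp.csrfguard.PRNG=SHA1PRNG\n" +
        "org.owasp.csrfguard.PRNG.Provider=SUN\n";

    /** Builds the configured SecureRandom; a missing provider throws here, not at first use. */
    static SecureRandom resolvePrng(Properties p)
            throws NoSuchAlgorithmException, NoSuchProviderException {
        String alg = p.getProperty("org.owasp.csrfguard.PRNG", "SHA1PRNG").trim();
        String prov = p.getProperty("org.owasp.csrfguard.PRNG.Provider", "SUN").trim();
        return SecureRandom.getInstance(alg, prov);
    }

    /** 32 random bytes, Base64-encoded: the shape of a per-session request token. */
    static String newToken(SecureRandom rng) {
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return Base64.getEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) throws Exception {
        for (String cfg : new String[] { SUN_DEFAULTS, WEBSPHERE_PROPS }) {
            Properties p = new Properties();
            p.load(new StringReader(cfg));
            try {
                SecureRandom rng = resolvePrng(p);
                System.out.println("OK   " + rng.getAlgorithm() + "/" + rng.getProvider().getName()
                    + "  sample token: " + newToken(rng));
            } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
                System.out.println("FAIL " + p.getProperty("org.owasp.csrfguard.PRNG") + "/"
                    + p.getProperty("org.owasp.csrfguard.PRNG.Provider") + ": " + e);
            }
        }
    }
}
```

Run it on the target application server's JDK: exactly one of the two configurations should print OK there, which is a quicker check than recompiling CsrfGuard.java and discovering the mismatch after deployment.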