[Owasp-csrfguard] CSRF Token not appearing in JSF form.

Arvind arvind.doraiswamy at gmail.com
Sat Jan 11 03:38:40 UTC 2014

I'm running the Java EE7 SDK on Glassfish and using Firefox latest version
on Ubuntu to test my sample application.

I downloaded CSRFGuard 3.0.0 from Git, built it and copied the JAR into the
Glassfish lib directory. Read all the documentation, configured web.xml and
the csrfguard properties file as directed.

Following that I built and ran the csrfguard-test application which seems
to append the CSRF tokens as configured to forms.

Now I decided to use this in my own application. I edited my application's
web.xml and properties file (exactly similar to the csrfguard-test
application) and restarted Glassfish. For whatever weird reason, the token
does not get appended to a very simple test form which is a POST (receives
a 302) and then a GET. No token anywhere.

Now I'm not sure why this is the case. I know that my environment is okay
as the test app is running, I know the properties file is being read as I
can see the properties show up in the Eclipse console.

Is there anything else apart from copying the JAR over and configuring the
web.xml and properties files that I need to do? Do note I also created a
script folder and copied csrfguard.js into it.

One last point of interest for you guys may be this. I deployed the
csrfguard-test app to Glassfish. Then I deployed my own app. Restarted
Glassfish and accessed the test app. Strangely ..it started picking up the
configuration of MY application..and not it's own properties file from the
WEBINF folder. I had to undeploy my application, for the test app to work
properly. Just thought it might be relevant.

All pointers are appreciated. I must be goofing somewhere..but where..I do
not know :)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-csrfguard/attachments/20140110/889a34f3/attachment.html>

More information about the Owasp-csrfguard mailing list