[Owasp-csrfguard] CSRFGUARD Implementation Configuration Issues...

Lilley Jr, William A wlilleyjr at chubb.com
Tue Jan 24 18:33:28 UTC 2017

Dear OWASP CSRFGuard Mailing List:

Be advised, after obtaining the latest version I could locate (3.1.0) of CSRFGuard from github, I discovered that the correction identified in https://github.com/aramrami/OWASP-CSRFGuard/issues/20 to resolve a ClassNotFoundException at startup was NOT part of the zip file, so I modified the following line in the org.owasp.csrfguard.CsrfGuard.retrieveNewConfig() method (and repackaged the executable JAR):
    String configurationProviderFactoryClassName = this.properties.getProperty(
            "org.owasp.csrfguard.configuration.provider.factory", PropertiesConfigurationProvider.class.getName());

    String configurationProviderFactoryClassName = this.properties.getProperty(
            "org.owasp.csrfguard.configuration.provider.factory", PropertiesConfigurationProviderFactory.class.getName());

However, I still ran into ClassLoader difficulties here in the next two lines in the same class/method:
    Class<ConfigurationProviderFactory> configurationProviderFactoryClass = CsrfGuardUtils.forName(configurationProviderFactoryClassName);

    ConfigurationProviderFactory configurationProviderFactory = CsrfGuardUtils.newInstance(configurationProviderFactoryClass);

To "quickly" get around this, I then modified these, removing the reflective instantiation:
    //Class<ConfigurationProviderFactory> configurationProviderFactoryClass = CsrfGuardUtils.forName(configurationProviderFactoryClassName);

    ConfigurationProviderFactory configurationProviderFactory = new PropertiesConfigurationProviderFactory(); //CsrfGuardUtils.newInstance(configurationProviderFactoryClass);

This in turn brought me to an issue in the org.owasp.csrfguard.config.PropertiesConfigurationProvider.PropertiesConfigurationProvider(Properties) method, whereby I received the "action class  has not yet been specified" exception. After some time spent in debugging this issue, I finally determined that the properties example provided here: https://www.owasp.org/index.php/CSRFGuard_3_Configuration and in the github zip file contains an error, specifically: org.owasp.csrfguard.action.class.Redirect = org.owasp.csrfguard.action.Redirect. After analyzing the code, the ONLY way I could get past this exception was by altering that property entry to: org.owasp.csrfguard.action.Redirect = org.owasp.csrfguard.action.Redirect (removing the .class node).

I am now past the point of initialization of the framework.

Is there a repository with later versions than 3.1.0, which, per the documentation, has been reworked and strengthened from 3.0?


William A. Lilley Jr.
Sr. Technical Analyst, Personal Risk Services IT

202 Halls Mill Road - Building A, White House Station, NJ 08889, USA
O 908-572-2644    M 908-797-5012
E willeyjr at chubb.com

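The message above touches two separate failure points: a factory class that the reflective `forName`/`newInstance` path cannot load, and action entries written under the `org.owasp.csrfguard.action.class.<Name>` key form instead of `org.owasp.csrfguard.action.<Name>`. The following is an illustrative check written for this page; it is not code from the original message or from the CSRFGuard project. `ProviderFactory` and `PropertiesProviderFactory` are hypothetical stand-ins for CSRFGuard's `ConfigurationProviderFactory` and `PropertiesConfigurationProviderFactory` so the example compiles without the library, and the two-loader lookup (thread context class loader first, then the application class loader) is one common way to resolve classes inside a servlet container, not a description of what `CsrfGuardUtils.forName` does. The type check before instantiation is the part worth keeping: a class name read from a properties file should never be able to instantiate an arbitrary class.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class CsrfGuardConfigCheck {

    // Key prefix under which, per the message, action classes must be declared
    // (org.owasp.csrfguard.action.<Name> = <fully qualified class name>).
    static final String ACTION_PREFIX = "org.owasp.csrfguard.action.";
    // Property named in the retrieveNewConfig() snippet quoted in the message.
    static final String FACTORY_KEY = "org.owasp.csrfguard.configuration.provider.factory";

    // Hypothetical stand-ins for CSRFGuard's ConfigurationProviderFactory and its
    // properties-backed implementation, so this example compiles on its own.
    public interface ProviderFactory { }
    public static class PropertiesProviderFactory implements ProviderFactory {
        public PropertiesProviderFactory() { }
    }

    /** Returns every action key written with the mistaken ".class." segment. */
    static List<String> findMisplacedActionKeys(Properties props) {
        List<String> bad = new ArrayList<>();
        for (String key : props.stringPropertyNames()) {
            if (key.startsWith(ACTION_PREFIX + "class.")) {
                bad.add(key);
            }
        }
        return bad;
    }

    /**
     * Resolves the factory class named by FACTORY_KEY. The thread context class loader
     * is tried first (what a servlet container normally expects), then this class's own
     * loader; the result is accepted only if it actually implements ProviderFactory.
     */
    static ProviderFactory loadFactory(Properties props) throws ReflectiveOperationException {
        String name = props.getProperty(FACTORY_KEY, PropertiesProviderFactory.class.getName());
        ClassLoader[] loaders = {
            Thread.currentThread().getContextClassLoader(),
            CsrfGuardConfigCheck.class.getClassLoader()
        };
        Class<?> raw = null;
        for (ClassLoader loader : loaders) {
            if (loader == null) {
                continue;
            }
            try {
                raw = Class.forName(name, true, loader);
                break;
            } catch (ClassNotFoundException e) {
                // not visible to this loader; try the next one
            }
        }
        if (raw == null) {
            throw new ClassNotFoundException(name + " not found via context or application class loader");
        }
        // A configuration value must not be able to instantiate an arbitrary class:
        // refuse anything that is not a factory before calling a constructor on it.
        if (!ProviderFactory.class.isAssignableFrom(raw)) {
            throw new IllegalArgumentException(name + " does not implement ProviderFactory");
        }
        return raw.asSubclass(ProviderFactory.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws IOException, ReflectiveOperationException {
        // Constructed sample: the documented (failing) key form next to the form that worked.
        String sample =
            ACTION_PREFIX + "class.Redirect=org.owasp.csrfguard.action.Redirect\n" +
            ACTION_PREFIX + "Redirect=org.owasp.csrfguard.action.Redirect\n";
        Properties props = new Properties();
        props.load(new StringReader(sample));

        String badPrefix = ACTION_PREFIX + "class.";
        for (String key : findMisplacedActionKeys(props)) {
            System.out.println("misplaced action key: " + key
                + " (expected " + ACTION_PREFIX + key.substring(badPrefix.length()) + ")");
        }

        // The sample sets no factory key, so the default factory is resolved and type-checked.
        ProviderFactory factory = loadFactory(props);
        System.out.println("loaded factory: " + factory.getClass().getName());
    }
}
```

Run with `javac CsrfGuardConfigCheck.java && java CsrfGuardConfigCheck`; the first loop flags the `...action.class.Redirect` key and prints the key form the message found to work, and `loadFactory` falls through to the default factory because the sample does not set `org.owasp.csrfguard.configuration.provider.factory`. Setting that property to a class that exists but does not implement the factory interface is rejected by the `isAssignableFrom` check rather than instantiated.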