[Owasp-germany] CSRF guard 3.0.0 implementation Successful with Tomcat but failing with Websphere Application Server 7.0.0.39

Singh, Jagmeet (EXTERN: FISS) Jagmeet.Singh-ext at man.eu
Wed Feb 10 09:00:54 UTC 2016


***Sending the mail chains attachment failed (Read from below to top) :

-----Original Message-----
From: owasp-germany-bounces at lists.owasp.org [mailto:owasp-germany-bounces at lists.owasp.org] On Behalf Of Singh, Jagmeet (EXTERN: FISS)
Sent: 10 February 2016 09:35
To: Owasp-germany at lists.owasp.org
Subject: [Owasp-germany] CSRF guard 3.0.0 implementation Successful with Tomcat but failing with Websphere Application Server 7.0.0.39

Hello OWASP Germany team members,

Greetings.
I am currently facing an issue with CSRF guard 3.0.0 implementation on Websphere Application Server 7.0.0.39.
I have already contacted OWASP site and was able to get a response from Azzeddine Ramrami.
The details of the problem are in the mail attached.
The problem is still unsolved.
Currently I am working in Munich, Germany.
I have websphere setup on my system.
I was just hoping if I can get some help to resolve my issue.
I would be very thankful if anyone can give me any pointers related to this based on past experience.


Thanks and Regards,
Jagmeet Singh Granthi
Group IT RCC -MAN FISS

Volkswagen Group India
Embassy Techzone, 9th Floor - 'B Wing', Congo Building
Rajiv Gandhi Infotech Park, Hinjewadi - Ph II, Pune-411 057

Mobile: (+91) 9923 141 141
Phone:  (+91) 20 3915 7174
www.volkswagen.co.in


Mail Chain :-

Hi Azzeddine 

Thank you for your time and quick responses.

On Feb 9, 2016, at 5:12 AM, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:
I will try to connect you with someone in a US company who implemented CSRFGuard with Websphere.
For this project we have only one Mailing List. I don't know the OWASP Germany mail list?
For support I don't deliver any support because we don't have the time and we don't have the budget to do it.
A lot of companies are using CSRFGuard in their products without supporting the project. So if you don't get a reply immediately, don't complain; you will get an answer from the community on a best-effort basis and volunteer availability.
Regards,
Azzeddine



On Tue, Feb 9, 2016 at 9:06 AM, Singh, Jagmeet (EXTERN: FISS) <Jagmeet.Singh-ext at man.eu> wrote:
Hi,
 
Greetings for the day.
First of all thanks so much for the reply.
I will use the latest version of CSRFGuard and try once.
 
I found mails on OWASP site about CSRFGuard implementation with Websphere tried before as well.
But I don't know whether it was implemented successfully or not.
Example :
http://lists.owasp.org/pipermail/owasp-csrfguard/2014-April/000300.html
It will be good if someone from some other company has implemented it earlier.
 
As I am currently working in Munich, Germany, can you please cc the OWASP Germany mail list?
I already tried subscribing to their list but it failed.
It will help me contact them and meet them as I have websphere setup on my laptop so that they can at least analyse the problem.
 
By the time if I get any success, I'll definitely share it with you guys.
 
Thanks again.
Have a nice day.
Regards,
Jagmeet Singh Granthi
 
From: Azzeddine Ramrami [mailto:azzeddine.ramrami at owasp.org] 
Sent: 08 February 2016 21:15
To: Singh, Jagmeet (EXTERN: FISS)
Cc: Claudia Casanovas; Sebastien Gioria
Subject: Re: FW: CSRF guard 3.0.0 implementation Successful with Tomcat but failing with Websphere Application Server 7.0.0.39
 
Just please use the last version of CSRFGuard; it is 3.1.0.
You can download it from the OWASP CSRFGuard website or from Maven Central.
Regards,
Azzeddine
 
On Mon, Feb 8, 2016 at 8:57 PM, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:
Hi,
As CSRFGuard Project leader it will be difficult to deliver any support about WebSphere CSRFGuard implementation for several reasons:
- We have no support service. All support is done by community via Github.
- We don't have a WS license to setup a PoC 
- We don't have a budget and resources to do that

Sorry for that.
I will ask someone from a company that already implemented CSRFGuard with WebSphere if they can help and give advice.
Azzeddine
 
On Mon, Feb 8, 2016 at 4:05 PM, Claudia Casanovas <claudia.aviles-casanovas at owasp.org> wrote:
Hi Jagmeet,
 
We will make the best efforts to get a response.  
 
Thank you
Claudia
 
On Mon, Feb 8, 2016 at 6:38 AM, Singh, Jagmeet (EXTERN: FISS) <Jagmeet.Singh-ext at man.eu> wrote:
Hey Claudia,
 
Thanks for forwarding my issue to Azzeddine.
I had mailed the whole team earlier but didn't get any response from them.
Maybe I didn't approach them the correct way.
Hope at least someone has faced this issue earlier so that I can get some pointers to resolve this.
Thanks a lot again for your help.
 
Regards,
Jagmeet Singh Granthi
 
From: Singh, Jagmeet (EXTERN: FISS) 
Sent: 04 February 2016 11:35
To: 'Sebastien Gioria'; 'azzeddine.ramrami at owasp.org'; 'ahamednafeez at gmail.com'; 'trent.schmidt at gmail.com'
Subject: RE: CSRF guard 3.0.0 implementation Successful with Tomcat but failing with Websphere Application Server 7.0.0.39
 
Hello Team,
 
While browsing on the OWASP forum, I found that the project leader had previously worked on this issue :-
 
http://lists.owasp.org/pipermail/owasp-csrfguard/2014-April/000300.html
 
 
Can anyone please ask him to reply to my mail at least.
I don't think he has even seen this.
I am trying hard but I cannot get a solution to this.
 
Still stuck with no JCEProvider issue :-
 
SEVERE: Exception sending context initialized event to listener instance of class org.owasp.csrfguard.CsrfGuardServletContextListener
java.lang.RuntimeException: java.security.NoSuchProviderException: no such provider: IBMJCE
 
Regards,
Jagmeet Singh Granthi
 
From: Singh, Jagmeet (EXTERN: FISS) 
Sent: 03 February 2016 12:32
To: 'Sebastien Gioria'; azzeddine.ramrami at owasp.org; ahamednafeez at gmail.com; trent.schmidt at gmail.com
Subject: RE: CSRF guard 3.0.0 implementation Successful with Tomcat but failing with Websphere Application Server 7.0.0.39
 
Hi,
 
I have been trying hard for a week.
Up till now I don't have any solutions to this.
Anyways, in case anyone of you or your other team members have any pointers please let me know.
In case I find a solution I'll be glad to contribute to your project as well.
Thanks for the reply.
 
Regards,
Jagmeet Singh Granthi
 
From: Sebastien Gioria [mailto:sebastien.gioria at owasp.org] 
Sent: 03 February 2016 12:12
To: azzeddine.ramrami at owasp.org; ahamednafeez at gmail.com; Singh, Jagmeet (EXTERN: FISS); trent.schmidt at gmail.com
Subject: RE: CSRF guard 3.0.0 implementation Successful with Tomcat but failing with Websphere Application Server 7.0.0.39
 
I'm sorry, but I could not help you as I don't have access to any websphere to reproduce
--
Sébastien Gioria +33(0)6 70 59 11 44
https://www.linkedin.com/in/gioria - https://twitter.com/Spoint
Expert judiciaire informatique près la Cour d'Appel de Poitiers 
OWASP French Leader
 
 
On Wed, Feb 3, 2016 at 2:31 AM -0800, "Singh, Jagmeet (EXTERN: FISS)" <Jagmeet.Singh-ext at man.eu> wrote:
Hi team,
 
Please help me on the below matter. I am really stuck and don't have any more workarounds to solve this issue with Websphere.
 
Regards,
Jagmeet Singh Granthi
 
From: Singh, Jagmeet (EXTERN: FISS) 
Sent: 02 February 2016 12:58
To: 'azzeddine.ramrami at owasp.org'; 'sebastien.gioria at owasp.org'
Subject: CSRF guard 3.0.0 implementation Successful with Tomcat but failing with Websphere Application Server 7.0.0.39
 
Hello CSRFGuard team members,
 
Greetings for the day.
I am currently working with CSRFGuard as a security implementation for one of the applications.
When I installed CSRFGuard 3.0.0 using Tomcat as a server it worked perfectly fine.
However, when I tried using Websphere Application Server 7.0.0.39, it initially threw a null pointer exception (Attached file NullPointerSessionIssue)
Later I searched on the internet if anyone faced such issue earlier, I found that the following properties were required while using Websphere :-
 
From: org.owasp.csrfguard.PRNG=SHA1PRNG
> To: org.owasp.csrfguard.PRNG=IBMSecureRandom
> ---
> From: org.owasp.csrfguard.PRNG.Provider=SUN
> To: org.owasp.csrfguard.PRNG.Provider=IBMJCE
 
Configured these and tried again. But I never changed any content of csrfguard-3.0.0.jar.
But it threw a runtime exception again. (Attached file JCEProviderIssue).
 
I have already spent some time trying to get the correct configuration. It would be very kind of you if you can help me out here.
Please let me know the complete configuration required in the CSRF properties file, csrfguard.js and/or also on the Websphere server (if any).
If you have a document or any work around related to this issue, it would prove very helpful.
 
P.S :-
I have already referred to many links on the internet; two of them are mentioned below:-
 
http://lists.owasp.org/pipermail/owasp-csrfguard/2013-March/000193.html
 
http://lists.owasp.org/pipermail/owasp-csrfguard/2014-January/000272.html
 
 
Thanks and Regards,
Jagmeet Singh Granthi
Group IT RCC -MAN FISS
 
Volkswagen Group India
Embassy Techzone, 9th Floor - 'B Wing', Congo Building
Rajiv Gandhi Infotech Park, Hinjewadi - Ph II, Pune-411 057
 
Mobile: (+91) 9923 141 141
Phone:  (+91) 20 3915 7174
www.volkswagen.co.in
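
Added example, not part of the original thread and not CSRFGuard project code: a stand-alone check of which JCE providers and SecureRandom algorithms a JVM actually registers, using the two PRNG/provider pairs quoted in the message. It assumes the two properties are resolved through the standard `SecureRandom.getInstance(algorithm, provider)` lookup, which is the JCA call that raises `NoSuchProviderException`; the class name `PrngProviderCheck` is hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

public class PrngProviderCheck {

    // Assumed lookup for the two properties: algorithm name plus JCE provider name.
    static String probe(String algorithm, String provider) {
        try {
            SecureRandom rng = SecureRandom.getInstance(algorithm, provider);
            byte[] sample = new byte[16];
            rng.nextBytes(sample); // force seeding so a broken implementation fails here
            return "OK (" + rng.getProvider().getName() + ")";
        } catch (NoSuchProviderException e) {
            return "provider not registered in this JVM: " + e.getMessage();
        } catch (NoSuchAlgorithmException e) {
            return "provider present, algorithm missing: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Every registered provider and the SecureRandom algorithms it offers.
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    System.out.println(p.getName() + " -> " + s.getAlgorithm());
                }
            }
        }

        // The two pairs quoted in the thread (Tomcat/Sun values, then WebSphere/IBM values).
        String[][] pairs = { {"SHA1PRNG", "SUN"}, {"IBMSecureRandom", "IBMJCE"} };
        for (String[] pair : pairs) {
            System.out.println(pair[0] + "/" + pair[1] + ": " + probe(pair[0], pair[1]));
        }
    }
}
```

Run it with the same JRE and `java.security` configuration the application server uses. The provider and algorithm names it prints are the values that JVM will accept for `org.owasp.csrfguard.PRNG.Provider` and `org.owasp.csrfguard.PRNG`.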
 



