Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/04/05 09:30:05 UTC

[ofbiz-framework] 03/03: Implemented: POC for CSRF Token (OFBIZ-11306)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit ba707d45be6b2db77649a5e7695c089c36a0e8c5
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sun Apr 5 10:48:55 2020 +0200

    Implemented: POC for CSRF Token
    (OFBIZ-11306)
    
    The simple strategy is to rely on the SameSite 'strict' value set by SameSiteFilter in all
    supported branches. No backport is needed beyond the changes here.
    
    Thanks: James for all the good work we did together :)
---
 framework/security/config/security.properties                    | 9 ++++++---
 .../src/main/java/org/apache/ofbiz/security/CsrfUtil.java        | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index d71f7db..5e195a3 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -156,7 +156,8 @@ security.token.key=security.token.key
 # -- no spaces after commas,no wildcard, can be extended of course...
 host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
 
-# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed  
+# -- By default the SameSite value in SameSiteFilter is 'strict'. This property allows to change to 'lax' if needed
+# -- If you use 'lax' we recommend that you set org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see below)
 SameSiteCookieAttribute=
 
 # -- The cache size for the Tokens Maps that stores the CSRF tokens. 
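Review bot: The new comment on the `SameSiteCookieAttribute` line only "recommends" switching to `CsrfDefenseStrategy` when the value is 'lax', but with 'lax' browsers still attach cookies to top-level cross-site GET navigations, so any state-changing GET request is exposed unless a token check is active; the wording should make the token strategy a requirement rather than a suggestion. I would add `# -- With 'lax' browsers still send cookies on top-level cross-site GET navigations, so set csrf.defense.strategy to` followed by `# -- org.apache.ofbiz.security.CsrfDefenseStrategy whenever this is not 'strict'.` The accepted values of the property (only 'strict' and 'lax' are mentioned; whether 'none' is honoured by SameSiteFilter is not visible here) would also be worth stating on this line.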
@@ -174,6 +175,8 @@ csrf.tokenName.nonAjax=
 # -- Default is 3
 csrf.entity.request.limit=
 
-# csrf defense strategy. Default is org.apache.ofbiz.security.CsrfDefenseStrategy if not specified.
-# use org.apache.ofbiz.security.NoCsrfDefenseStrategy to disable CSRF check totally.
+# -- CSRF defense strategy. 
+# -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies,
+# -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified.
+# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy if you want to use a 'lax' for SameSiteCookieAttribute
 csrf.defense.strategy=
\ No newline at end of file
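Review bot: The new default of `NoCsrfDefenseStrategy` is justified solely by the SameSite=strict attribute, but SameSite is enforced by the client, not the server: browsers that do not implement it, non-browser clients, and any request path where SameSiteFilter is not applied receive no CSRF protection at all once this default takes effect, and the comment does not say so. I would add `# -- NOTE: SameSite is enforced by the browser, not by OFBiz; clients that ignore it and requests not passing through SameSiteFilter are unprotected under NoCsrfDefenseStrategy.` and `# -- Keep org.apache.ofbiz.security.CsrfDefenseStrategy when such clients must be supported or a token-based defense is required.` Minor wording on the last added comment: `# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy if you set SameSiteCookieAttribute to 'lax'` (drop the stray "a"). The file still ends without a trailing newline.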
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
index 9d400b8..fa31219 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
@@ -61,7 +61,7 @@ public class CsrfUtil {
 
     static {
         try {
-            String className = UtilProperties.getPropertyValue("security", "csrf.defense.strategy", CsrfDefenseStrategy.class.getCanonicalName());
+            String className = UtilProperties.getPropertyValue("security", "csrf.defense.strategy", NoCsrfDefenseStrategy.class.getCanonicalName());
             Class<?> c = Class.forName(className);
             strategy = (ICsrfDefenseStrategy)c.newInstance();
         } catch (Exception e){
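Review bot: Hard-coding `NoCsrfDefenseStrategy` as the fallback on the changed `getPropertyValue` line means a deployment that sets `SameSiteCookieAttribute=lax` but forgets `csrf.defense.strategy` silently runs with no CSRF defense; since the same "security" properties file holds both keys, the default could be derived from the SameSite setting instead of relying on the comment in security.properties. I would read `SameSiteCookieAttribute` here and fall back to `CsrfDefenseStrategy` unless it is empty or 'strict' (the comment says empty means strict; I have not verified what `getPropertyValue` returns for an empty key, so the emptiness check is a guess to confirm). While touching this line, `c.newInstance()` is deprecated since Java 9 and hides checked exceptions from the constructor; `c.getDeclaredConstructor().newInstance()` is the usual replacement if the build targets 9+. The static initializer's catch block continues outside the hunk.
```java
    static {
        try {
            // Fall back to token checks unless cookies really are marked SameSite=strict
            String sameSite = UtilProperties.getPropertyValue("security", "SameSiteCookieAttribute", "strict");
            boolean strictSameSite = sameSite.trim().isEmpty() || "strict".equalsIgnoreCase(sameSite.trim());
            String defaultStrategy = strictSameSite
                    ? NoCsrfDefenseStrategy.class.getCanonicalName()
                    : CsrfDefenseStrategy.class.getCanonicalName();
            String className = UtilProperties.getPropertyValue("security", "csrf.defense.strategy", defaultStrategy);
            Class<?> c = Class.forName(className);
            strategy = (ICsrfDefenseStrategy) c.getDeclaredConstructor().newInstance();
            // … unchanged: catch block …
```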