Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/04/05 09:30:05 UTC
[ofbiz-framework] 03/03: Implemented: POC for CSRF Token
(OFBIZ-11306)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit ba707d45be6b2db77649a5e7695c089c36a0e8c5
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sun Apr 5 10:48:55 2020 +0200
Implemented: POC for CSRF Token
(OFBIZ-11306)
Simple strategy is to rely on SameSite 'strict' value in SameSiteFilter in all
supported branches. No backport needed with the changes here.
Thanks: James for all the good work we did together :)
---
framework/security/config/security.properties | 9 ++++++---
.../src/main/java/org/apache/ofbiz/security/CsrfUtil.java | 2 +-
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index d71f7db..5e195a3 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -156,7 +156,8 @@ security.token.key=security.token.key
# -- no spaces after commas,no wildcard, can be extended of course...
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
-# -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
+# -- By default the SameSite value in SameSiteFilter is 'strict'. This property allows to change to 'lax' if needed
+# -- If you use 'lax' we recommend that you set org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see below)
SameSiteCookieAttribute=
# -- The cache size for the Tokens Maps that stores the CSRF tokens.
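Review bot: The new comment on the `+` line recommending CsrfDefenseStrategy when SameSite is switched to 'lax' is advice only; nothing in this hunk or in the `csrf.defense.strategy` hunk below (lines 37–41) ties the two properties together, so an operator who sets `SameSiteCookieAttribute=lax` and leaves `csrf.defense.strategy` empty ends up with the new NoCsrfDefenseStrategy default and no token check, with no startup warning. Since the whole safety argument of this commit rests on the two settings being consistent, the comment should say that plainly rather than as a recommendation, e.g. `# -- WARNING: with 'lax' and the default csrf.defense.strategy (NoCsrfDefenseStrategy) no CSRF check is performed at all`. Hunk header counts (7 old lines, 5 shown) suggest some context lines were dropped in the mail rendering, so the hunk may be incomplete here.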
@@ -174,6 +175,8 @@ csrf.tokenName.nonAjax=
# -- Default is 3
csrf.entity.request.limit=
-# csrf defense strategy. Default is org.apache.ofbiz.security.CsrfDefenseStrategy if not specified.
-# use org.apache.ofbiz.security.NoCsrfDefenseStrategy to disable CSRF check totally.
+# -- CSRF defense strategy.
+# -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies,
+# -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified.
+# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy if you want to use a 'lax' for SameSiteCookieAttribute
csrf.defense.strategy=
\ No newline at end of file
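Review bot: The rationale on the three new comment lines ("because OFBiz OOTB also sets SameSite to 'strict' … default is NoCsrfDefenseStrategy") presents a browser-enforced attribute as if it were a server-side control; the server never sees whether a client honoured SameSite, so a user agent that ignores the attribute, or a request from another origin on the same registrable site, reaches the handler with no check when the default applies. The comment should record that limitation so the trade-off is visible to whoever reads the file, e.g. `# -- NOTE: SameSite is enforced by the browser only; with NoCsrfDefenseStrategy, clients that ignore the attribute are not protected`. The last comment line also reads oddly ("use a 'lax' for") and would be clearer as `# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy if you set SameSiteCookieAttribute to 'lax'`. The `\ No newline at end of file` marker is cosmetic but worth fixing while the file is touched.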
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
index 9d400b8..fa31219 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/CsrfUtil.java
@@ -61,7 +61,7 @@ public class CsrfUtil {
static {
try {
- String className = UtilProperties.getPropertyValue("security", "csrf.defense.strategy", CsrfDefenseStrategy.class.getCanonicalName());
+ String className = UtilProperties.getPropertyValue("security", "csrf.defense.strategy", NoCsrfDefenseStrategy.class.getCanonicalName());
Class<?> c = Class.forName(className);
strategy = (ICsrfDefenseStrategy)c.newInstance();
} catch (Exception e){
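Review bot: With the default flipped to NoCsrfDefenseStrategy on the `+` line, the effective CSRF defence is now decided by a property string resolved through `Class.forName` with no confirmation in the log, so an operator cannot tell from startup output whether token checking is active; consider logging the resolved strategy class name right after the `Class.forName` call, and a warning when the result is NoCsrfDefenseStrategy while `SameSiteCookieAttribute` (read via the same `UtilProperties.getPropertyValue` helper) is set to something other than strict. A misspelled class name lands in `catch (Exception e)`, whose body lies outside the hunk; if that branch leaves `strategy` unset or falls back to the new default, a typo silently disables the check, so that path is worth re-reading in light of the changed default. Separately, `c.newInstance()` has been deprecated since Java 9; `strategy = (ICsrfDefenseStrategy) c.getDeclaredConstructor().newInstance();` is the replacement and no longer propagates checked exceptions from the constructor unchecked. The static initializer begins at the `static {` line of the hunk but its catch block continues past the hunk's end.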