Posted to dev@shiro.apache.org by Peter Ledbrook <pe...@cacoethes.co.uk> on 2009/01/23 12:54:41 UTC

Re: JSecurity and CSRF

> Yep, just read that.  If that is the case, this is an incredibly easy
> fix for non-ajax situations:
>
> 1.  Create a <jsec:sessionId/> tag that prints out a hidden field:
> <input type="hidden" name="JSESSIONID"
> value="runtime_session_id_value"/>
> 2.  Create a Filter implementation that checks the following:
>
> Is there a 'JSESSIONID' parameter in the current request?
> - Yes: does it match a previously set Cookie named JSESSIONID?
>    - Yes: request is valid, let it through
>    - No: potential CSRF attack, show access denied view
> - No: no JSESSIONID parameter - let the request through as normal.
>
> 3.  Add this to the jsecurity [urls] definition:
> /** = antiCsrf

Has this been implemented? I'm contemplating adding CSRF protection in
the Grails plugin via a <jsec:form/> tag, but if it's in JSecurity
core, I'll go with that.

Cheers,

Peter

PS I won't be adding anything for a month or two yet :) I'm just
reading up on OWASP and CWE for my security chapter.
PPS Graeme/Jeff cover JSecurity in the Definitive Guide to Grails 2nd edition

Re: JSecurity and CSRF

Posted by Peter Ledbrook <pe...@cacoethes.co.uk>.
> Nope it hasn't been implemented - it got lost through the cracks because we
> didn't create an issue for it.  Could you please add one to Jira?  This
> would be useful!  It should be in JSecurity core for sure, and we can make
> sure it gets into 1.0

https://issues.apache.org/jira/browse/JSEC-48

> Would you be able to help implement this in conjunction with your Grails
> effort?  If not, feel free to outline what you need in the issue so we can
> use that to help direct us how to go about the implementation.

Not yet, no. The plugin won't be receiving much love for another month
probably. Book is going for final review next week, and then we have a
few more weeks of manic corrections and adding stuff, while also
trying to get the chapters into production. Fun :)

Cheers,

Peter

Re: JSecurity and CSRF

Posted by Les Hazlewood <lh...@apache.org>.
Hi Peter,

Nope it hasn't been implemented - it got lost through the cracks because we
didn't create an issue for it.  Could you please add one to Jira?  This
would be useful!  It should be in JSecurity core for sure, and we can make
sure it gets into 1.0

Would you be able to help implement this in conjunction with your Grails
effort?  If not, feel free to outline what you need in the issue so we can
use that to help direct us how to go about the implementation.

Cheers,

Les

On Fri, Jan 23, 2009 at 6:54 AM, Peter Ledbrook <pe...@cacoethes.co.uk> wrote:

> > Yep, just read that.  If that is the case, this is an incredibly easy
> > fix for non-ajax situations:
> >
> > 1.  Create a <jsec:sessionId/> tag that prints out a hidden field:
> > <input type="hidden" name="JSESSIONID"
> > value="runtime_session_id_value"/>
> > 2.  Create a Filter implementation that checks the following:
> >
> > Is there a 'JSESSIONID' parameter in the current request?
> > - Yes: does it match a previously set Cookie named JSESSIONID?
> >    - Yes: request is valid, let it through
> >    - No: potential CSRF attack, show access denied view
> > - No: no JSESSIONID parameter - let the request through as normal.
> >
> > 3.  Add this to the jsecurity [urls] definition:
> > /** = antiCsrf
>
> Has this been implemented? I'm contemplating adding CSRF protection in
> the Grails plugin via a <jsec:form/> tag, but if it's in JSecurity
> core, I'll go with that.
>
> Cheers,
>
> Peter
>
> PS I won't be adding anything for a month or two yet :) I'm just
> reading up on OWASP and CWE for my security chapter.
> PPS Graeme/Jeff cover JSecurity in the Definitive Guide to Grails 2nd
> edition
>
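
The following is an added example, not code from this thread, from JSecurity or from the Grails plugin. It models the three-step proposal quoted in both Peter's first message and Les's reply above: a hidden JSESSIONID form field compared by a filter against the JSESSIONID cookie. The Request class, the method names asProposed, hardened and tokensMatch, and the sample session-id value are all assumptions made for illustration; a real implementation would read the two values from HttpServletRequest.getParameter("JSESSIONID") and HttpServletRequest.getCookies() inside a javax.servlet.Filter. Two points a practitioner would want beside the proposal as written: first, the branch "no JSESSIONID parameter - let the request through as normal" means a cross-site form that simply omits the hidden field is never checked, so the hardened variant requires the field on state-changing methods; second, reusing the session identifier as the anti-CSRF token puts into the HTML a value the HttpOnly cookie attribute otherwise keeps out of reach of script, which is why a separate random per-session token is the usual recommendation. The example keeps the thread's JSESSIONID design to stay close to the text.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

/**
 * Illustration of the anti-CSRF filter sketched in the thread.
 * Request is a constructed stand-in for the parts of HttpServletRequest
 * the check needs (an assumption, not JSecurity's API).
 * Java 11+, run with:  java AntiCsrfCheck.java
 */
public final class AntiCsrfCheck {

    public enum Decision { ALLOW, DENY }

    /** Methods that may change server state and so must prove the request came from our own page. */
    private static final Set<String> STATE_CHANGING = Set.of("POST", "PUT", "DELETE", "PATCH");

    /** Constructed stand-in for an HttpServletRequest: method, cookies, form parameters. */
    public static final class Request {
        final String method;
        final Map<String, String> cookies;
        final Map<String, String> params;

        public Request(String method, Map<String, String> cookies, Map<String, String> params) {
            this.method = method;
            this.cookies = cookies;
            this.params = params;
        }
    }

    /**
     * The decision tree exactly as proposed: a JSESSIONID parameter, if present,
     * must match the JSESSIONID cookie; a request with no parameter is let through.
     */
    public static Decision asProposed(Request req) {
        String param = req.params.get("JSESSIONID");
        if (param == null) {
            return Decision.ALLOW;   // "no JSESSIONID parameter - let the request through as normal"
        }
        return tokensMatch(param, req.cookies.get("JSESSIONID")) ? Decision.ALLOW : Decision.DENY;
    }

    /**
     * Hardened variant: for state-changing methods the hidden field is mandatory.
     * A cross-site form that omits the field (the attacker cannot read the victim's
     * cookie, so omitting it is the obvious move) is denied instead of passed through.
     * Safe methods are left alone, as they should not change state.
     */
    public static Decision hardened(Request req) {
        if (!STATE_CHANGING.contains(req.method)) {
            return Decision.ALLOW;
        }
        String param = req.params.get("JSESSIONID");
        String cookie = req.cookies.get("JSESSIONID");
        if (param == null || cookie == null) {
            return Decision.DENY;
        }
        return tokensMatch(param, cookie) ? Decision.ALLOW : Decision.DENY;
    }

    /** Constant-time for equal-length inputs (leaks only the length), so a mismatch cannot be located byte by byte via timing. */
    static boolean tokensMatch(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample requests; the session-id value is made up.
        Map<String, String> cookies = Map.of("JSESSIONID", "A1B2C3D4");
        Request legit       = new Request("POST", cookies, Map.of("JSESSIONID", "A1B2C3D4", "amount", "10"));
        Request forgedOmit  = new Request("POST", cookies, Map.of("amount", "10"));
        Request forgedGuess = new Request("POST", cookies, Map.of("JSESSIONID", "XXXX", "amount", "10"));
        Request safeGet     = new Request("GET", cookies, Map.of());

        report("legitimate POST with hidden field", legit);
        report("forged POST, hidden field omitted", forgedOmit);
        report("forged POST, wrong token", forgedGuess);
        report("plain GET", safeGet);
    }

    private static void report(String label, Request req) {
        System.out.printf("%-36s proposed=%-5s hardened=%s%n", label, asProposed(req), hardened(req));
    }
}
```

The interesting row is the forged POST with the hidden field omitted: the proposal as quoted allows it, the hardened variant denies it. Mapping this onto the thread's step 3 ("/** = antiCsrf") is straightforward, since the filter only ever acts on state-changing methods and leaves GET navigation untouched.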