Posted to notifications@ofbiz.apache.org by "James Yong (Jira)" <ji...@apache.org> on 2019/12/08 07:50:00 UTC

[jira] [Created] (OFBIZ-11306) POC for CSRF Token

James Yong created OFBIZ-11306:
----------------------------------

             Summary: POC for CSRF Token
                 Key: OFBIZ-11306
                 URL: https://issues.apache.org/jira/browse/OFBIZ-11306
             Project: OFBiz
          Issue Type: Improvement
          Components: ALL APPLICATIONS
    Affects Versions: Upcoming Branch
            Reporter: James Yong
            Assignee: James Yong
             Fix For: Upcoming Branch


CSRF tokens are generated using the CSRF Guard library and used in:
1) Widget forms, where a hidden token field is auto-generated.
2) FTL forms, where a <@csrfTokenField> macro is used to generate the CSRF token field.
3) Ajax calls, where a <@csrfTokenAjax> macro is used to assign the CSRF token to X-CSRF-Token in the request header.

CSRF tokens are stored in the user session, and verified during POST requests.

A new attribute, i.e. csrf-token, is added to the security tag to exempt a request from the CSRF token check.

Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
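The synchronizer-token design the ticket outlines (a per-session token, emitted as a hidden form field or as an X-CSRF-Token header, verified on POST, with a per-request-path exemption list) as an added, self-contained example. This is illustrative code written for this page, not OFBiz's implementation nor the CSRF Guard library; the attribute name, field name, exempt set and the dict-based session and request objects are assumptions constructed here.

```python
"""Synchronizer-token CSRF check in the shape the ticket describes.

Added example, not OFBiz or CSRF Guard code. The session attribute name,
hidden-field name and exemption set are assumptions; Request and the
session dict stand in for a servlet container's objects.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from html import escape

TOKEN_ATTR = "_CSRF_TOKEN_"   # assumed session attribute holding the token
HEADER_NAME = "X-CSRF-Token"  # header name used by the Ajax macro in the ticket
FIELD_NAME = "csrfToken"      # assumed name of the hidden form field
# Request paths whose handler opts out of the check (the ticket's csrf-token
# attribute); LookupPartyName is the example the ticket gives.
EXEMPT_PATHS = {"LookupPartyName"}


def get_or_create_token(session: dict) -> str:
    """Return the session's token, generating a random one on first use.

    One token per session, so every form and Ajax call in that session
    carries the same value and the server needs only one comparison."""
    token = session.get(TOKEN_ATTR)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[TOKEN_ATTR] = token
    return token


def csrf_token_field(session: dict) -> str:
    """What a <@csrfTokenField>-style macro would emit into an HTML form."""
    value = escape(get_or_create_token(session), quote=True)
    return '<input type="hidden" name="%s" value="%s"/>' % (FIELD_NAME, value)


def csrf_token_ajax_headers(session: dict) -> dict:
    """What a <@csrfTokenAjax>-style macro would add to an XHR/fetch call."""
    return {HEADER_NAME: get_or_create_token(session)}


@dataclass
class Request:
    """Constructed stand-in for an HTTP request bound to a session."""
    method: str
    path: str
    session: dict
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _header(req: Request, name: str):
    """Case-insensitive header lookup, as HTTP header names are."""
    wanted = name.lower()
    for key, value in req.headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_csrf(req: Request) -> bool:
    """Accept a request when it is not a POST, its path is exempt, or the
    token in the hidden field or the header matches the session's token."""
    if req.method.upper() != "POST":
        return True                      # only state-changing requests are checked
    if req.path in EXEMPT_PATHS:
        return True                      # explicitly exempted request path
    expected = req.session.get(TOKEN_ATTR)
    if not expected:
        return False                     # no token was ever issued to this session
    supplied = req.params.get(FIELD_NAME) or _header(req, HEADER_NAME)
    if not supplied:
        return False                     # POST without any token: reject
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, supplied)
```

A token minted in one session is rejected in another, and a POST to a non-exempt path with no token at all is rejected even when the session holds a token; a GET passes untouched, which is why state-changing actions must not be reachable via GET.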