Posted to notifications@ofbiz.apache.org by "James Yong (Jira)" <ji...@apache.org> on 2019/12/08 07:50:00 UTC
[jira] [Created] (OFBIZ-11306) POC for CSRF Token
James Yong created OFBIZ-11306:
----------------------------------
Summary: POC for CSRF Token
Key: OFBIZ-11306
URL: https://issues.apache.org/jira/browse/OFBIZ-11306
Project: OFBiz
Issue Type: Improvement
Components: ALL APPLICATIONS
Affects Versions: Upcoming Branch
Reporter: James Yong
Assignee: James Yong
Fix For: Upcoming Branch
CSRF tokens are generated using the CSRF Guard library and used in:
1) Widget forms, where a hidden token field is auto-generated.
2) FTL forms, where a <@csrfTokenField> macro is used to generate the CSRF token field.
3) Ajax calls, where a <@csrfTokenAjax> macro is used to assign the CSRF token to the X-CSRF-Token request header.
CSRF tokens are stored in the user session and verified during POST requests.
A new attribute, i.e. csrf-token, is added to the security tag to exempt a request from the CSRF token check.
Certain request paths, like LookupPartyName, can be exempted from the CSRF token check during Ajax POST calls.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)