You are viewing a plain text version of this content. The canonical link for it is here.
Posted to pluto-dev@portals.apache.org by "Neil Griffin (JIRA)" <ji...@apache.org> on 2019/04/04 15:43:00 UTC
[jira] [Updated] (PLUTO-768) Introduce CSRF protection for the
ACTION_PHASE via Spring Security
[ https://issues.apache.org/jira/browse/PLUTO-768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Neil Griffin updated PLUTO-768:
-------------------------------
Description:
This feature will add Cross-Site Request Forgery [CSRF|https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)] protection for the {{ACTION_PHASE}} of the portlet lifecycle via Spring Security.
Specifically, it will ensure that the Spring Security {{_csrf}} parameter is added to every {{javax.portlet.ActionURL}} generated by Pluto's portlet container. It will also utilize the "springSecurityFilterChain" in order to verify that the value of the {{_csrf}} parameter is the correct value before invoking the {{ACTION_PHASE}} of the portlet lifecycle.
This feature does *not* secure any other phases of the portlet lifecycle (such as the {{RESOURCE_PHASE}}). It is important to note that if a portlet developer uses an XmlHttpRequest (XHR) to submit a form via HTTP POST with a {{javax.portlet.ResourceURL}}, then it is still incumbent upon the portlet developer to leverage some kind of CSRF protection.
was:
This feature will add Cross-Site Request Forgery [CSRF|https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)] protection for the {{ACTION_PHASE}} of the portlet lifecycle via Spring Security.
Specifically, it will ensure that the Spring Security {{_csrf}} parameter is added to every {{javax.portlet.ActionURL}} generated by Pluto's portlet container. It will also utilize the "springSecurityFilterChain" in order to verify that the value of the {{_csrf}} parameter is the correct value before invoking the {{ACTION_PHASE}} of the portlet lifecycle.
This feature does *not* secure any other phases of the portlet lifecycle (such as the {{RESOURCE_PHASE}}. It is important to note that if a portlet developer uses an XmlHttpRequest (XHR) to submit a form via HTTP POST with a {{javax.portlet.ResourceURL}}, then it is still incumbent upon the portlet developer to leverage some kind of CSRF protection.
> Introduce CSRF protection for the ACTION_PHASE via Spring Security
> ------------------------------------------------------------------
>
> Key: PLUTO-768
> URL: https://issues.apache.org/jira/browse/PLUTO-768
> Project: Pluto
> Issue Type: New Feature
> Components: portal driver, portlet container
> Reporter: Neil Griffin
> Assignee: Neil Griffin
> Priority: Major
> Fix For: 3.0.2
>
>
> This feature will add Cross-Site Request Forgery [CSRF|https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)] protection for the {{ACTION_PHASE}} of the portlet lifecycle via Spring Security.
> Specifically, it will ensure that the Spring Security {{_csrf}} parameter is added to every {{javax.portlet.ActionURL}} generated by Pluto's portlet container. It will also utilize the "springSecurityFilterChain" in order to verify that the value of the {{_csrf}} parameter is the correct value before invoking the {{ACTION_PHASE}} of the portlet lifecycle.
> This feature does *not* secure any other phases of the portlet lifecycle (such as the {{RESOURCE_PHASE}}). It is important to note that if a portlet developer uses an XmlHttpRequest (XHR) to submit a form via HTTP POST with a {{javax.portlet.ResourceURL}}, then it is still incumbent upon the portlet developer to leverage some kind of CSRF protection.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)