Posted to commits@archiva.apache.org by br...@apache.org on 2010/12/15 04:58:25 UTC

svn commit: r1049409 - in /archiva/branches/archiva-1.3.x: archiva-docs/src/site/apt/adminguide/customising-security.apt archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml

Author: brett
Date: Wed Dec 15 03:58:25 2010
New Revision: 1049409

URL: http://svn.apache.org/viewvc?rev=1049409&view=rev
Log:
[MRM-1445] disable referrer check by default

Modified:
    archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt
    archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml

Modified: archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt?rev=1049409&r1=1049408&r2=1049409&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt (original)
+++ archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt Wed Dec 15 03:58:25 2010
@@ -48,3 +48,19 @@ security.policy.password.rule.nowhitespa
  can be found in:
  <<<apps/archiva/WEB-INF/classes/META-INF/plexus/application.xml>>>
 
+* Additional CSRF Prevention
+
+  To help prevent cross-site request forgery, it is possible to enable a basic check that the referrer is the current
+  site.
+
+  <Note:> This is only a generic solution that may prevent some types of attacks but not others. It may cause problems
+  with certain user agents. By default, the check is off.
+
+  To enable the check, change the following configuration value in the <<<struts.xml>>> file in the <<<WEB-INF/classes>>>
+  directory of the web application (2 locations):
+
+----
+<interceptor-ref name="redbackSecureActions">
+  <param name="enableReferrerCheck">false</param>
+</interceptor-ref>
+----
\ No newline at end of file

Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml?rev=1049409&r1=1049408&r2=1049409&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml Wed Dec 15 03:58:25 2010
@@ -42,7 +42,7 @@
           <param name="blocked">externalResult</param>
         </interceptor-ref>
         <interceptor-ref name="redbackSecureActions">
-          <param name="enableReferrerCheck">true</param>
+          <param name="enableReferrerCheck">false</param>
         </interceptor-ref>
         <interceptor-ref name="redbackPolicyEnforcement"/>
         <interceptor-ref name="configuration"/>
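Review bot: Flipping `enableReferrerCheck` to `false` here removes the only CSRF control visible in this interceptor stack, and the hunk adds no replacement, so the state-changing actions routed through this stack appear to be left without any CSRF defence unless one exists outside the diff. If the referrer check is being turned off because some user agents strip or omit `Referer`, the safer move is a synchronizer token (Struts 2's `token` interceptor or an equivalent) rather than no check at all; at minimum the trade-off should be recorded next to the setting. Suggested comment above the param: `<!-- Referrer-based CSRF check, off by default (MRM-1445): some user agents omit Referer. Set to true to enable; see adminguide/customising-security. -->`.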
@@ -60,7 +60,7 @@
         <interceptor-ref name="defaultStack"/>
         <interceptor-ref name="redbackPolicyEnforcement"/>
         <interceptor-ref name="redbackSecureActions">
-          <param name="enableReferrerCheck">true</param>
+          <param name="enableReferrerCheck">false</param>
         </interceptor-ref>
         <interceptor-ref name="validation">
           <param name="excludeMethods">input,back,cancel,browse</param>
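Review bot: This is the second copy of the same `enableReferrerCheck` literal, and nothing in struts.xml ties the two together, so an admin following the documentation's "2 locations" instruction can easily leave the stacks out of step with each other. A short comment on this param pointing at its twin would make that drift visible at review time: `<!-- keep in sync with the enableReferrerCheck param in the other interceptor stack -->`. The enclosing package element and the stack's name begin outside this hunk, so the stack cannot be identified from here.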