Posted to commits@archiva.apache.org by br...@apache.org on 2010/12/15 04:58:25 UTC
svn commit: r1049409 - in /archiva/branches/archiva-1.3.x:
archiva-docs/src/site/apt/adminguide/customising-security.apt
archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
Author: brett
Date: Wed Dec 15 03:58:25 2010
New Revision: 1049409
URL: http://svn.apache.org/viewvc?rev=1049409&view=rev
Log:
[MRM-1445] disable referrer check by default
Modified:
archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt
archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
Modified: archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt?rev=1049409&r1=1049408&r2=1049409&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt (original)
+++ archiva/branches/archiva-1.3.x/archiva-docs/src/site/apt/adminguide/customising-security.apt Wed Dec 15 03:58:25 2010
@@ -48,3 +48,19 @@ security.policy.password.rule.nowhitespa
can be found in:
<<<apps/archiva/WEB-INF/classes/META-INF/plexus/application.xml>>>
+* Additional CSRF Prevention
+
+ To help prevent cross-site request forgery, it is possible to enable a basic check that the referrer is the current
+ site.
+
+ <Note:> This is only a generic solution that may prevent some types of attacks but not others. It may cause problems
+ with certain user agents. By default, the check is off.
+
+ To enable the check, change the following configuration value in the <<<struts.xml>>> file in the <<<WEB-INF/classes>>>
+ directory of the web application (2 locations):
+
+----
+<interceptor-ref name="redbackSecureActions">
+ <param name="enableReferrerCheck">false</param>
+</interceptor-ref>
+----
\ No newline at end of file
Modified: archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml?rev=1049409&r1=1049408&r2=1049409&view=diff
==============================================================================
--- archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml (original)
+++ archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml Wed Dec 15 03:58:25 2010
@@ -42,7 +42,7 @@
<param name="blocked">externalResult</param>
</interceptor-ref>
<interceptor-ref name="redbackSecureActions">
- <param name="enableReferrerCheck">true</param>
+ <param name="enableReferrerCheck">false</param>
</interceptor-ref>
<interceptor-ref name="redbackPolicyEnforcement"/>
<interceptor-ref name="configuration"/>
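Review bot: Flipping `enableReferrerCheck` to `false` on the new side of this hunk removes the only CSRF mitigation visible in this stack, and the commit adds no compensating control (e.g. a per-session token interceptor, if the Struts version in use provides one) for the state-changing admin actions this stack guards. If the referrer check is dropped because some user agents strip the header, a safer default would fail closed only when a Referer is present and mismatched, rather than disabling the check entirely; at minimum the XML deserves a comment such as `<!-- Referrer-based CSRF check disabled by default (MRM-1445); see adminguide/customising-security -->` so the next maintainer knows this is a deliberate weakening. Note also that the admin-guide snippet introduced in the same commit says "To enable the check" but shows `<param name="enableReferrerCheck">false</param>`; it should read `true` or the instructions will leave the check off.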
@@ -60,7 +60,7 @@
<interceptor-ref name="defaultStack"/>
<interceptor-ref name="redbackPolicyEnforcement"/>
<interceptor-ref name="redbackSecureActions">
- <param name="enableReferrerCheck">true</param>
+ <param name="enableReferrerCheck">false</param>
</interceptor-ref>
<interceptor-ref name="validation">
<param name="excludeMethods">input,back,cancel,browse</param>