Question & Answer
Question
Cross-Site Request Forgery (CSRF) filter Configuration.
Answer
Introduction:
Cross-Site Request Forgery (CSRF) can be mitigated by configuring a servlet filter that rejects the request and invalidates the current session when it detects a potential CSRF request. The CSRF filter was introduced in release 8.0.1. To obtain CSRF protection for earlier versions, contact the MCS product support team.
The implementation does the following:
- A secondary id is constructed from the session id and appended to the URL of every link and form the application emits, so that every legitimate incoming request carries it. This is called the "Append Stage".
- All incoming requests are checked for the secondary id. If the secondary id is missing or invalid, the request is rejected and the current session is invalidated. This is called the "Validate Stage".
Configuring the CSRF filter:
- Place the cmgt-csrfFilter.jar in the application's WEB-INF/lib directory.
- Edit the WEB-INF/web.xml file to include the following:
- Add filter declaration: go to the section that has the filter definitions and add the following block. The init-param elements must sit inside the <filter> element, after <filter-class>; init-params placed outside the filter element are invalid in web.xml.
<filter>
<filter-name>CSRFFilter</filter-name>
<filter-class>com.comergent.filter.csrf.CSRFFilter</filter-class>
<init-param>
<param-name>noop</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>checkOnly</param-name>
<param-value>false</param-value>
</init-param>
</filter>
- The optional noCheckList parameter (see Parameters below) is added as a further init-param inside the same <filter> element.
- Add filter mappings: go to the section that has the filter mappings. Filters run in the order in which their filter-mapping elements appear in web.xml, so each mapping below must come before any other filter-mapping for the same servlet; otherwise another filter could act on a forged request before the CSRF check rejects it.
Add this as the first filter-mapping for the "DispatchServlet" servlet:
<filter-mapping>
<filter-name>CSRFFilter</filter-name>
<servlet-name>DispatchServlet</servlet-name>
</filter-mapping>
Add this as the first filter-mapping for the "NoCacheDispatchServlet" servlet:
<filter-mapping>
<filter-name>CSRFFilter</filter-name>
<servlet-name>NoCacheDispatchServlet</servlet-name>
</filter-mapping>
Parameters:
- noop
When noop is set to 'true', the filter passes every request through without performing URL rewriting or checking. This mode is useful if you want to disable the filter quickly to see whether a suspected problem is related to this filter. The default value of this parameter is 'false'. Leave noop at 'false' in production: with it enabled the application has no CSRF protection at all.
- checkOnly
When checkOnly is set to 'true', the filter logs the invalid secondary id condition in debs.log but lets the request continue as if there were no error. The default value of this parameter is 'false'. This is a monitoring mode for rollout, useful for finding URLs that the Append Stage does not rewrite; like noop, it does not block forged requests.
- noCheckList
The filter can be configured to skip the secondary id check for a set of messageTypes, given as a comma-separated list. Use the noCheckList option with care: a request whose messageType is on the list is accepted without any secondary id, so it is exposed to CSRF exactly as if the filter were not installed. Keep the list to messageTypes that perform no state-changing action, and double-review the JSPs associated with these allowlisted commands to ensure that they contain no known holes (in particular cross-site scripting: script injected into the application can read the secondary id from the page's URLs and defeat the check for every other request as well).
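The following is an added illustration of the Append Stage and Validate Stage described in the introduction, together with the noop, checkOnly and noCheckList behaviour described under Parameters. It is written for this page and is not the source of com.comergent.filter.csrf.CSRFFilter. Two things are assumed rather than stated on the page: that the secondary id is an HMAC of the session id under a server-side secret (the page only says it is "constructed from the session id"), and that the id travels either as the ";i=" path parameter or as the "_xsid" query parameter, the two carriers shown in the Testing section. The secret and session id are constructed sample values.

```python
# Added illustration of the two-stage scheme described on this page; not the
# product's own code. Assumed: HMAC-based id derivation and the ';i=' / '_xsid'
# carriers seen in the Testing section.
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SERVER_SECRET = b"constructed-example-secret"  # constructed sample; load from config in practice

PASS = "PASS"                              # request continues down the filter chain
LOG_ONLY = "LOG_ONLY"                      # checkOnly=true: failure logged, request continues
INVALIDATE_SESSION = "INVALIDATE_SESSION"  # request rejected, session invalidated


def secondary_id(session_id: str) -> str:
    """Derive the secondary id from the session id (assumed HMAC construction)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def append_stage(url: str, session_id: str) -> str:
    """Append Stage: rewrite an outgoing URL so that it carries the id as _xsid."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["_xsid"] = [secondary_id(session_id)]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def extract_id(url: str):
    """Read the id from a ';i=' path parameter or a '_xsid' query parameter."""
    parts = urlsplit(url)
    for segment in parts.path.split(";")[1:]:      # path parameters follow ';'
        name, _, value = segment.partition("=")
        if name == "i":
            return value
    query = parse_qs(parts.query, keep_blank_values=True)
    return query["_xsid"][0] if "_xsid" in query else None


def validate_stage(url: str, session_id: str, message_type: str, *,
                   noop: bool = False, check_only: bool = False,
                   no_check_list=()) -> str:
    """Validate Stage: decide what the filter does with an incoming request,
    honouring the noop, checkOnly and noCheckList parameters."""
    if noop:
        return PASS                        # filter disabled: no rewriting, no check
    if message_type in no_check_list:
        return PASS                        # allowlisted messageType: check skipped entirely
    presented = extract_id(url)
    expected = secondary_id(session_id)
    if presented is not None and hmac.compare_digest(presented.encode(), expected.encode()):
        return PASS
    # Missing or wrong id: this is the condition the filter logs as "CSRF bad value="
    return LOG_ONLY if check_only else INVALIDATE_SESSION


if __name__ == "__main__":
    sid = "JSESSIONID-constructed-0001"
    good = append_stage("http://www.company.com:1234/Comergent/en/US/matrix?cmd=show", sid)
    print(good, validate_stage(good, sid, "show"))
    print(validate_stage("http://www.company.com:1234/Comergent/en/US/matrix;i=bad", sid, "show"))
```

Because the id is bound to the session id, a forged request from another origin cannot carry the right value unless the attacker can already read the victim's page, which is why the allowlist caveat above singles out cross-site scripting.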
Debugging:
To enable debug, add to log4j.properties
log4j.logger.com.comergent.filter.csrf=DEBUG
Testing:
To simulate a forged request, issue a URL with an invalid secondary id value, either as the ;i path parameter or as the _xsid query parameter, for example:
http://www.company.com:1234/Comergent/en/US/matrix;i=bad
or
http://www.company.com:1234/Comergent/en/US/matrix?..&_xsid=bad..
The following entries then appear in the log; the second confirms that the filter rejected the request and invalidated the session:
2008.03.26 11:06:58:057 Env/http-8090-1:WARN:CSRFFilter CSRF bad value=
2008.03.26 11:06:58:057 Env/http-8090-1:WARN:CSRFFilter CSRF check failed, will invalidate current session.
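The two log lines above are also what a monitoring rule should key on once the filter is in production. The following is an added detection example written for this page, not part of the product: it parses entries in the format shown above and flags windows in which rejected requests cluster, the pattern that either an active CSRF attempt or a page the Append Stage fails to rewrite would produce. The sample log is constructed from the two entries on this page plus a few invented lines; the field layout (timestamp, thread, level, logger, message) is read from those entries and is assumed to hold for other lines.

```python
# Added detection example written for this page; not part of the product.
# Parses the log format shown above and reports bursts of CSRF rejections.
import re
from datetime import datetime, timedelta

# Layout assumed from the two entries on this page:
# "YYYY.MM.DD HH:MM:SS:mmm thread:LEVEL:logger message"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}):(?P<ms>\d{3}) "
    r"(?P<thread>\S+?):(?P<level>[A-Z]+):(?P<logger>\S+) (?P<msg>.*)$"
)

# Constructed sample: the page's two entries plus invented surrounding lines.
SAMPLE_LOG = """\
2008.03.26 11:06:58:057 Env/http-8090-1:WARN:CSRFFilter CSRF bad value=
2008.03.26 11:06:58:057 Env/http-8090-1:WARN:CSRFFilter CSRF check failed, will invalidate current session.
2008.03.26 11:07:01:120 Env/http-8090-3:INFO:DispatchServlet processing matrix
2008.03.26 11:07:02:004 Env/http-8090-2:WARN:CSRFFilter CSRF bad value=bad
2008.03.26 11:07:02:004 Env/http-8090-2:WARN:CSRFFilter CSRF check failed, will invalidate current session.
2008.03.26 11:30:15:900 Env/http-8090-1:WARN:CSRFFilter CSRF check failed, will invalidate current session.
"""


def parse_line(line: str):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S") + timedelta(milliseconds=int(m["ms"]))
    return {"time": ts, "thread": m["thread"], "level": m["level"],
            "logger": m["logger"], "msg": m["msg"]}


def csrf_failures(lines):
    """Timestamps of rejected requests: one per 'CSRF check failed' entry."""
    return [e["time"] for e in map(parse_line, lines)
            if e and e["logger"] == "CSRFFilter" and e["msg"].startswith("CSRF check failed")]


def bursts(times, window=timedelta(seconds=60), threshold=2):
    """Start times of sliding windows that contain at least `threshold` failures."""
    times = sorted(times)
    found, start = [], 0
    for end, t in enumerate(times):
        while t - times[start] > window:      # drop failures that fell out of the window
            start += 1
        if end - start + 1 >= threshold and (not found or found[-1] != times[start]):
            found.append(times[start])
    return found


if __name__ == "__main__":
    failures = csrf_failures(SAMPLE_LOG.splitlines())
    print(len(failures), "rejected requests; bursts at", bursts(failures))
```

A single rejection is usually a stale tab or a bookmarked URL; a burst shortly after a deployment points at a page whose links are no longer rewritten, and a burst with no deployment is worth treating as a probe.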
Historical Number
FAQ2926
Document Information
Modified date:
16 June 2018
UID
swg21519893