IBM Support

CSRF filter Configuration

Question & Answer


Question

Cross-Site Request Forgery (CSRF) filter Configuration.

Answer

Introduction:

Cross-Site Request Forgery (CSRF) can be prevented by configuring a servlet filter that invalidates the current session when it detects a potential CSRF request. The CSRF filter was introduced in release 8.0.1. To implement CSRF protection on earlier versions, contact the MCS product support team.

The implementation does the following:

  1. A secondary id is constructed from the session id and is appended to the URL of every possible incoming request. This is called the "Append Stage".
  2. All incoming requests are checked for the secondary id. If the secondary id is missing or invalid, the request is rejected. This is called the "Validate Stage".

Configuring the CSRF filter:

  1. Place cmgt-csrfFilter.jar in the /WEB-INF/lib directory.
  2. Edit the WEB-INF/web.xml file to include the following:
    1. Add the filter declaration: go to the section that has the filter definitions and add the following block
      <filter>
        <filter-name>CSRFFilter</filter-name>
        <filter-class>com.comergent.filter.csrf.CSRFFilter</filter-class>
      </filter>
    2. Add the following init-param elements inside that <filter> element, after <filter-class> (the servlet deployment descriptor only allows init-param as a child of filter)
      <init-param>
        <param-name>noop</param-name>
        <param-value>false</param-value>
      </init-param>
      <init-param>
        <param-name>checkOnly</param-name>
        <param-value>false</param-value>
      </init-param>
      <!-- optionally, a third init-param named noCheckList; see Parameters below -->
    3. Add the filter mappings: go to the section that has the filter mappings.

      Add this as the first filter-mapping for the "DispatchServlet" (filters run in the order in which their mappings appear).
      <filter-mapping>
        <filter-name>CSRFFilter</filter-name>
        <servlet-name>DispatchServlet</servlet-name>
      </filter-mapping>

      Add this as the first filter-mapping for the "NoCacheDispatchServlet".
      <filter-mapping>
        <filter-name>CSRFFilter</filter-name>
        <servlet-name>NoCacheDispatchServlet</servlet-name>
      </filter-mapping>

Parameters:
  1. noop
    When noop is enabled, i.e. set to 'true', the filter passes the request through without performing URL rewriting or checking. This mode is useful if you wish to quickly disable the filter to see whether a suspected problem is related to this filter or not. The default value of this parameter is 'false'.
  2. checkOnly
    When checkOnly is set to 'true', the filter logs the invalid secondary id condition in debs.log but continues as if there were no error. The default value of this parameter is 'false'.
  3. noCheckList
    The filter can be configured to skip the secondary id check for a set of messageTypes. The list is in comma-separated format. Use the noCheckList option with care: JSPs associated with these 'allowlist' commands should be doubly reviewed to ensure that they do not contain any known holes (in particular those related to cross-site scripting), since a request to such a command is accepted without a valid secondary id.
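The following is an added example, not code from the page or from the MCS product: an executable model of the append and validate stages described above, together with the three parameters. The page does not state how the secondary id is derived from the session id, so the HMAC construction keyed by SERVER_SECRET is an assumption; the ";i=" path-parameter and "_xsid" query-parameter positions are taken from the test URLs in the Testing section, the CSRFFilter class, the message_type argument, the session dictionary and all sample URLs and ids are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed server-side secret for this example. The page only says the
# secondary id is "constructed from the session id"; deriving it with an HMAC
# keyed by a server secret is an assumption, not the product's algorithm.
SERVER_SECRET = b"example-secret-not-from-the-page"

PATH_PARAM = "i"        # the ";i=<id>" path-parameter form from the page's test URL
QUERY_PARAM = "_xsid"   # the "?_xsid=<id>" query-parameter form from the page's test URL


def secondary_id(session_id: str) -> str:
    """Derive the secondary id from the session id (assumed HMAC construction)."""
    mac = hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def append_secondary_id(url: str, session_id: str, use_path_param: bool = False) -> str:
    """Append stage: rewrite an outgoing URL so it carries the secondary id."""
    sid = secondary_id(session_id)
    parts = urlsplit(url)
    if use_path_param:
        path = f"{parts.path};{PATH_PARAM}={sid}"
        return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != QUERY_PARAM]
    query.append((QUERY_PARAM, sid))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def extract_secondary_id(url: str) -> Optional[str]:
    """Find the secondary id in either the path-parameter or the query-parameter position."""
    parts = urlsplit(url)
    for segment in parts.path.split(";")[1:]:
        name, _, value = segment.partition("=")
        if name == PATH_PARAM:
            return value
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == QUERY_PARAM:
            return value
    return None


class CSRFFilter:
    """Model of the validate stage with the page's noop, checkOnly and noCheckList settings."""

    def __init__(self, noop: bool = False, check_only: bool = False, no_check_list: str = "") -> None:
        self.noop = noop
        self.check_only = check_only
        # noCheckList is a comma-separated list of messageTypes to skip
        self.no_check_list = {m.strip() for m in no_check_list.split(",") if m.strip()}
        self.log: List[str] = []  # captured log lines, shaped like the page's WARN entries

    def rewrite(self, url: str, session: Dict[str, object], use_path_param: bool = False) -> str:
        """Append stage; noop disables URL rewriting as well as checking."""
        if self.noop:
            return url
        return append_secondary_id(url, str(session["id"]), use_path_param)

    def validate(self, session: Dict[str, object], url: str, message_type: Optional[str] = None) -> bool:
        """Validate stage. Returns True when the request may proceed."""
        if self.noop:
            return True
        if message_type is not None and message_type in self.no_check_list:
            return True  # allowlisted messageType: the secondary id is not checked
        presented = extract_secondary_id(url)
        expected = secondary_id(str(session["id"]))
        if presented is not None and hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
            return True
        self.log.append(f"WARN:CSRFFilter CSRF bad value={presented or ''}")
        if self.check_only:
            return True  # checkOnly: log the condition but continue as if there were no error
        self.log.append("WARN:CSRFFilter CSRF check failed, will invalidate current session.")
        session["valid"] = False
        return False


def demo() -> Dict[str, object]:
    """Constructed session and URLs modelled on the page's test URLs."""
    base = "http://www.company.com:1234/Comergent/en/US/matrix"
    f = CSRFFilter()
    session: Dict[str, object] = {"id": "constructed-session-id", "valid": True}
    good = f.rewrite(base + "?view=list", session)
    accepted = f.validate(session, good)          # rewritten URL passes
    rejected = f.validate(session, base + ";i=bad")  # the page's bad-value test URL fails
    return {"good_url": good, "accepted": accepted, "rejected": rejected,
            "session_valid": session["valid"], "log": list(f.log)}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Because the secondary id is bound to the session id, a URL carrying an id issued for a different session (or a forged value such as the page's ";i=bad") fails the check and, unless checkOnly is set, the session is invalidated. The allowlist check in validate shows why noCheckList needs care: a listed messageType is accepted without any secondary id at all.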


Debugging:

To enable debug logging for the filter, add the following line to log4j.properties:

log4j.logger.com.comergent.filter.csrf=DEBUG

Testing:

To simulate bad behavior, issue a request with an invalid secondary id, for example:


http://www.company.com:1234/Comergent/en/US/matrix;i=bad

Or


http://www.company.com:1234/Comergent/en/US/matrix?..&_xsid=bad..

The following log entries can then be found:

2008.03.26 11:06:58:057 Env/http-8090-1:WARN:CSRFFilter CSRF bad value=

2008.03.26 11:06:58:057 Env/http-8090-1:WARN:CSRFFilter CSRF check failed, will invalidate current session.

Product: IBM Sterling Order Management (SS6PEW); Business Unit: IBM Software; Component: MCS; Platforms: AIX, HP-UX, Linux, Solaris, Windows; Versions: 9.1, 9.0, 8.5, 8.0.2, 8.0.1; Line of Business: Sustainability Software

Historical Number

FAQ2926

Document Information

Modified date:
16 June 2018

UID

swg21519893