
url pattern issue - please help me...

bharathik
Joined: 2009-11-08

Hello friends,

I'm using a filter for CSRF (Cross-site request forgery).
This filter should be executed for all actions, i.e. for every .do being called.
The application is working separately with the filter.

Mapping is done like this in web.xml :

<filter>
    <filter-name>sessionCheck</filter-name>
    <filter-class>filterSecurity.FilterSecurityController</filter-class>
    <init-param>
        <param-name>config</param-name>
        <param-value>WEB-INF/csrfguard.properties</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>sessionCheck</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>sessionCheck</filter-name>
    <servlet-name>action</servlet-name>
</filter-mapping>

And I've done the SSL setting, for security, using Apache Tomcat.
SSL is also working separately. The mapping is given like this in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All</web-resource-name>
        <description>No Description</description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <description>USE SSL</description>
        <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

SSL starts from the first page. The problem is when I put both SSL and the filter in place: when I try to log in, i.e. when an action is called, the filter is not getting executed and it's giving "page cannot be displayed". Can you help me in solving this? Any idea? Should I have to change the url-pattern???

Please help me out...

Thanks in advance
Bharathi

kesavramesh
Joined: 2009-12-31

Hi,
First, download OWASP-CSRFGuard-2.2.jar and htmlparser.jar
and put them under WEB-INF\lib.
Copy CSRFGuard.properties and CSRFGuard.tld into the WEB-INF folder.

Decide whether you want to do server-side token generation or client-side.

Then create the entry in the web.xml as follows:

<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CSRFGuardFilter</filter-class>
    <init-param>
        <param-name>config</param-name>
        <param-value>WEB-INF/CSRFGuard.properties</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <servlet-name>action</servlet-name>
</filter-mapping>

In my case the "action" is the ActionServlet for Struts:

<servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
        <param-name>config</param-name>
        <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

That's it. When you build your environment, all your HREFs, images and hidden variables in FORMs will be generated with the CSRF token.

Here is a sample of the CSRFGuard.properties I use:
org.owasp.csrfguard.Debug=true
org.owasp.csrfguard.handler.DefaultHandler=org.owasp.csrfguard.handlers.DefaultHandler
org.owasp.csrfguard.handler.HTMLParserHandler=org.owasp.csrfguard.handlers.HTMLParserHandler
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.action.class.Log=org.owasp.csrfguard.actions.Log
org.owasp.csrfguard.action.class.Log.Message=Caught a potential CSRF attack from %remote_ip targeting %request_uri with the parameters %request_parameters
org.owasp.csrfguard.action.class.Invalidate=org.owasp.csrfguard.actions.Invalidate
org.owasp.csrfguard.action.class.Redirect=org.owasp.csrfguard.actions.Redirect
org.owasp.csrfguard.action.class.Redirect.ErrorPage=/jsp/failure.jsp

I will be putting all this information into my blog reach2ramesh.blogspot.com soon.
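To show what a filter mapped the way the posts above describe actually checks on each request, here is an added example written for this thread; it is not code from OWASP CSRFGuard or from either poster. It is a minimal synchronizer-token filter against the javax.servlet API (Servlet 2.5 or later, Java 8 for Base64): one random token per session, required on every state-changing request, with the Log and Invalidate behaviour the properties above configure. The class name SimpleCsrfFilter and the 32-byte token are assumptions; the parameter name OWASP_CSRFTOKEN is the TokenName value from the properties file. It would be mapped in web.xml with the same <filter-mapping> entries (url-pattern plus servlet-name) shown in the answer.

```java
// Added example (not CSRFGuard's code): minimal synchronizer-token filter.
// Assumes the javax.servlet API and Java 8; class name is hypothetical.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SimpleCsrfFilter implements Filter {
    // Same request parameter name as org.owasp.csrfguard.TokenName in the properties above.
    public static final String TOKEN_NAME = "OWASP_CSRFTOKEN";

    private final SecureRandom rng = new SecureRandom();
    private ServletContext context;

    @Override
    public void init(FilterConfig cfg) {
        // Keep the context for logging (Servlet 2.5 requests have no getServletContext()).
        context = cfg.getServletContext();
    }

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // One token per session. Pages must render it into every form as a hidden
        // field named TOKEN_NAME; CSRFGuard's HTMLParserHandler automates that step.
        HttpSession session = request.getSession(true);
        String expected = (String) session.getAttribute(TOKEN_NAME);
        if (expected == null) {
            expected = newToken();
            session.setAttribute(TOKEN_NAME, expected);
        }

        // Safe methods only read state; anything else must carry a matching token.
        if (isStateChanging(request.getMethod())) {
            String supplied = request.getParameter(TOKEN_NAME);
            if (!tokensMatch(expected, supplied)) {
                // Equivalent of the Log + Invalidate actions configured above:
                // record the event, drop the session, refuse the request.
                context.log("Potential CSRF from " + request.getRemoteAddr()
                        + " targeting " + request.getRequestURI());
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "CSRF token missing or invalid");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // GET/HEAD/OPTIONS are treated as read-only; the token is enforced on the rest.
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    // 32 bytes from SecureRandom, URL-safe Base64 so it survives in links and forms.
    String newToken() {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Constant-time comparison so the token cannot be recovered byte by byte via timing.
    static boolean tokensMatch(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the check runs inside the filter chain, a request that never reaches the filter is never checked: when a mapping or a transport constraint prevents the filter from executing, as in the question above, the protection is silently absent, so a deployment should confirm (for example with the Debug and Log settings shown in the properties) that a state-changing request without the token is actually refused.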