Monday, June 23, 2014

Securing EXT-JS from CSRF

  • First, you need to have the CSRFGuard JAR as part of your WAR (pom.xml changes):

        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>csrfguard</artifactId>
            <version>3.0.0</version>
        </dependency>

  • Next, you will need to modify your web.xml to add the CSRFGuard servlet, filter, listeners, and configuration parameters, since it all works using standard servlet technology (web.xml changes):

        <context-param>
            <param-name>Owasp.CsrfGuard.Config</param-name>
            <param-value>WEB-INF/csrfguard.properties</param-value>
        </context-param>
        <context-param>
            <param-name>Owasp.CsrfGuard.Config.Print</param-name>
            <param-value>true</param-value>
        </context-param>

        <filter>
            <filter-name>CsrfGuard</filter-name>
            <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>CsrfGuard</filter-name>
            <!-- must cover every request; a bare "*" is not a valid servlet url-pattern -->
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <listener>
            <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
        </listener>
        <listener>
            <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
        </listener>

        <servlet>
            <servlet-name>CsrfJavaScriptServlet</servlet-name>
            <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
            <init-param>
                <param-name>source-file</param-name>
                <param-value>scripts/resources/csrfguard.js</param-value>
            </init-param>
            <init-param>
                <param-name>inject-into-forms</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>inject-into-attributes</param-name>
                <param-value>false</param-value>
            </init-param>
            <init-param>
                <param-name>domain-strict</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>x-requested-with</param-name>
                <param-value>OWASP CSRFGuard</param-value>
            </init-param>
        </servlet>
        <servlet-mapping>
            <servlet-name>CsrfJavaScriptServlet</servlet-name>
            <url-pattern>/CsrfJavaScriptServlet</url-pattern>
        </servlet-mapping>


  • Third, we need to add the two CSRFGuard files referenced above to the WAR. The folder names must match what you declared in web.xml, and they are customizable:

    • scripts/resources/csrfguard.js (preferably under the webapp\scripts\resources folder)
    • /WEB-INF/csrfguard.properties (should be on your classpath)


  • One property that is critical in csrfguard.properties is "org.owasp.csrfguard.Ajax=true"


  • Lastly, in the main ExtJS launch page, which is typically /index.html:

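The wiring above is easy to get subtly wrong: a filter mapping that does not cover every request, a missing listener, or the Ajax property left unset (in which case csrfguard.js does not add the token header to XMLHttpRequest calls, and the filter rejects every ExtJS Ajax POST). The checker below is an added example, not code from this post or from OWASP CSRFGuard; it parses a web.xml and csrfguard.properties pair and reports what is missing, using constructed sample inputs that mirror the configuration above.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.owasp.csrfguard.CsrfGuardFilter"
JS_SERVLET = "org.owasp.csrfguard.servlet.JavaScriptServlet"
LISTENERS = {"org.owasp.csrfguard.CsrfGuardServletContextListener",
             "org.owasp.csrfguard.CsrfGuardHttpSessionListener"}
# Constructed sample descriptor mirroring the wiring in the post (namespaced, like a real web.xml).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter><filter-name>CsrfGuard</filter-name><filter-class>%s</filter-class></filter>
  <filter-mapping><filter-name>CsrfGuard</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <listener><listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class></listener>
  <listener><listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class></listener>
  <servlet><servlet-name>CsrfJavaScriptServlet</servlet-name><servlet-class>%s</servlet-class></servlet>
</web-app>""" % (FILTER_CLASS, JS_SERVLET)
SAMPLE_PROPERTIES = "# constructed csrfguard.properties\norg.owasp.csrfguard.Ajax=true\n"

def _find(root, tag):
    """All elements named `tag`, ignoring the web-app XML namespace."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == tag]

def _text(el, tag):
    hits = _find(el, tag)
    return hits[0].text.strip() if hits and hits[0].text else ""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_csrfguard(web_xml, properties_text):
    """Return findings for missing or weak CSRFGuard wiring; [] means every check passed."""
    root, findings = ET.fromstring(web_xml), []
    names = {_text(f, "filter-name") for f in _find(root, "filter")
             if _text(f, "filter-class") == FILTER_CLASS}
    patterns = [_text(m, "url-pattern") for m in _find(root, "filter-mapping")
                if _text(m, "filter-name") in names]
    if "/*" not in patterns:  # a bare "*" is not a valid servlet url-pattern, so nothing gets filtered
        findings.append("CsrfGuardFilter is not mapped to /* (patterns: %s)" % patterns)
    present = {_text(l, "listener-class") for l in _find(root, "listener")}
    findings += ["listener not registered: " + l for l in sorted(LISTENERS - present)]
    if JS_SERVLET not in {_text(s, "servlet-class") for s in _find(root, "servlet")}:
        findings.append("JavaScriptServlet not declared, so index.html cannot load csrfguard.js")
    if parse_properties(properties_text).get("org.owasp.csrfguard.Ajax") != "true":
        findings.append("org.owasp.csrfguard.Ajax is not true: ExtJS Ajax requests carry no token")
    return findings
```

Run it against your own WAR by reading the real files into `check_csrfguard`; an empty list means the descriptor and properties match the setup described in this post.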
