My Quotes


When U were born , you cried and the world rejoiced
Live U'r life in such a way that when you go
THE WORLD SHOULD CRY






Powered by Find-IP.net

Monday, June 23, 2014

Securing EXT-JS from CSRF

  • First, you need to have the JAR part of your WAR (pom.xml changes)

    • 
   org.owasp
   csrfguard
   3.0.0
  • Next you will need to modify your web.xml to add all the CSRF Servlets, Filters, and Configuration as this all works using standard servlet technology (web.xml changes)

    • 
   Owasp.CsrfGuard.Config   WEB-INF/csrfguard.properties

   Owasp.CsrfGuard.Config.Print   true


   CsrfGuard
   org.owasp.csrfguard.CsrfGuardFilter


   
   CsrfGuard
   *



   org.owasp.csrfguard.CsrfGuardServletContextListener


   org.owasp.csrfguard.CsrfGuardHttpSessionListener

 

   CsrfJavaScriptServlet
   org.owasp.csrfguard.servlet.JavaScriptServlet
   
      source-file      scripts/resources/csrfguard.js   
   
      inject-into-forms      true   
   
      inject-into-attributes      false   
   
      domain-strict      true   
   
      x-requested-with      OWASP CSRFGuard   



   CsrfJavaScriptServlet
   /CsrfJavaScriptServlet

  • Third We need to add the two CSRF files required above to the WAR file. The folder names are in line to what you have described in the web.xml and it is customizable

    • • scripts/resources/csrfguard.js (preferably under webapp\scripts\resources folder)
• /WEB-INF/csrfguard.properties (should be in your classpath)

  • One property that is critical in csrfguard.properties is "org.owasp.csrfguard.Ajax=true"


  • Lastly , in the main ExtJS launch page which is typically /index.html

    •
    Posted by at
    Labels:

    No comments :

    Subscribe to: Post Comments ( Atom )