[opencms-dev] How to implement CSRF in custom function

Manoj.Sharma at nevagroup.com Manoj.Sharma at nevagroup.com
Mon Oct 19 07:25:38 CEST 2015


Hi,

I have created a search form which performs a search operation. I want to 
implement CSRF protection in that search form; how do I do that? Is there any lib 
available in OpenCms for that? I have implemented custom CSRF but it is 
working only when a user is logged in, not when nobody is logged in. You can see 
the custom CSRF implementation in the code below:

<%@ page import="com.google.common.cache.Cache" %>  <%-- Cache here is Guava's (getIfPresent) --%>

String reqURLCSRF = "";
String referrer = request.getHeader("referer");
String rootPath = pageContext.getRequest().getServerName();

// Referer check: only accept requests that claim to come from our own host
if (referrer != null && referrer.toLowerCase().contains(rootPath.toLowerCase())) {
    String salt = request.getParameter("csrfPreventionSalt");

    // Validate that the salt is in the cache.
    // The cache lives in the HttpSession: after logout (session invalidated) or for a
    // visitor who never had a session, getSession() yields a fresh, empty session and
    // getAttribute() returns null, so the check below fails for anonymous users.
    @SuppressWarnings("unchecked")
    Cache<String, Boolean> csrfPreventionSaltCache =
        (Cache<String, Boolean>) request.getSession().getAttribute("csrfPreventionSaltCache");

    if (csrfPreventionSaltCache != null && salt != null
            && csrfPreventionSaltCache.getIfPresent(salt) != null) {
        // If the salt is in the cache, we move on
        reqURLCSRF = "&csrfPreventionSalt=" + salt;
    } else {
        // Otherwise we throw an exception aborting the request flow
        throw new ServletException("Potential CSRF detected!! Inform a scary sysadmin ASAP.");  // Fire when logout
        //out.println("<div style='color:red; height: 100px; clear:both;'>" + csrfPreventionSaltCache + "</div>");
    }
} else {
    // Otherwise we throw an exception aborting the request flow
    throw new ServletException("Potential CSRF detected!! Inform a scary sysadmin ASAP.");
}

I am generating the salt using a filter and validating the salt using a filter. 
Both have been configured in web.xml and are working fine with the above code 
when there is a logged-in user (testing with the Admin user). But when I log out and 
check the same, it throws the exception on the line marked "// Fire when logout".

Please help me in this regard.

Cheers
Manoj Kumar Sharma
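One session-free way to protect the form, added here as an example (not code from the original post or from OpenCms): the token is an HMAC over a random visitor-id cookie under a server-side key, so validation reads only the cookie and the hidden field and never touches an HttpSession that logout invalidates or that an anonymous visitor never had. The class name StatelessCsrf, the cookie handling and the key source are assumptions; the filter that sets the cookie, reads the form field and calls isValid() is left to the application.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Session-free CSRF token: HMAC-SHA256(serverKey, visitorId), visitorId carried in a cookie. */
public final class StatelessCsrf {
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] serverKey; // long-lived secret, e.g. loaded once by the filter from config
    public StatelessCsrf(byte[] serverKey) { this.serverKey = serverKey.clone(); }

    /** Random id to set as an HttpOnly, SameSite cookie on first visit, logged in or not. */
    public static String newVisitorId() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Value for the hidden "csrfPreventionSalt" field rendered into the search form. */
    public String tokenFor(String visitorId) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
            byte[] tag = mac.doFinal(visitorId.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    /** Checks the cookie against the submitted field only; no HttpSession attribute is involved. */
    public boolean isValid(String visitorIdCookie, String submittedToken) {
        if (visitorIdCookie == null || submittedToken == null) return false;
        byte[] expected = tokenFor(visitorIdCookie).getBytes(StandardCharsets.UTF_8);
        byte[] actual = submittedToken.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key); // constructed demo key; a real deployment keeps one stable key
        StatelessCsrf csrf = new StatelessCsrf(key);
        String visitor = newVisitorId();
        String token = csrf.tokenFor(visitor);
        System.out.println("genuine form, same visitor cookie: " + csrf.isValid(visitor, token));
        System.out.println("no cookie sent (cleared or cross-site): " + csrf.isValid(null, token));
        System.out.println("token taken from another visitor's form: " + csrf.isValid(newVisitorId(), token));
    }
}
```

The cookie has to be issued to anonymous visitors as well, and a logout only needs to rotate it rather than drop the token state; the Referer test from the original code can stay as a secondary check.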