<font size=2 face="sans-serif">Hi,</font>
<br>
<br><font size=2 face="sans-serif">I have created a search form which performs
a search operation. I want to implement CSRF protection in that search form; how do I do
that? Is there any library available in OpenCms for that? I have implemented
custom CSRF protection, but it only works when a user is logged in, not when nobody
is logged in. You can see the custom CSRF implementation in the code below:</font>
<br>
<br><font size=2 face="sans-serif">&lt;%@ page import="java.net.URI, com.google.common.cache.Cache" %&gt; // imports the snippet needs (Cache is assumed to be Guava's, which provides getIfPresent)</font>
<br><font size=2 face="sans-serif">String reqURLCSRF = "";</font>
<br><font size=2 face="sans-serif">String referrer = request.getHeader("referer");</font>
<br><font size=2 face="sans-serif">String rootPath = pageContext.getRequest().getServerName();</font>
<br><font size=2 face="sans-serif">// Compare the Referer host with our own host exactly; a substring test would also accept a foreign URL that merely contains our host name in its path or query.</font>
<br><font size=2 face="sans-serif">String referrerHost = null;</font>
<br><font size=2 face="sans-serif">try { if (referrer != null) referrerHost = new URI(referrer).getHost(); } catch (java.net.URISyntaxException e) { referrerHost = null; }</font>
<br><font size=2 face="sans-serif">if (referrerHost != null &amp;&amp; referrerHost.equalsIgnoreCase(rootPath)) {</font>
<br><font size=2 face="sans-serif">    String salt = request.getParameter("csrfPreventionSalt");</font>
<br><font size=2 face="sans-serif">    // Validate that the salt is in the cache. Note: getSession() creates a fresh, empty session when none exists (for example right after logout), so the cache attribute is then null.</font>
<br><font size=2 face="sans-serif">    Cache&lt;String, Boolean&gt; csrfPreventionSaltCache = (Cache&lt;String, Boolean&gt;) request.getSession().getAttribute("csrfPreventionSaltCache");</font>
<br><font size=2 face="sans-serif">    if (csrfPreventionSaltCache != null &amp;&amp; salt != null &amp;&amp; csrfPreventionSaltCache.getIfPresent(salt) != null) {</font>
<br><font size=2 face="sans-serif">        // If the salt is in the cache, we move on</font>
<br><font size=2 face="sans-serif">        reqURLCSRF = "&amp;csrfPreventionSalt=" + salt;</font>
<br><font size=2 face="sans-serif">    } else {</font>
<br><font size=2 face="sans-serif">        // Otherwise we throw an exception aborting the request flow</font>
<br><font size=2 face="sans-serif">        throw new ServletException("Potential CSRF detected!! Inform a scary sysadmin ASAP."); // Fire when logout</font>
<br><font size=2 face="sans-serif">        //out.println("&lt;div style='color:red; height: 100px; clear:both;'&gt;" + csrfPreventionSaltCache + "&lt;/div&gt;");</font>
<br><font size=2 face="sans-serif">    }</font>
<br><font size=2 face="sans-serif">} else {</font>
<br><font size=2 face="sans-serif">    // Otherwise we throw an exception aborting the request flow</font>
<br><font size=2 face="sans-serif">    throw new ServletException("Potential CSRF detected!! Inform a scary sysadmin ASAP.");</font>
<br><font size=2 face="sans-serif">}</font>
<br>
<br><font size=2 face="sans-serif">I am generating the salt using a filter and
validating the salt using a filter. Both have been configured in web.xml
and are working fine with the above code when there is a logged-in user (testing
with the Admin user). But when I log out and check the same, it throws the
exception at the line marked "// Fire when logout".</font>
<br>
<br><font size=2 face="sans-serif">Please help me in this regard.</font>
<br>
<br><font size=2 face="sans-serif">Cheers</font>
<br><font size=2 face="sans-serif">Manoj Kumar Sharma</font>
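<br>
<br><font size=2 face="sans-serif">The failure above comes from keeping the salt cache in the HTTP session: a visitor who is not logged in has no session holding the cache, and the fresh session created after logout does not contain it either, so getSession() hands back an empty one. As an added example, not code from the original post or from OpenCms, here is a servlet filter that uses a double-submit cookie instead, so anonymous visitors get a token as well; the class name CsrfCookieFilter, the cookie name csrfToken and the rule that only non-GET/HEAD requests are checked are assumptions.</font>

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Double-submit-cookie CSRF filter (hypothetical, not part of OpenCms): the token lives in a
// cookie instead of the HTTP session, so a visitor who is not logged in still gets one.
public class CsrfCookieFilter implements Filter {
    static final String COOKIE = "csrfToken";         // assumed cookie name
    static final String PARAM = "csrfPreventionSalt"; // form field name used in the post
    private final SecureRandom rng = new SecureRandom();
    public void init(FilterConfig cfg) {}  public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        String expected = cookieValue(r);
        if (expected == null) {
            // First visit: mint a random token and set it as a cookie; a foreign page cannot read it.
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            Cookie c = new Cookie(COOKIE, expected);
            c.setHttpOnly(true);
            c.setSecure(r.isSecure());
            c.setPath("/");
            w.addCookie(c);
        }
        r.setAttribute(COOKIE, expected); // the JSP renders this as the hidden form field
        boolean safe = "GET".equals(r.getMethod()) || "HEAD".equals(r.getMethod());
        if (!safe && !tokenMatches(r.getParameter(PARAM), expected)) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
            return;
        }
        chain.doFilter(req, res);
    }

    // Constant-time comparison so response timing does not leak how much of the token matched.
    static boolean tokenMatches(String submitted, String expected) {
        return submitted != null && MessageDigest.isEqual(submitted.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }
    private static String cookieValue(HttpServletRequest r) {
        if (r.getCookies() == null) return null;
        for (Cookie c : r.getCookies()) if (COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }
}
```

<font size=2 face="sans-serif">Register it in web.xml in place of the two salt filters and have the JSP emit the csrfToken request attribute as the csrfPreventionSalt field; the search form must then submit with POST for the check to apply.</font>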