This is included in the Grouper 2.2 UI. By the way, I've heard this does not work with IE8.

Logging

Set this in log4j.properties to get debug-level logging from the CSRFGuard integration:

Code Block
log4j.logger.edu.internet2.middleware.grouper.grouperUi.csrf.CsrfGuardLogger = DEBUG

Legacy instructions

These instructions install OWASP CSRFGuard in the Grouper UI. They are intended for Grouper v2.1, though they will probably work on v2.0 and could be adapted for earlier versions as well.

1. Download the jar (note: this is from the mchyzer GitHub clone).
1.5. If you have Grouper UI v2.1.5 or earlier, also add this logging jar. Remember to remove this temporary jar when you upgrade.
2. Put the jar(s) in the UI WEB-INF/lib directory.
3. Put this in the Grouper UI web.core.xml (or web.xml if you are not rebuilding), below all of the existing <filter> tags.

Code Block

  <listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
  </listener>

  <servlet>
    <servlet-name>OwaspJavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>OwaspJavaScriptServlet</servlet-name>
    <url-pattern>/grouperExternal/public/OwaspJavaScriptServlet</url-pattern>
  </servlet-mapping>

  <filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
...

5. Create conf/Owasp.CsrfGuard.overlay.properties (it ends up in WEB-INF/classes/Owasp.CsrfGuard.overlay.properties) with these contents:

Code Block

org.owasp.csrfguard.Logger=edu.internet2.middleware.grouper.grouperUi.csrf.CsrfGuardLogger

org.owasp.csrfguard.TokenPerPage=false

org.owasp.csrfguard.action.Redirect.Page=%servletContext%/grouperExternal/public/csrfError.html

org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory

org.owasp.csrfguard.unprotected.DefaultGrouper=%servletContext%/
org.owasp.csrfguard.unprotected.GrouperHome=%servletContext%/home.do
org.owasp.csrfguard.unprotected.GrouperDir=%servletContext%/grouper/*
org.owasp.csrfguard.unprotected.GrouperExternal=%servletContext%/grouperExternal/index.html
org.owasp.csrfguard.unprotected.GrouperExternalAppHtml=%servletContext%/grouperExternal/appHtml/*
org.owasp.csrfguard.unprotected.GrouperExternalPublic=%servletContext%/grouperExternal/public/*
org.owasp.csrfguard.unprotected.GrouperUi=%servletContext%/grouperUi/
org.owasp.csrfguard.unprotected.GrouperUiIndex=%servletContext%/grouperUi/index.html
org.owasp.csrfguard.unprotected.GrouperUiAppHtml=%servletContext%/grouperUi/appHtml/*
org.owasp.csrfguard.unprotected.GrouperI2mi=%servletContext%/i2mi/*
org.owasp.csrfguard.unprotected.GrouperScripts=%servletContext%/scripts/*
org.owasp.csrfguard.unprotected.GrouperIndex=%servletContext%/index.jsp
org.owasp.csrfguard.unprotected.GrouperOwaspJavascript=%servletContext%/grouperExternal/public/OwaspJavaScriptServlet

org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStems=%servletContext%/browseStems.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsCreate=%servletContext%/browseStemsCreate.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsFind=%servletContext%/browseStemsFind.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsManage=%servletContext%/browseStemsManage.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsJoin=%servletContext%/browseStemsJoin.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsSubjectSearch=%servletContext%/browseStemsSubjectSearch.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsAll=%servletContext%/browseStemsAll.do
org.owasp.csrfguard.unprotected.GrouperStrutserror=%servletContext%/error.do
org.owasp.csrfguard.unprotected.GrouperStrutsfilterError=%servletContext%/filterError.do
org.owasp.csrfguard.unprotected.GrouperStrutshelp=%servletContext%/help.do
org.owasp.csrfguard.unprotected.GrouperStrutslogin=%servletContext%/login.do
org.owasp.csrfguard.unprotected.GrouperStrutslogout=%servletContext%/logout.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateAllGroups=%servletContext%/populateAllGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateAssignNewMembers=%servletContext%/populateAssignNewMembers.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateChains=%servletContext%/populateChains.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCopyGroup=%servletContext%/populateCopyGroup.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCopyGroupToStem=%servletContext%/populateCopyGroupToStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCopyOtherStemToStem=%servletContext%/populateCopyOtherStemToStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCopyStem=%servletContext%/populateCopyStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCreateGroup=%servletContext%/populateCreateGroup.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCreateGroups=%servletContext%/populateCreateGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCreateStem=%servletContext%/populateCreateStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateDebugPrefs=%servletContext%/populateDebugPrefs.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateEditGroup=%servletContext%/populateEditGroup.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateEditGroupAttributes=%servletContext%/populateEditGroupAttributes.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateEditStem=%servletContext%/populateEditStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateFindNewMembers=%servletContext%/populateFindNewMembers.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateFindNewMembersForStems=%servletContext%/populateFindNewMembersForStems.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupAsFactor=%servletContext%/populateGroupAsFactor.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupMember=%servletContext%/populateGroupMember.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupMembers=%servletContext%/populateGroupMembers.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupPriviligees=%servletContext%/populateGroupPriviligees.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupSummary=%servletContext%/populateGroupSummary.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupTypes=%servletContext%/populateGroupTypes.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateIndex=%servletContext%/populateIndex.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateJoinGroups=%servletContext%/populateJoinGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateListSavedGroups=%servletContext%/populateListSavedGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateListSavedStems=%servletContext%/populateListSavedStems.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateListSavedSubjects=%servletContext%/populateListSavedSubjects.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateManageGroups=%servletContext%/populateManageGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMoveGroupToStem=%servletContext%/populateMoveGroupToStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMoveGroup=%servletContext%/populateMoveGroup.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMovesCopiesLinks=%servletContext%/populateMovesCopiesLinks.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMoveOtherStemToStem=%servletContext%/populateMoveOtherStemToStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMoveStem=%servletContext%/populateMoveStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMyGroups=%servletContext%/populateMyGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateStemMember=%servletContext%/populateStemMember.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateStemPriviligees=%servletContext%/populateStemPriviligees.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateSubjectSummary=%servletContext%/populateSubjectSummary.do
org.owasp.csrfguard.unprotected.GrouperStrutsuserAudit=%servletContext%/userAudit.do
org.owasp.csrfguard.unprotected.GrouperSimpleMembershipUpdateImportExportExportSubjectIdsCsv=%servletContext%/grouperUi/app/SimpleMembershipUpdateImportExport.exportSubjectIdsCsv/*
org.owasp.csrfguard.unprotected.GrouperSimpleMembershipUpdateImportExportExportAllCsv=%servletContext%/grouperUi/app/SimpleMembershipUpdateImportExport.exportAllCsv/*

org.owasp.csrfguard.unprotected.GrouperUiV2MainIndex=%servletContext%/grouperUi/app/UiV2Main.index
org.owasp.csrfguard.unprotected.GrouperUiV2MainFolderMenu=%servletContext%/grouperUi/app/UiV2Main.folderMenu
org.owasp.csrfguard.unprotected.GrouperUiV2GroupAddMemberFilter=%servletContext%/grouperUi/app/UiV2Group.addMemberFilter
org.owasp.csrfguard.unprotected.GrouperUiV2GroupImportGroupExportSubmit=%servletContext%/grouperUi/app/UiV2GroupImport.groupExportSubmit
org.owasp.csrfguard.unprotected.GrouperUiV2StemCopyParentFolderFilter=%servletContext%/grouperUi/app/UiV2Stem.stemCopyParentFolderFilter
org.owasp.csrfguard.unprotected.GrouperUiV2StemCreateGroupParentFolderFilter=%servletContext%/grouperUi/app/UiV2Stem.createGroupParentFolderFilter
org.owasp.csrfguard.unprotected.GrouperUiV2StemCreateStemParentFolderFilter=%servletContext%/grouperUi/app/UiV2Stem.createStemParentFolderFilter
org.owasp.csrfguard.unprotected.GrouperUiV2SubjectAddToGroupFilter=%servletContext%/grouperUi/app/UiV2Subject.addToGroupFilter
org.owasp.csrfguard.unprotected.GrouperUiV2GroupUpdateFilter=%servletContext%/grouperUi/app/UiV2Group.groupUpdateFilter
org.owasp.csrfguard.unprotected.GrouperUiV2GroupCompositeFilter=%servletContext%/grouperUi/app/UiV2Group.groupCompositeFactorFilter
org.owasp.csrfguard.unprotected.GrouperUiV2StemAddMemberFilter=%servletContext%/grouperUi/app/UiV2Stem.addMemberFilter
org.owasp.csrfguard.unprotected.GrouperUiV2ExternalEntitiesAddGroupFilter=%servletContext%/grouperUi/app/UiV2ExternalEntities.addGroupFilter
org.owasp.csrfguard.unprotected.GrouperUiV2SubjectAddToStemFilter=%servletContext%/grouperUi/app/UiV2Subject.addToStemFilter
org.owasp.csrfguard.unprotected.GrouperUiV2SubjectAddToAttributeDefFilter=%servletContext%/grouperUi/app/UiV2Subject.addToAttributeDefFilter
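The unprotected list above is the security-critical part of this configuration: every entry is a path that CSRFGuard will let through without a token check, so it is worth auditing. As an added example (not Grouper's or CSRFGuard's own code), this Python helper parses such an overlay, resolves %servletContext% to /grouper (the context path used in the token-value uri in step 11), and reports which entries exempt a given request path; the servlet-style matching (exact, trailing /*, *.ext) is an assumption modelled on CSRFGuard's behaviour rather than copied from its source.

```python
"""Audit which request paths a CSRFGuard overlay exempts from token checks.
Added example, not Grouper's or CSRFGuard's code; the matching rules below
(exact, '/prefix/*', '*.ext') are an assumption modelled on CSRFGuard's."""

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."

# Constructed excerpt of the overlay properties listed in step 5.
SAMPLE_OVERLAY = """
org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.unprotected.DefaultGrouper=%servletContext%/
org.owasp.csrfguard.unprotected.GrouperExternalPublic=%servletContext%/grouperExternal/public/*
org.owasp.csrfguard.unprotected.GrouperStrutslogin=%servletContext%/login.do
org.owasp.csrfguard.unprotected.GrouperUiV2MainIndex=%servletContext%/grouperUi/app/UiV2Main.index
"""

def parse_unprotected(text, context_path="/grouper"):
    """Return {name: resolved_pattern} for every unprotected.* entry."""
    patterns = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue  # skip blanks and .properties comment lines
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith(UNPROTECTED_PREFIX):
            name = key[len(UNPROTECTED_PREFIX):]
            patterns[name] = value.replace("%servletContext%", context_path)
    return patterns

def uri_matches(pattern, uri):
    """Servlet-style match: exact, trailing '/*' prefix, or '*.ext' extension."""
    if pattern == uri:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return uri == prefix or uri.startswith(prefix + "/")
    if pattern.startswith("*."):
        return uri.endswith(pattern[1:])
    return False

def exempting_entries(patterns, uri):
    """Names of entries that exempt `uri` from the token check ([] = protected)."""
    return sorted(name for name, pat in patterns.items() if uri_matches(pat, uri))

def broad_exemptions(patterns):
    """Wildcard entries: each exempts a whole subtree, so review these first."""
    return sorted(name for name, pat in patterns.items() if pat.endswith("/*"))
```

Run it against the full overlay file to confirm that state-changing actions (for example the UiV2Group.addMember style actions) come back as protected while only the JavaScript servlet, static assets and read-only filters are exempt.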
...

7. Edit grouperExternal/appHtml/grouper.html and add this entry below all the existing js file includes

Code Block

    <script src="../../grouperExternal/public/OwaspJavaScriptServlet"></script>

8. Create grouperExternal/public/csrfError.html. (Note: it would be nice to have this text externalized.)

Code Block

CSRF token is missing, <a href="../../">start over</a>

9. Edit grouperUi/appHtml/grouper.html and add this entry below all the existing js file includes

Code Block

    <script src="../../grouperExternal/public/OwaspJavaScriptServlet"></script>

10. Edit WEB-INF/grouperUi/templates/common/commonTaglib.jsp, add this line

Code Block

<%@ taglib uri="/WEB-INF/tld/csrfguard.tld" prefix="csrf" %>

11. Edit WEB-INF/grouperUi/templates/simpleMembershipUpdate/simpleMembershipUpdateImport.jsp, add this line below the form tag

Code Block

   <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value uri="/grouper/grouperUi/app/SimpleMembershipUpdateImportExport.importCsv"/>"/>

12. Edit jsp/head.jsp, add this line below the other script tags

Code Block

  <script src="grouperExternal/public/OwaspJavaScriptServlet"></script>

13. Edit WEB-INF/grouperUi2/assetsJsp/commonBottom.jsp, add this below the script tags

Code Block

 <script src="../../grouperExternal/public/OwaspJavaScriptServlet"></script>

14. Edit WEB-INF/grouperUi2/groupImport/groupImport.jsp

FROM

Code Block

            <form id="importGroupFormId" enctype="multipart/form-data" method="post" >

TO

Code Block

            <form id="importGroupFormId" enctype="multipart/form-data" method="post" >
              <%-- note this won't work for token per page --%>
              <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value />"/>

...