This is in the Grouper 2.2 UI. By the way, I've heard this does not work with IE8.
Logging

Set this in log4j.properties for enhanced logging:

```properties
log4j.logger.edu.internet2.middleware.grouper.grouperUi.csrf.CsrfGuardLogger = DEBUG
```
Legacy instructions
These instructions install OWASP CSRFGuard in the Grouper UI. They are intended for Grouper v2.1, though they will probably work on v2.0 and could be adapted for earlier versions as well.

1. Download the jar (note: this is from the mchyzer GitHub clone).

1.5. If you have Grouper UI v2.1.5 or earlier, also add this logging jar. Note: remember to remove this temporary jar on upgrade.

2. Put the jar(s) in the UI WEB-INF/lib directory.

3. Put this in the Grouper UI web.core.xml (or web.xml if you are not building again), below all of the existing <filter> tags:
```xml
<listener>
  <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
  <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<servlet>
  <servlet-name>OwaspJavaScriptServlet</servlet-name>
  <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>OwaspJavaScriptServlet</servlet-name>
  <url-pattern>/grouperExternal/public/OwaspJavaScriptServlet</url-pattern>
</servlet-mapping>
<filter>
  <filter-name>CSRFGuard</filter-name>
  <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CSRFGuard</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
...
5. Create conf/Owasp.CsrfGuard.overlay.properties (which will end up in WEB-INF/classes/Owasp.CsrfGuard.overlay.properties). Every `unprotected.*` entry below is a URL the CSRF filter will let through without a token, so keep the list to pages that do not change state:

```properties
org.owasp.csrfguard.Logger=edu.internet2.middleware.grouper.grouperUi.csrf.CsrfGuardLogger
org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/grouperExternal/public/csrfError.html
org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory
org.owasp.csrfguard.unprotected.DefaultGrouper=%servletContext%/
org.owasp.csrfguard.unprotected.GrouperHome=%servletContext%/home.do
org.owasp.csrfguard.unprotected.GrouperDir=%servletContext%/grouper/*
org.owasp.csrfguard.unprotected.GrouperExternal=%servletContext%/grouperExternal/index.html
org.owasp.csrfguard.unprotected.GrouperExternalAppHtml=%servletContext%/grouperExternal/appHtml/*
org.owasp.csrfguard.unprotected.GrouperExternalPublic=%servletContext%/grouperExternal/public/*
org.owasp.csrfguard.unprotected.GrouperUi=%servletContext%/grouperUi/
org.owasp.csrfguard.unprotected.GrouperUiIndex=%servletContext%/grouperUi/index.html
org.owasp.csrfguard.unprotected.GrouperUiAppHtml=%servletContext%/grouperUi/appHtml/*
org.owasp.csrfguard.unprotected.GrouperI2mi=%servletContext%/i2mi/*
org.owasp.csrfguard.unprotected.GrouperScripts=%servletContext%/scripts/*
org.owasp.csrfguard.unprotected.GrouperIndex=%servletContext%/index.jsp
org.owasp.csrfguard.unprotected.GrouperOwaspJavascript=%servletContext%/grouperExternal/public/OwaspJavaScriptServlet
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStems=%servletContext%/browseStems.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsCreate=%servletContext%/browseStemsCreate.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsFind=%servletContext%/browseStemsFind.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsManage=%servletContext%/browseStemsManage.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsJoin=%servletContext%/browseStemsJoin.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsSubjectSearch=%servletContext%/browseStemsSubjectSearch.do
org.owasp.csrfguard.unprotected.GrouperStrutsbrowseStemsAll=%servletContext%/browseStemsAll.do
org.owasp.csrfguard.unprotected.GrouperStrutserror=%servletContext%/error.do
org.owasp.csrfguard.unprotected.GrouperStrutsfilterError=%servletContext%/filterError.do
org.owasp.csrfguard.unprotected.GrouperStrutshelp=%servletContext%/help.do
org.owasp.csrfguard.unprotected.GrouperStrutslogin=%servletContext%/login.do
org.owasp.csrfguard.unprotected.GrouperStrutslogout=%servletContext%/logout.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateAllGroups=%servletContext%/populateAllGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateAssignNewMembers=%servletContext%/populateAssignNewMembers.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateChains=%servletContext%/populateChains.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCopyGroup=%servletContext%/populateCopyGroup.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCopyGroupToStem=%servletContext%/populateCopyGroupToStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCopyOtherStemToStem=%servletContext%/populateCopyOtherStemToStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCopyStem=%servletContext%/populateCopyStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCreateGroup=%servletContext%/populateCreateGroup.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCreateGroups=%servletContext%/populateCreateGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateCreateStem=%servletContext%/populateCreateStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateDebugPrefs=%servletContext%/populateDebugPrefs.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateEditGroup=%servletContext%/populateEditGroup.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateEditGroupAttributes=%servletContext%/populateEditGroupAttributes.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateEditStem=%servletContext%/populateEditStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateFindNewMembers=%servletContext%/populateFindNewMembers.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateFindNewMembersForStems=%servletContext%/populateFindNewMembersForStems.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupAsFactor=%servletContext%/populateGroupAsFactor.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupMember=%servletContext%/populateGroupMember.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupMembers=%servletContext%/populateGroupMembers.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupPriviligees=%servletContext%/populateGroupPriviligees.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupSummary=%servletContext%/populateGroupSummary.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateGroupTypes=%servletContext%/populateGroupTypes.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateIndex=%servletContext%/populateIndex.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateJoinGroups=%servletContext%/populateJoinGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateListSavedGroups=%servletContext%/populateListSavedGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateListSavedStems=%servletContext%/populateListSavedStems.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateListSavedSubjects=%servletContext%/populateListSavedSubjects.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateManageGroups=%servletContext%/populateManageGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMoveGroupToStem=%servletContext%/populateMoveGroupToStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMoveGroup=%servletContext%/populateMoveGroup.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMovesCopiesLinks=%servletContext%/populateMovesCopiesLinks.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMoveOtherStemToStem=%servletContext%/populateMoveOtherStemToStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMoveStem=%servletContext%/populateMoveStem.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateMyGroups=%servletContext%/populateMyGroups.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateStemMember=%servletContext%/populateStemMember.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateStemPriviligees=%servletContext%/populateStemPriviligees.do
org.owasp.csrfguard.unprotected.GrouperStrutspopulateSubjectSummary=%servletContext%/populateSubjectSummary.do
org.owasp.csrfguard.unprotected.GrouperStrutsuserAudit=%servletContext%/userAudit.do
org.owasp.csrfguard.unprotected.GrouperSimpleMembershipUpdateImportExportExportSubjectIdsCsv=%servletContext%/grouperUi/app/SimpleMembershipUpdateImportExport.exportSubjectIdsCsv/*
org.owasp.csrfguard.unprotected.GrouperSimpleMembershipUpdateImportExportExportAllCsv=%servletContext%/grouperUi/app/SimpleMembershipUpdateImportExport.exportAllCsv/*
org.owasp.csrfguard.unprotected.GrouperUiV2MainIndex=%servletContext%/grouperUi/app/UiV2Main.index
org.owasp.csrfguard.unprotected.GrouperUiV2MainFolderMenu=%servletContext%/grouperUi/app/UiV2Main.folderMenu
org.owasp.csrfguard.unprotected.GrouperUiV2GroupAddMemberFilter=%servletContext%/grouperUi/app/UiV2Group.addMemberFilter
org.owasp.csrfguard.unprotected.GrouperUiV2GroupImportGroupExportSubmit=%servletContext%/grouperUi/app/UiV2GroupImport.groupExportSubmit
org.owasp.csrfguard.unprotected.GrouperUiV2StemCopyParentFolderFilter=%servletContext%/grouperUi/app/UiV2Stem.stemCopyParentFolderFilter
org.owasp.csrfguard.unprotected.GrouperUiV2StemCreateGroupParentFolderFilter=%servletContext%/grouperUi/app/UiV2Stem.createGroupParentFolderFilter
org.owasp.csrfguard.unprotected.GrouperUiV2StemCreateStemParentFolderFilter=%servletContext%/grouperUi/app/UiV2Stem.createStemParentFolderFilter
org.owasp.csrfguard.unprotected.GrouperUiV2SubjectAddToGroupFilter=%servletContext%/grouperUi/app/UiV2Subject.addToGroupFilter
org.owasp.csrfguard.unprotected.GrouperUiV2GroupUpdateFilter=%servletContext%/grouperUi/app/UiV2Group.groupUpdateFilter
org.owasp.csrfguard.unprotected.GrouperUiV2GroupCompositeFilter=%servletContext%/grouperUi/app/UiV2Group.groupCompositeFactorFilter
org.owasp.csrfguard.unprotected.GrouperUiV2StemAddMemberFilter=%servletContext%/grouperUi/app/UiV2Stem.addMemberFilter
org.owasp.csrfguard.unprotected.GrouperUiV2ExternalEntitiesAddGroupFilter=%servletContext%/grouperUi/app/UiV2ExternalEntities.addGroupFilter
org.owasp.csrfguard.unprotected.GrouperUiV2SubjectAddToStemFilter=%servletContext%/grouperUi/app/UiV2Subject.addToStemFilter
org.owasp.csrfguard.unprotected.GrouperUiV2SubjectAddToAttributeDefFilter=%servletContext%/grouperUi/app/UiV2Subject.addToAttributeDefFilter
```
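To see what the exemption list in step 5 actually does, here is an added Python example (not Grouper's or CSRFGuard's own code) that parses an overlay excerpt, resolves %servletContext% (assumed to be /grouper, the context path step 11 uses), rejects a duplicated key like the one that creeps into copied property files, and reports which request URIs would bypass the token check. The matching it applies is an approximation of CSRFGuard's rules (exact match, /dir/* path prefix, ^...$ regex), and `overbroad` is a hypothetical helper name.

```python
import re
# Constructed excerpt of the step-5 overlay (not the whole file); %servletContext%
# is assumed to resolve to /grouper, the context path used in step 11.
OVERLAY = """
org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.unprotected.GrouperDir=%servletContext%/grouper/*
org.owasp.csrfguard.unprotected.GrouperStrutslogin=%servletContext%/login.do
org.owasp.csrfguard.unprotected.GrouperUiV2GroupAddMemberFilter=%servletContext%/grouperUi/app/UiV2Group.addMemberFilter
org.owasp.csrfguard.unprotected.GrouperOwaspJavascript=%servletContext%/grouperExternal/public/OwaspJavaScriptServlet
"""
UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."

def load_unprotected(text, servlet_context="/grouper"):
    """Return {name: resolved pattern} for every unprotected.* key. A duplicated
    key is an error: the later value silently wins, which hides copy/paste slips."""
    patterns = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if not key.startswith(UNPROTECTED_PREFIX):
            continue
        name = key[len(UNPROTECTED_PREFIX):]
        if name in patterns:
            raise ValueError("duplicate unprotected key: " + name)
        patterns[name] = value.strip().replace("%servletContext%", servlet_context)
    return patterns

def uri_matches(pattern, uri):
    """Approximation of CSRFGuard's page matching (an assumption, not its code):
    exact match, '/dir/*' path prefix, or a ^...$ regular expression."""
    if pattern == uri:
        return True
    if pattern.startswith("^") and pattern.endswith("$"):
        return re.match(pattern, uri) is not None
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return uri == prefix or uri.startswith(prefix + "/")
    return False

def is_protected(patterns, uri):
    """True when no exemption matches, i.e. the filter will demand a valid token."""
    return not any(uri_matches(p, uri) for p in patterns.values())

def overbroad(patterns, servlet_context="/grouper"):
    """Names of exemptions that would switch the guard off for the whole app."""
    return [n for n, p in patterns.items() if p in ("/*", servlet_context + "/*")]
```

Running `overbroad` and `is_protected` against your real overlay is a quick way to confirm that state-changing actions (for example UiV2Group.addMember) are still covered while the read-only filter actions are exempt.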
...
7. Edit grouperExternal/appHtml/grouper.html and add this entry below all the existing JS files:

```html
<script src="../../grouperExternal/public/OwaspJavaScriptServlet"></script>
```
8. Create grouperExternal/public/csrfError.html. Note: it would be nice to have this in externalized text...

```html
CSRF token is missing, <a href="../../">start over</a>
```
9. Edit grouperUi/appHtml/grouper.html and add this entry below all the existing JS files:

```html
<script src="../../grouperExternal/public/OwaspJavaScriptServlet"></script>
```
10. Edit WEB-INF/grouperUi/templates/common/commonTaglib.jsp and add this line:

```jsp
<%@ taglib uri="/WEB-INF/tld/csrfguard.tld" prefix="csrf" %>
```
11. Edit WEB-INF/grouperUi/templates/simpleMembershipUpdate/simpleMembershipUpdateImport.jsp and add this line below the form tag:

```jsp
<input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value uri="/grouper/grouperUi/app/SimpleMembershipUpdateImportExport.importCsv"/>"/>
```
12. Edit jsp/head.jsp and add this line below the other script tags:

```html
<script src="grouperExternal/public/OwaspJavaScriptServlet"></script>
```
13. Edit WEB-INF/grouperUi2/assetsJsp/commonBottom.jsp and add this below the script tags:

```html
<script src="../../grouperExternal/public/OwaspJavaScriptServlet"></script>
```
14. Edit WEB-INF/grouperUi2/groupImport/groupImport.jsp

FROM

```jsp
<form id="importGroupFormId" enctype="multipart/form-data" method="post" >
```

TO

```jsp
<form id="importGroupFormId" enctype="multipart/form-data" method="post" >
<%-- note: this won't work with token per page --%>
<input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value />"/>
```
...