Subject: Grouper Developers Forum
- From: Chris Hyzer <>
- To: "" <>
- Subject: [grouper-dev] grouper demo and new ui
- Date: Wed, 23 Apr 2014 18:39:39 +0000
- Accept-language: en-US
I have finished a pass at integrating CSRF guard into Grouper 2.2, and it is running on the demo server.
This completes the major tasks of Grouper 2.2 UI work:
There are still 3 jiras related to the 2.2 UI:
After those are addressed I will start working on the release steps for 2.2. We hope to have this released in 4-6 weeks.
Thanks to those who have tested the UI, if you found any problems now is the time to let us know :)

PS. With the CSRF, there are unprotected URLs which can be bookmarked and do not require a CSRF token. For the Admin UI, the CSRF tokens are injected on page draw, you can see the tokens in the DOM with a browser developer tool (Chrome developer tool or Firefox Firebug). If you remove that DOM element you will see a CSRF error on submit. That will simulate a CSRF problem. On the lite and new UI, it is Ajax based, so Ajax calls will automatically get the CSRF token. You can see this with a browser developer tool, and you can test with a web proxy interceptor like Firefox Tamper Data. Going forward I will assume the CSRF protection is enabled by default in 2.2 and not really supported for previous versions. There is a wiki to help you integrate it, but it works better in 2.2+ :) I made a lot of changes in the OWASP CSRF Guard project, and the team is accepting them into their repository. Currently in Grouper’s SVN is a csrfguard jar from my GitHub repo, but once my changes are in their software we can use an official release. Not sure when that would happen.
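The token flow the PS describes (token injected into the page on draw, submitted back as a hidden field or, for Ajax, as a header, bookmarkable URLs left unprotected, and a CSRF error when the DOM element is removed) can be modelled in a few lines. The following is an added example, not code from the post, from Grouper or from OWASP CSRFGuard; it assumes CSRFGuard's default token name `OWASP_CSRFTOKEN` and uses constructed paths (`/app/save`, `/app/home`, `/app/help`) that do not appear in the post.

```python
import hmac
import re
import secrets
from html.parser import HTMLParser

# Token field/header name. OWASP CSRFGuard's default is OWASP_CSRFTOKEN;
# stated here as an assumption, not taken from the post.
TOKEN_NAME = "OWASP_CSRFTOKEN"

# Constructed set of "unprotected" paths that may be bookmarked and need
# no token (the post mentions such URLs without naming them).
UNPROTECTED_PATHS = {"/app/home", "/app/help"}


class Session:
    """One user session holding its own per-session CSRF token."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def render_form(session, action):
    """Page draw: inject the session token as a hidden input, as the
    Admin UI does; this is the element visible in the DOM inspector."""
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="{TOKEN_NAME}" value="{session.csrf_token}">'
        '<input type="submit" value="Save">'
        "</form>"
    )


class _HiddenFields(HTMLParser):
    """Collect hidden inputs the way a browser does on submit."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")


def browser_submit(html):
    """Simulate the browser: return the POST body fields for the form."""
    p = _HiddenFields()
    p.feed(html)
    return p.fields


def remove_token_element(html):
    """Simulate deleting the token element in the developer tools."""
    pattern = rf'<input type="hidden" name="{re.escape(TOKEN_NAME)}" value="[^"]*">'
    return re.sub(pattern, "", html)


def ajax_headers(session):
    """Ajax path: the token rides in a request header that the page's
    Ajax wrapper adds automatically (what a proxy interceptor shows)."""
    return {TOKEN_NAME: session.csrf_token}


def validate_request(session, path, form_fields=None, headers=None):
    """Server side: unprotected paths pass; every other request must carry
    a token (form field for classic pages, header for Ajax) that matches
    the session token under a constant-time compare."""
    if path in UNPROTECTED_PATHS:
        return True
    submitted = None
    if form_fields and TOKEN_NAME in form_fields:
        submitted = form_fields[TOKEN_NAME]
    elif headers and TOKEN_NAME in headers:
        submitted = headers[TOKEN_NAME]
    if submitted is None:
        return False  # this is the "CSRF error on submit" case
    return hmac.compare_digest(submitted, session.csrf_token)


if __name__ == "__main__":
    s = Session()
    page = render_form(s, "/app/save")
    print(validate_request(s, "/app/save", form_fields=browser_submit(page)))
    stripped = remove_token_element(page)
    print(validate_request(s, "/app/save", form_fields=browser_submit(stripped)))
    print(validate_request(s, "/app/home"))
    print(validate_request(s, "/app/save", headers=ajax_headers(s)))
```

Running the block prints `True`, `False`, `True`, `True`: the intact form passes, the form with the token element deleted is rejected, the bookmarkable path needs no token, and the Ajax header path passes. A token taken from a different session is also rejected, since validation is bound to the session that drew the page.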