
grouper-dev - [grouper-dev] grouper demo and new ui

Subject: Grouper Developers Forum

  • From: Chris Hyzer <>
  • Subject: [grouper-dev] grouper demo and new ui
  • Date: Wed, 23 Apr 2014 18:39:39 +0000



I have finished a pass at integrating CSRF guard into Grouper 2.2, and it is running on the demo server.


This completes the major tasks of Grouper 2.2 UI work:


There are still 3 jiras related to the 2.2 UI:


After those are addressed I will start working on the release steps for 2.2.  We hope to have this released in 4-6 weeks.


Thanks to those who have tested the UI. If you found any problems, now is the time to let us know :)





P.S. With the CSRF, there are unprotected URLs which can be bookmarked and do not require a CSRF token.  For the Admin UI, the CSRF tokens are injected on page draw; you can see the tokens in the DOM with a browser developer tool (Chrome developer tools or Firefox Firebug).  If you remove that DOM element you will see a CSRF error on submit.  That will simulate a CSRF problem.  The lite and new UI are Ajax based, so Ajax calls will automatically get the CSRF token.  You can see this with a browser developer tool, and you can test with a web proxy interceptor like Firefox Tamper Data.  Going forward I will assume the CSRF protection is enabled by default in 2.2 and not really supported for previous versions.  There is a wiki to help you integrate it, but it works better in 2.2+ :)  I made a lot of changes in the OWASP CSRF Guard project, and the team is accepting them into their repository.  Currently in Grouper’s SVN is a csrfguard jar from my GitHub repo, but once my changes are in their software we can use an official release.  Not sure when that would happen.
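
The behaviour described in the P.S. above, sketched as an added example that is not part of the original message and is not Grouper or OWASP CSRFGuard code: a minimal synchronizer-token check showing why a bookmarked unprotected URL passes, why a form submitted after its token element is removed fails, and how an Ajax call carrying the token in a header succeeds. The field name, header name, paths and the GET-only rule for unprotected URLs are assumptions of this sketch.

```javascript
// Added illustration of a synchronizer-token check; not CSRFGuard source code.
const crypto = require('node:crypto');

// Hypothetical names; a real deployment takes these from its CSRF library's config.
const TOKEN_FIELD = 'csrf_token';    // hidden form field injected on page draw
const TOKEN_HEADER = 'x-csrf-token'; // header attached automatically to Ajax calls
// Constructed list of bookmarkable entry pages that need no token.
const UNPROTECTED = [/^\/app\/?$/, /^\/app\/index$/, /^\/app\/group\/view$/];

// One random token per session, stored server side.
function newSession() {
  return { csrfToken: crypto.randomBytes(32).toString('hex') };
}

// Constant-time comparison so the check does not leak how many characters matched.
function tokensMatch(expected, presented) {
  if (typeof presented !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(presented);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide one request. Returns { allowed, reason }.
function checkRequest(session, req) {
  // Assumption of this sketch: only GETs are exempt, since a bookmark is a GET.
  if (req.method === 'GET' && UNPROTECTED.some((re) => re.test(req.path))) {
    return { allowed: true, reason: 'unprotected-url' };
  }
  if (!session || !session.csrfToken) {
    return { allowed: false, reason: 'no-session-token' };
  }
  const headers = req.headers || {};
  const form = req.form || {};
  // Ajax requests carry the token in a header, page forms in a hidden field.
  const presented =
    headers[TOKEN_HEADER] !== undefined ? headers[TOKEN_HEADER] : form[TOKEN_FIELD];
  if (presented === undefined) {
    // This is the case reproduced by deleting the token element from the DOM.
    return { allowed: false, reason: 'token-missing' };
  }
  return tokensMatch(session.csrfToken, presented)
    ? { allowed: true, reason: 'token-valid' }
    : { allowed: false, reason: 'token-mismatch' };
}
```
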
