grouper-dev - [grouper-dev] grouper demo and new ui
- From: Chris Hyzer <>
- To: "" <>
- Subject: [grouper-dev] grouper demo and new ui
- Date: Wed, 23 Apr 2014 18:39:39 +0000
- Accept-language: en-US
Hey, I have finished a pass at integrating CSRF Guard into Grouper 2.2, and it is running on the demo server. This completes the major tasks of the Grouper 2.2 UI work: https://spaces.internet2.edu/display/Grouper/Grouper+UI+v2.2+tasks

There are still 3 jiras related to the 2.2 UI:

After those are addressed I will start working on the release steps for 2.2. We hope to have this released in 4-6 weeks. Thanks to those who have tested the UI; if you found any problems, now is the time to let us know :)

Thanks,
Chris

PS. With the CSRF, there are unprotected URLs which can be bookmarked and do not require a CSRF token. For the Admin UI, the CSRF tokens are injected on page draw; you can see the tokens in the DOM with a browser developer tool (Chrome developer tool or Firefox Firebug). If you remove that DOM element you will see a CSRF error on submit. That will simulate a CSRF problem. On the lite and new UI, it is Ajax based, so Ajax calls will automatically get the CSRF token. You can see this with a browser developer tool, and you can test with a web proxy interceptor like Firefox Tamper Data. Going forward I will assume the CSRF protection is enabled by default in 2.2 and not really supported for previous versions. There is a wiki to help you integrate it, but it works better in 2.2+ :) I made a lot of changes in the OWASP CSRF Guard project, and the team is accepting them into their repository. Currently in Grouper's SVN is a csrfguard jar from my GitHub repo, but once my changes are in their software we can use an official release. Not sure when that would happen.