JSF 1.2 and CSRF (Cross Site Request Forgery) protection

Similar Messages

• A Cross-site request forgery (CSRF) has been detected. Task=com.bea.consol

  On the BEA admin console and tryiing to install an ear from a remote location that is fairly large, we're seeing the following error:
  <A Cross-site request forgery (CSRF) has been detected. Task=com.bea.console.actions.app.install.Flow.uploadApp address=*.**.***.*** user=weblogic>
  The address contains an actual IP address.
  If we copy the same ear over to the server box and install, it works fine. If we remove some jars from the ear to decrease its size, it works fine.
  We are running a Weblogic 10.3.5 server. The ear that fails is 276MB. We can successfully install a 246MB ear. So the problem must arise somewhere between 250MB and 275MB.
  Has anyone seen this? Is this a known limitation for installing remote ear's?
  Any information is appreciated.

  A phase listener comes to mind. Check out this useful article:
  http://balusc.blogspot.com/2006/09/debug-jsf-lifecycle.html

• What are default Zend Session handling best practices to prevent Cross Site Request Forgery?

  I have enjoyed the David Powers book Adobe Dreamweaver CS5 with PHP:  Training from the Source - and have put many of the examples into practice.  I have a security related concern that may be tied to the Zend::Auth example in the book.  While this is installed an working on my site:
  <?php
  $failed = FALSE;
  if ($_POST) {
    if (empty($_POST['username']) || empty($_POST['password'])) {
      $failed = TRUE;
    } else {
      require_once('library.php');
      // check the user's credentials
      try {
        $auth = Zend_Auth::getInstance();
        $adapter = new Zend_Auth_Adapter_DbTable($dbRead, 'user', 'login', 'user_pass', 'sha1(?)');
        $adapter->setIdentity($_POST['username']);
        $adapter->setCredential($_POST['password']);
        $result = $auth->authenticate($adapter);
        if ($result->isValid()) {
          $storage = $auth->getStorage();
          $storage->write($adapter->getResultRowObject(array(
            'ID', 'login',  'user_first', 'user_last', 'user_role')));
          header('Location: /member/index.php');
          exit;
        } else {
          $failed = TRUE;
      } catch (Exception $e) {
        echo $e->getMessage();
  if (isset($_GET['logout'])) {
    require_once('library.php');
    try {
      $auth = Zend_Auth::getInstance();
      $auth->clearIdentity();
    } catch (Exception $e) {
      echo $e->getMessage();
  Apparently, there is  very limited protection against Cross Site Request Forgery, where the resulting SessionID could be easily hijacked?  I am using the Zend Community edition (I have 1.11.11).     I have an observation from a client that this authentication is not up to snuff. 
  To boil it down: 
  1.  Is there a Zend configuration file that might have some settings to upgrade the Session and or authentication security basics? I'm wondering specifically about the settings in /library/Zend/session.php? Ie secure the session against a changing user IP, and invoking some other session handling stuff (time-out etc). 
  2.  If I understand it correctly, "salting" won't help with this, unless it's added/checked via a hidden POST at login time? 
  Ideally, the man himself, David Powers would jump in here - but I'll take any help I can get!
  Thanks!

  Might ask them over here.
  http://forums.asp.net/1146.aspx/1?MVC
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows]
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

• Cross site request Forgery

  Hi
  please help me in preventing cross site request forgery..its very urgent .
  i am using servlets.
  Thanx
  parminder

  Anything seems to be very urgent today.
  Anyway, can you elaborate in your own words what it is? Once you understand what it is, preventing will be easy. As it is urgent, I don't have time to explain about it. You'll have to do the research yourself.

• ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Requ

  Hi,
  In User application, when I integrate my custom code to upload a file
  (.xls) using struts, we get following error:
  ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Request
  Forgery) detected against
  /IDMProv/complianceRemediationAction.do/requestType=uploadAppData.
  Session has been logged out.
  How can we bypass AntiCsrfServletFilter filter to upload the file using
  my custom code.
  Please share if anybody has some idea. It's urgent!!!
  Thanks
  Vartika Sanat
  Technical Consultant
  9958022664
  vartika's Profile: http://forums.novell.com/member.php?userid=3010
  View this thread: http://forums.novell.com/showthread.php?t=401004

  vartika wrote:
  >
  > Hi,
  >
  > In User application, when I integrate my custom code to upload a file
  > (.xls) using struts, we get following error:
  >
  > ERROR [AntiCsrfServletFilter] Potential CSRF(Cross-site Request
  > Forgery) detected against
  > /IDMProv/complianceRemediationAction.do/requestType=uploadAppData.
  > Session has been logged out.
  >
  > How can we bypass AntiCsrfServletFilter filter to upload the file
  > using my custom code.
  >
  > Please share if anybody has some idea. It's urgent!!!
  If its urgent I suggest you open a SR and also this has nothing to do
  with access manager. Try posting it in the userapp forum.
  Cheers,
  Edward

• Third-party JS Libraries and XHR cross-domain requests

  Hello,
  I am running into issues while developping a Windows Store app implementing the Jabber javascript SDK. This jquery-based SDK allows you to connect to a Cisco communication server to send/receive messages between users and share presence states. 
  The problems I am having is that the SDK attempts to send a request (for the connection) to the communication server using XHR javascript function and Visual Studio throws me an Javascript Access Denied error that I can't get passed even trying to add the
  URL of the server in the whitelist manifest (because it is not an HTTPS uri and the manifest won't take the HTTP uri).
  What would you suggest to perform what I am trying to do within a Windows 8 Store app? How come I cannot add an HTTP uri into the manifest whitelist? Have you already had to deal with the Jabber SDK in such an environment?
  Thank you very much for your help,
  Kind regards.

  Hi Clement,
  This issue may caused by the compatibility between store app and Jabber javascript SDK. Since Jabber is a third-party library and it is out of our support range. I would recommend you post this question on Jabber discussion forum.
  https://communities.cisco.com/community/developer/collaboration/jabber/content?filterID=contentstatus[published]~objecttype~objecttype[thread].
  I also found some similar question about access deny using js. Please refer to see if it help.
  http://stackoverflow.com/questions/14224637/access-is-denied-error-in-windows-store-app-using-javascript
  https://social.msdn.microsoft.com/Forums/windowsapps/en-US/2bf40c11-0b2f-4c99-bed4-2cc80a4eed6b/access-denied-when-call-xmlhttprequestopen-in-the-iframe?forum=winappswithhtml5
  regards,
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place. Click HERE to participate
  the survey.

• I am working on Security scan(to avoid cross site forgery) with the CSRF approach of tomcat(apache-tomcat-6.0.32) but I am getting following issue with firefox:

  I am working on Security scan(to avoid cross site forgery) with the CSRF approach of tomcat(apache-tomcat-6.0.32) but I am getting following issue with firefox:
  1. Firefox is not supporting CSRF provided by tomcat in a proper way firefox creating multiple sessions.
  2. Whenever any exception (like JSP exception) comes on page. Firefox redirects it to CSRFPreventionFilter and this filter creates new session.
  3. Sometimes while traversing through application also CSRFPreventionFilter filter creates new session.

  I seem to have fixed it by putting <div  class="clearfloat"></div> after the navigation bar?

• LiveCycle ES2, Guides, SSL and IE 8/9 Cross Site Scripting Issue

  I have a guide that is being served up in the workspace.
  This guide works fine in all of the different browser versions provided they go through port 8080.
  If however you enable SSL on your server (port 8443) and serve up the guide in the workspace, the end user can fill the entire form out only to have the browser identify the submit process as a Cross Site Scripting issue.
  This is the result:
  The data is essentially lost and guide disappears.  I had a theory that maybe the submit process might be using the default server port for data submissions (8080) and created a customized submit process with the hardcoded targetURL.
  I tried to test my theory and got the same result.  I then modified my custom submit process to essentially do nothing (Started and ended the process with an abstract activity), and got the same result.
  The only other thing that I could think of, is that the automatically generated action script classes might be hard coded to use default port instead of the SSL port.
  Suggestions?!

  Hi
  You can rise SR for your issue for 5000+ user or you can also can connect wiht your system engineer team for can possible solution as setup IE and deploy it to 5000+ user pcs
  For your other question see below note:
  Recommended Browsers for Oracle E-Business Suite 11i [ID 285218.1]
  Regard
  Helios

• Cross Site Publishing and Variations: how to manage assets?

  We have a Cross-Site Publishing scenario:
  - an Authoring site collection with variations enabled, in order to manage content in English and Italian
  - two Publishing site collections
  - an Intranet Site Collection
  Intranet and Web site are feeded from Authoring site collections.
  We have some assets (Video and Photos) with their own metadata (title, description, ...) that we need to localize in each Language.
  We followed TechNet best practices: we saved these assets in a separate site collection with Anonymous access enabled.
  Where do we have to compile metadata?
  In a list in the Authoring site collection where we build an entry for each digital asset we want to describe (of course, a list in each variation site)? Or is it better to associate metadata in the Asset Library (in this case how we manage translations)?

  Did you find a solution for this issue? I have the same problem. Thank you very much
  We have a Cross-Site Publishing scenario:
  - an Authoring site collection with variations enabled, in order to manage content in English and Italian
  - two Publishing site collections
  - an Intranet Site Collection
  Intranet and Web site are feeded from Authoring site collections.
  We have some assets (Video and Photos) with their own metadata (title, description, ...) that we need to localize in each Language.
  We followed TechNet best practices: we saved these assets in a separate site collection with Anonymous access enabled.
  Where do we have to compile metadata?
  In a list in the Authoring site collection where we build an entry for each digital asset we want to describe (of course, a list in each variation site)? Or is it better to associate metadata in the Asset Library (in this case how we manage translations)?

• OEL 5.5, Clusterware and cross site clustering

  Guys,
  Just wandering what solutions others have in place when clustering applications (not oracle db's) through clusterware across multiple sites. Our standard with other clustering products is to create a host based mirror, effectively mirroring the application data across disks at both sites and using the cluster to fail over the vip and application in the event of a DR.
  Other clustering products on Linux all seem to have integration with LVM2 to provide split brain protection (IO fencing/locking) but clusterware does not. Oracle have suggested using ASM to create cross site mirrored volumes but we are not keen on the idea of using ASM to manage volumes on non-database servers (conflict of interest with support of volume management between sys admins and dba's).
  thanks,
  Richard

  rik wrote:
  Other clustering products on Linux all seem to have integration with LVM2 to provide split brain protection (IO fencing/locking) but clusterware does not. Oracle have suggested using ASM to create cross site mirrored volumes but we are not keen on the idea of using ASM to manage volumes on non-database servers (conflict of interest with support of volume management between sys admins and dba's).You could also use OCFS2 which is already in the mainline Linux kernel to provide I/O fencing/locking. However, the latest versions of Clusterware all create ASM volumes for this.

• Due to the presence of characters known to be used in Cross Site Scripting

  I am getting following error when I try to send single quote as part of URL. I tried javascript escape to encode the URL. But still getting same error. Does anybody know workaround for the issue. Thanks
  Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
  403: Access Forbidden
  Your client is not allowed to access the requested object

  FYI. We are using IIS Webserver and Weblogic Appserver.
  When the page is accessed through Weblogic , cross site script does not occur. It happens when the page is rendered via IIS.

• The PyramidVille game in Facebook is not loading.I have no problems with the other games.I'm receiving the message" Forbidden 403" CSRF Verification failed.Request aborted. More information is available with Debug= True

  The PyramidVille game in Facebook is not loading.I have no problems with the other games.I'm receiving the message" Forbidden 403" CSRF Verification failed.Request aborted. More information is available with Debug= True edit

  Clear the cache and the cookies from sites that cause problems.
  "Clear the Cache":
  * Tools > Options > Advanced > Network > Offline Storage (Cache): "Clear Now"
  "Remove the Cookies" from sites causing problems:
  * Tools > Options > Privacy > Cookies: "Show Cookies"
  Reload web page(s) and bypass the cache.
  * Press and hold Shift and left-click the Reload button.
  * Press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows,Linux)
  * Press "Cmd + Shift + R" (MAC)

• How can i get my items to stay in place and not cross over each other when readjusting the browser s

  How can i get my items to stay in place and not cross over each other when readjusting the browser size.
  Basically on my site when i go from a small screen to a big screen everything doesn't adjust to the screen size. I don't know what im missing
  Here's the link to the page all the pages & they all do it
  http://theatricalworkslive.com/
  Thanks in advance

  Please read this whole message before doing anything.
  This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
  The purpose of the test is to determine whether the problem is caused by third-party software that loads automatically at startup or login, or by a peripheral device. 
  Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode and log in to the account with the problem.  Note: If FileVault is enabled, or if a firmware password is set, or if the boot volume is a software RAID, you can’t do this. Post for further instructions.
  Safe mode is much slower to boot and run than normal, and some things won’t work at all, including wireless networking on certain Macs. The next normal boot may also be somewhat slow.
  The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin. Test while in safe mode. Same problem? After testing, reboot as usual (i.e., not in safe mode) and verify that you still have the problem. Post the results of the test.

• Publish Page Content-Cross Site Publishing in SharePoint Online

  Is it possible to get Authoring Site's Specific Page's Content/html content (Live in Page Library of Authoring Site and saved as a Catalog) by a Content Search web part added to the Publishing site's page? 
  (Please note that these sites created in SharePoint 2013 Online, Authoring Site activated Cross site Publishing feature and created using team site template, Publishing site created using Publishing Portal template)

  Hi Gihan,
  Glad to hear your issue solved and thanks for your sharing! It is helpful for others who will meet the same issue.
  Best Regards,
  Eric
  Eric Tao
  TechNet Community Support

• Tomcat 6.0.9 and jsf 1.2 and jstl 1.2 using *.tag file error

  I using :tomcat 6.0.9 and jsf 1.2 and jstl 1.2
  My web.xml is at version 2.5 and I am using a custom tag (with the .tag extension). I am trying to use the http://java.sun.com/jsf/html library and values from my attribute. I'm new to this so I figure I must just me missing something.
  I am run http://192.168.1.1/test.jsf laster,view:
  HTTP Status 500 -
  type Exception report
  message
  description The server encountered an internal error () that prevented it from fulfilling this request.
  exception
  org.apache.jasper.JasperException: Unable to compile class for JSP:
  Stacktrace:
       org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:85)
       org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:330)
       org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:415)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:308)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:286)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:273)
       org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:566)
       org.apache.jasper.servlet.JspServletWrapper.loadTagFile(JspServletWrapper.java:212)
       org.apache.jasper.compiler.TagFileProcessor.loadTagFile(TagFileProcessor.java:576)
       org.apache.jasper.compiler.TagFileProcessor.access$000(TagFileProcessor.java:50)
       org.apache.jasper.compiler.TagFileProcessor$TagFileLoaderVisitor.visit(TagFileProcessor.java:627)
       org.apache.jasper.compiler.Node$CustomTag.accept(Node.java:1507)
       org.apache.jasper.compiler.Node$Nodes.visit(Node.java:2336)
       org.apache.jasper.compiler.Node$Visitor.visitBody(Node.java:2386)
       org.apache.jasper.compiler.TagFileProcessor$TagFileLoaderVisitor.visit(TagFileProcessor.java:631)
       org.apache.jasper.compiler.Node$CustomTag.accept(Node.java:1507)
       org.apache.jasper.compiler.Node$Nodes.visit(Node.java:2336)
       org.apache.jasper.compiler.Node$Visitor.visitBody(Node.java:2386)
       org.apache.jasper.compiler.Node$Visitor.visit(Node.java:2392)
       org.apache.jasper.compiler.Node$Root.accept(Node.java:489)
       org.apache.jasper.compiler.Node$Nodes.visit(Node.java:2336)
       org.apache.jasper.compiler.TagFileProcessor.loadTagFiles(TagFileProcessor.java:645)
       org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:190)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:306)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:286)
       org.apache.jasper.compiler.Compiler.compile(Compiler.java:273)
       org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:566)
       org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:308)
       org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
       org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
       com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:414)
       com.sun.faces.application.ViewHandlerImpl.executePageToBuildView(ViewHandlerImpl.java:455)
       com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:139)
       com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:108)
       com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:266)
       com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:159)
       javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
  note The full stack trace of the root cause is available in the Apache Tomcat/6.0.9 logs.
  if go to /WEB-INF/tags/test.tag ,delete line: <h:outputText id="test" value="hello!" />
  run http://192.168.1.1/test.jsf is OK!(no error),So I guess error for "<h:outputText id="test" value="hello!" />" line ,why in test.tag file do can't use the "http://java.sun.com/jsf/html " library,please help me.......
  Here is file WEB-INF/web.xml content:
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements. See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License. You may obtain a copy of the License at
  http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
  -->
  <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd"
  version="2.5">
  <display-name>Welcome to Tomcat</display-name>
  <description>
  Welcome to Tomcat
  </description>
  <!-- Faces Servlet -->
  <servlet>
       <servlet-name>Faces Servlet</servlet-name>
       <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
       <load-on-startup> 1 </load-on-startup>
  </servlet>
  <!-- Faces Servlet Mapping -->
  <servlet-mapping>
       <servlet-name>Faces Servlet</servlet-name>
       <url-pattern>*.jsf</url-pattern>
  </servlet-mapping>
  </web-app>
  Here is file /test.jsp code:
  <%@ page contentType="text/html;charset=UTF-8" %>
  <%@ taglib prefix="tags" tagdir="/WEB-INF/tags" %>
  <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
  <%@ taglib uri="http://java.sun.com/jsf/core" prefix="f" %>
  <%@ taglib uri="http://java.sun.com/jsf/html" prefix="h" %>
  <f:view>
  <html>
  <head>
  <title>test</title>
  </head>
  <body>
  <!-- body start -->
  <h:outputText id="myinfo" value="test success" />
  <tags:test/>
  <!-- body end -->
  </body>
  </html>
  </f:view>
  Here is file /WEB-INF/tags/test.tag code:
  <%@tag pageEncoding="UTF-8"%>
  <%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
  <%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
  <h:outputText id="test" value="hello!" />
  Thanks for any help.

  Don't know if it's important, but there is no schema avaiable at: http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd
  I found the right one at: http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd
  /perty
  Message was edited by:
  perajonsson