
Difference between revisions of "CSRFGuard 3 User Manual"

Line 1: Line 1:
 +
= Overview =
 +
 +
Welcome to the OWASP CSRFGuard 3 User Manual! The purpose of this article is to provide the user with guidance on obtaining, installing, deploying, and developing with the OWASP CSRFGuard library.
 +
 +
= Download =
 +
 +
Users can download the latest release of OWASP CSRFGuard using one of the following links:
 +
 +
:[http://www.example.com Click here] to download the latest stable binary and associated configuration files
 +
:[http://www.example.com Click here] to download the latest stable archive of the project source code
 +
 +
= Installation =
 +
 +
Installation of OWASP CSRFGuard 3 is very straight forward requiring two simple steps. First, you must copy the Owasp.CsrfGuard.jar file and map the CsrfGuardFilter in your application's deployment descriptor (web.xml). You'll need to make sure you tell CsrfGuardFilter the location of your CSRFGuard properties file via a JavaEE Filter init-param directive. Please refer to the following sub-sections for more detailed information on each of the aforementioned installation steps.
 +
 +
== Copy Owasp.CsrfGuard.jar to Classpath ==
 +
 +
The first thing you need to do is copy the Owasp.CsrfGuard.jar library into your classpath. The most common classpath location to place Owasp.CsrfGuard.jar is within the ''lib'' directory of the web application's ''WEB-INF'' folder. OWASP CSRFGuard 3 has no additional dependencies outside of the traditional JavaEE runtime environment.
 +
 +
== Declare and Map the CsrfGuardFilter in web.xml ==
 +
 +
After placing Owasp.CsrfGuard.jar in your application's classpath, you'll need to declare and map the CsrfGuardFilter in web.xml. All CSRF token verification logic is encompassed within the stand-alone filter. The following web.xml snippet was extracted from the [http://www.tbd.com Owasp.CsrfGuard.Test] web application:
 +
 +
<filter>
 +
<filter-name>CSRFGuard</filter-name>
 +
<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
 +
<init-param>
 +
<param-name>config</param-name>
 +
<param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
 +
</init-param>
 +
<init-param>
 +
<param-name>print-config</param-name>
 +
<param-value>true</param-value>
 +
</init-param>
 +
</filter>
 +
 +
 +
 +
 +
#Tell CSRFGuard the location of the properties file
 +
 +
 +
 +
= Deployment =
 +
 +
== Landing Page ==
 +
 +
== Ajax Support ==
 +
 +
== Referrer Checking ==
 +
 +
== Unprotected Pages ==
 +
 +
== Response to Attack: Actions ==
 +
 +
== Miscellaneous Configurations ==
 +
 +
= Token Injection =
 +
 +
== JSP Tag Library ==
 +
 +
== Dynamic JavaScript ==
 +
 
[[Category:OWASP_CSRFGuard_Project]]
 
[[Category:OWASP_CSRFGuard_Project]]
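
Review bot: The web.xml snippet under "Declare and Map the CsrfGuardFilter in web.xml" contains only the `<filter>` declaration and no `<filter-mapping>` element, so a reader who copies it as shown gets a filter that the container never applies to any request. Add the matching `<filter-mapping>` (same `<filter-name>CSRFGuard</filter-name>`, plus the intended `<url-pattern>`) to the snippet. Two smaller points in the same revision: the Installation paragraph promises "two simple steps" but only introduces a "First", and the download and test-application links still point at the placeholders www.example.com and www.tbd.com.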

Revision as of 02:08, 11 November 2010

Overview

Welcome to the OWASP CSRFGuard 3 User Manual! The purpose of this article is to provide the user with guidance on obtaining, installing, deploying, and developing with the OWASP CSRFGuard library.

Download

Users can download the latest release of OWASP CSRFGuard using one of the following links:

Click here to download the latest stable binary and associated configuration files
Click here to download the latest stable archive of the project source code

Installation

Installation of OWASP CSRFGuard 3 is straightforward and requires two simple steps: copy the Owasp.CsrfGuard.jar file into your classpath, then declare and map the CsrfGuardFilter in your application's deployment descriptor (web.xml). You must also tell CsrfGuardFilter the location of your CSRFGuard properties file via a JavaEE Filter init-param directive. Please refer to the following sub-sections for more detailed information on each of these installation steps.

Copy Owasp.CsrfGuard.jar to Classpath

The first thing you need to do is copy the Owasp.CsrfGuard.jar library into your classpath. The most common location for Owasp.CsrfGuard.jar is the lib directory of the web application's WEB-INF folder. OWASP CSRFGuard 3 has no additional dependencies outside of the traditional JavaEE runtime environment.

Declare and Map the CsrfGuardFilter in web.xml

After placing Owasp.CsrfGuard.jar in your application's classpath, you'll need to declare and map the CsrfGuardFilter in web.xml. All CSRF token verification logic is encompassed within the stand-alone filter. The following web.xml snippet was extracted from the Owasp.CsrfGuard.Test web application:

	<filter>
		<filter-name>CSRFGuard</filter-name>
		<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
		<init-param>
			<param-name>config</param-name>
			<param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
		</init-param>
		<init-param>
			<param-name>print-config</param-name>
			<param-value>true</param-value>
		</init-param>
	</filter>



  1. Tell CSRFGuard the location of the properties file
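
As an added example (not from the CSRFGuard project or the original page), the following check parses a web.xml and reports a CsrfGuardFilter that is declared without a `config` init-param or without any filter-mapping. Both sample descriptors are constructed for illustration; the `/*` URL pattern and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.owasp.csrfguard.CsrfGuardFilter"

# Constructed sample: the filter declaration shown on the page, with no mapping.
DECLARED_ONLY = """<web-app>
  <filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
    </init-param>
  </filter>
</web-app>"""

# Constructed sample: the same declaration plus a mapping (/* is an assumption).
MAPPED = DECLARED_ONLY.replace("</web-app>", """  <filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>""")

def local(tag):
    """Drop an XML namespace prefix so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), None)

def check_descriptor(xml_text):
    """Return a list of problems with the CsrfGuardFilter setup in a web.xml."""
    root = ET.fromstring(xml_text)
    mapped = {child_text(e, "filter-name") for e in root
              if local(e.tag) == "filter-mapping"
              and (child_text(e, "url-pattern") or child_text(e, "servlet-name"))}
    problems, seen = [], False
    for f in (e for e in root if local(e.tag) == "filter"):
        if child_text(f, "filter-class") != FILTER_CLASS:
            continue
        seen, name = True, child_text(f, "filter-name")
        params = {child_text(p, "param-name"): child_text(p, "param-value")
                  for p in f if local(p.tag) == "init-param"}
        if not params.get("config"):
            problems.append(f"{name}: no 'config' init-param")
        if name not in mapped:
            problems.append(f"{name}: declared but not mapped to any URL")
    return problems if seen else ["CsrfGuardFilter is not declared"]
```
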


Deployment

Landing Page

Ajax Support

Referrer Checking

Unprotected Pages

Response to Attack: Actions

Miscellaneous Configurations

Token Injection

JSP Tag Library

Dynamic JavaScript