[MAGNOLIA-8210] Review CSRF filter implementations and bypasses Created: 19/Oct/21 Updated: 22/Nov/21 Resolved: 22/Nov/21 |
|
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | core |
| Affects Version/s: | 6.2.12 |
| Fix Version/s: | 6.2.14 |
| Type: | Improvement | Priority: | Neutral |
| Reporter: | Mikaël Geljić | Assignee: | Michael Duerig |
| Resolution: | Done | Votes: | 0 |
| Labels: | artt, csrf | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: | |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoD: |
[X] Doc/release notes changes? Comment present?
[X] Downstream builds green?
[X] Solution information and context easily available?
[X] Tests
[X] FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
| Release notes required: | Yes |
| Documentation update required: | Yes |
| Date of First Response: | |
| Description |
|
After reviewing the CSRF concept in Magnolia, we concluded a couple of solutions: In
In this ticket:
See SUPPORT-13766 for the original bug report. |
| Comments |
| Comment by Michael Duerig [ 19/Nov/21 ] |
|
Doc ticket: |
| Comment by Michael Duerig [ 19/Nov/21 ] |
|
akhamis, for documentation: With this ticket we deprecated CsrfTokenSecurityFilter and replaced it with CsrfCookieTokenFilter and CsrfSessionTokenFilter. Jointly these two classes cover the same functionality that was previously covered by CsrfTokenSecurityFilter.
Splitting into two classes simplifies the implementations and the configuration, at the same time making it more flexible, as bypasses can now be specified more specifically.
Configuration prior to this ticket:
Configuration after this ticket:
Both filters allow setting a CsrfTokenStrategy that defines the strategy for how the filter deals with CSRF tokens. It exposes methods for creating new tokens, validating tokens and token renewal. The default value is HmacCsrfToken for HMAC-secured tokens. Also available is the RandomCsrfToken strategy, which brings back the behaviour prior to MAGNOLIA-7899. |
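The two token strategies described in the comment above, as an added stand-alone example that is not Magnolia's code: an HMAC-secured token that needs no server-side state (bound to the session id and an issue time, verified with a constant-time MAC comparison, with expiry and renewal) next to a random token that must be kept server-side per session. The interface and class names (TokenStrategy, HmacTokenStrategy, RandomTokenStrategy), the token layout, the TTL and renewal parameters, the secret and the in-memory session map are assumptions chosen for illustration; they are not Magnolia's CsrfTokenStrategy, HmacCsrfToken or RandomCsrfToken, and nothing here claims which of the two Magnolia filters uses which storage.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CsrfStrategyDemo {
    public static void main(String[] args) {
        long t0 = 1_700_000_000_000L; // fixed "now" so the run is deterministic (assumed clock value)
        // Secret, 1 h lifetime and 10 min renewal window are illustrative values, not Magnolia defaults.
        TokenStrategy hmac = new HmacTokenStrategy("demo-secret-rotate-me".getBytes(StandardCharsets.UTF_8), 3_600_000L, 600_000L);
        String tok = hmac.create("sessionA", t0);
        String tampered = (tok.charAt(0) == 'A' ? "B" : "A") + tok.substring(1); // alters the signed payload
        System.out.println("hmac: fresh token accepted      " + hmac.validate("sessionA", tok, t0));
        System.out.println("hmac: other session rejected    " + !hmac.validate("sessionB", tok, t0));
        System.out.println("hmac: tampered token rejected   " + !hmac.validate("sessionA", tampered, t0));
        System.out.println("hmac: expired token rejected    " + !hmac.validate("sessionA", tok, t0 + 3_600_001L));
        System.out.println("hmac: rotated once stale        " + !tok.equals(hmac.renew("sessionA", tok, t0 + 600_000L)));

        TokenStrategy random = new RandomTokenStrategy();
        String r = random.create("sessionA", t0);
        System.out.println("random: own session accepted    " + random.validate("sessionA", r, t0));
        random.renew("sessionA", r, t0);
        System.out.println("random: old token dead after renewal " + !random.validate("sessionA", r, t0));
    }
}

/** Hypothetical contract modelled on the comment (create / validate / renew); not Magnolia's CsrfTokenStrategy. */
interface TokenStrategy {
    String create(String sessionId, long now);
    boolean validate(String sessionId, String token, long now);
    /** Token to use next: a fresh one if valid but stale, the same if valid and fresh, null if invalid. */
    String renew(String sessionId, String token, long now);
}

/** Stateless HMAC-secured token: base64url(nonce ":" issuedAt) "." base64url(HMAC-SHA256(secret, sessionId ":" payload)). */
final class HmacTokenStrategy implements TokenStrategy {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;    // server-side secret; never part of the token
    private final long ttl, renewAfter; // milliseconds
    private final SecureRandom rng = new SecureRandom();

    HmacTokenStrategy(byte[] secret, long ttl, long renewAfter) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
        this.ttl = ttl;
        this.renewAfter = renewAfter;
    }

    private byte[] mac(String sessionId, String payload) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            return m.doFinal((sessionId + ":" + payload).getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override public String create(String sessionId, long now) {
        byte[] nonce = new byte[16];
        rng.nextBytes(nonce);
        String payload = ENC.encodeToString(nonce) + ":" + now;
        return ENC.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + "." + ENC.encodeToString(mac(sessionId, payload));
    }

    /** Issue time of a token whose MAC verifies for this session; -1 for malformed, forged or foreign tokens. */
    private long issuedAt(String sessionId, String token) {
        int dot = token == null ? -1 : token.indexOf('.');
        if (dot < 0) return -1;
        try {
            String payload = new String(DEC.decode(token.substring(0, dot)), StandardCharsets.UTF_8);
            byte[] presented = DEC.decode(token.substring(dot + 1));
            if (!MessageDigest.isEqual(mac(sessionId, payload), presented)) return -1; // constant-time compare
            return Long.parseLong(payload.substring(payload.lastIndexOf(':') + 1));
        } catch (IllegalArgumentException e) { // bad base64, or bad number (NumberFormatException is an IAE)
            return -1;
        }
    }

    @Override public boolean validate(String sessionId, String token, long now) {
        long issued = issuedAt(sessionId, token);
        return issued >= 0 && now - issued <= ttl;
    }

    @Override public String renew(String sessionId, String token, long now) {
        if (!validate(sessionId, token, now)) return null;
        return now - issuedAt(sessionId, token) >= renewAfter ? create(sessionId, now) : token;
    }
}

/** Random token kept server-side per session (the map stands in for a session attribute); validation needs that state. */
final class RandomTokenStrategy implements TokenStrategy {
    private final Map<String, String> store = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    @Override public String create(String sessionId, long now) {
        byte[] b = new byte[32];
        rng.nextBytes(b);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        store.put(sessionId, token);
        return token;
    }

    @Override public boolean validate(String sessionId, String token, long now) {
        String expected = store.get(sessionId);
        return expected != null && token != null
            && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), token.getBytes(StandardCharsets.UTF_8));
    }

    @Override public String renew(String sessionId, String token, long now) {
        return validate(sessionId, token, now) ? create(sessionId, now) : null;
    }
}
```

Run it with `java CsrfStrategyDemo.java` (JDK 11 or later); every line should end in true. The point of the contrast: the HMAC token can be checked on any node that holds the secret and survives session replication or a cookie-only deployment, but a leaked secret forges tokens for every session, so the secret must be rotated and never logged; the random token is only as strong as the session store that holds it and becomes invalid the moment it is renewed, which is why the old value fails after renewal. Both variants compare with MessageDigest.isEqual rather than String.equals so a forged token cannot be confirmed byte by byte through timing.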