user2269170

Reputation: 79

Disable CSRF Guard in Java EE, Struts 1.3

I want to disable CSRF guards in Tomcat. I don't know how to allow the back and page refresh buttons to be functional. For the time being, I just want to disable everything related to CSRF. For this purpose there is one file, Owasp.CsrfGuard.properties, with the following properties:

org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.NewTokenLandingPage=PYEntry.jsp

org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)

org.owasp.csrfguard.unprotected.QualificationPage=/pondicheryJan30/qualification.do
org.owasp.csrfguard.unprotected.PersonalPage=/pondicheryJan30/personal.do
org.owasp.csrfguard.unprotected.DownloadResume=/pondicheryJan30/DownloadResumeAction.do
org.owasp.csrfguard.unprotected.allotUpdatePage=/pondicheryJan30/allotUpdate.do
org.owasp.csrfguard.unprotected.PersonalEditPage=/pondicheryJan30/personalEdit.do


org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=globalerror.jsp 

Upvotes: 0

Views: 3216

Answers (2)

santon

Reputation: 1834

I know this is old but for anyone looking for a solution, please try the following.

Add the following property

org.owasp.csrfguard.Enabled=false

Also try setting these properties explicitly so that the guard does not use per-page tokens or rotate tokens per request. These should be disabled by default, but I am suggesting it so that those possibilities are mitigated.

org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Rotate=false

Rotating tokens typically results in back and forward navigation issues as the saved link tokens have already expired.

Upvotes: 2
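As an added example (not code from either answer, and not from the OWASP CSRFGuard project), the following Python script parses an Owasp.CsrfGuard.properties file like the one in the question and reports the guard's effective state: whether `org.owasp.csrfguard.Enabled=false` has switched token validation off altogether, which paths the `org.owasp.csrfguard.unprotected.*` entries exempt, and whether `Rotate` or `TokenPerPage` are on (the settings the answer above names as the cause of back/forward breakage). Both samples are constructed from the properties shown on this page. The defaults assumed when a key is absent (guard enabled, no rotation, no per-page tokens) are assumptions that match the answer's statement that rotation and per-page tokens are off by default; the properties reader is a deliberately minimal one, not `java.util.Properties`.

```python
"""Audit an OWASP CSRFGuard properties file for its effective protection state.

Added example for this page; not code from the question, the answers or the
CSRFGuard project. Both samples below are constructed from the page's text.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PREFIX = "org.owasp.csrfguard."

# Constructed sample: the question's file. No Enabled key, so the guard is on.
QUESTION_PROPERTIES = """\
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger
org.owasp.csrfguard.NewTokenLandingPage=PYEntry.jsp
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.unprotected.QualificationPage=/pondicheryJan30/qualification.do
org.owasp.csrfguard.unprotected.PersonalPage=/pondicheryJan30/personal.do
org.owasp.csrfguard.unprotected.DownloadResume=/pondicheryJan30/DownloadResumeAction.do
org.owasp.csrfguard.unprotected.allotUpdatePage=/pondicheryJan30/allotUpdate.do
org.owasp.csrfguard.unprotected.PersonalEditPage=/pondicheryJan30/personalEdit.do
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=globalerror.jsp
"""

# Constructed sample: the "disable everything" configuration from the answer above.
DISABLED_PROPERTIES = """\
org.owasp.csrfguard.Enabled=false
org.owasp.csrfguard.TokenPerPage=false
org.owasp.csrfguard.TokenPerPagePrecreate=false
org.owasp.csrfguard.Rotate=false
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key=value or
    key:value, and backslash line continuation. Whitespace-separated keys and
    escape sequences are not handled; CSRFGuard files do not need them."""
    props: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]  # logical line continues on the next physical line
            continue
        line, pending = pending + line, ""
        sep = next((i for i, ch in enumerate(line) if ch in "=:"), len(line))
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _flag(props: dict[str, str], name: str, default: bool) -> bool:
    # Assumed defaults when the key is absent: Enabled=true, Rotate=false,
    # TokenPerPage=false (the answer above says the latter two are off by default).
    return props.get(PREFIX + name, str(default)).strip().lower() == "true"


@dataclass
class CsrfGuardAudit:
    enabled: bool
    rotate: bool
    token_per_page: bool
    unprotected: dict[str, str] = field(default_factory=dict)
    findings: list[str] = field(default_factory=list)


def audit_csrfguard(text: str) -> CsrfGuardAudit:
    """Summarise what the CSRFGuard filter will actually enforce for these properties."""
    props = parse_properties(text)
    tag = PREFIX + "unprotected."
    audit = CsrfGuardAudit(
        enabled=_flag(props, "Enabled", True),
        rotate=_flag(props, "Rotate", False),
        token_per_page=_flag(props, "TokenPerPage", False),
        unprotected={k[len(tag):]: v for k, v in props.items() if k.startswith(tag)},
    )
    if not audit.enabled:
        # Enabled=false is the blanket switch: no request is token-checked, so the
        # whole application loses CSRF protection, not only the back/refresh pages.
        audit.findings.append("Enabled=false: CSRF token validation is off for every request")
        return audit
    for name, path in sorted(audit.unprotected.items()):
        audit.findings.append(f"unprotected.{name}: {path} is exempt from token validation")
    if audit.rotate:
        audit.findings.append("Rotate=true: new token per request; Back/Forward resubmit stale tokens")
    if audit.token_per_page:
        audit.findings.append("TokenPerPage=true: per-page tokens are in use")
    return audit


def report(text: str) -> str:
    """Plain-text report, one finding per line."""
    a = audit_csrfguard(text)
    state = "enabled" if a.enabled else "DISABLED"
    lines = [f"CSRFGuard {state}; rotate={a.rotate}; token_per_page={a.token_per_page}"]
    lines += [f"  - {f}" for f in a.findings] or ["  - no exemptions or rotation configured"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(QUESTION_PROPERTIES))
    print(report(DISABLED_PROPERTIES))
```

Run it against the real properties file (`report(open("Owasp.CsrfGuard.properties").read())`) before and after a change. The point the audit makes explicit is the trade-off in the question: `Enabled=false` does fix the Back and refresh buttons, but it does so by turning off CSRF validation for every request in the application, whereas the `unprotected.*` entries and `Rotate=false` narrow the exposure to specific pages or to navigation behaviour only.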

user1746319

Reputation: 21

This is CSRF Guard, specifically used for preventing Cross-Site Request Forgery.

If you want to disable CSRF Guard, go to your web.xml file and remove or comment out the CSRF and XSS filters.

Upvotes: 0
