Skip to content

Remove legacy CSRF protection for approve page #932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 12, 2015
Merged

Remove legacy CSRF protection for approve page #932

merged 1 commit into from
Oct 12, 2015

Conversation

praseodym
Copy link
Contributor

Instead, we rely on the Spring Security CSRF protection, like we already do for the login page. Additionally, we remove the authentication check inisApproved, because this is already done by Spring Security (and if not, we have bigger problems to worry about).

Resolves #931.

Because this issue impacts core behaviour, I'd think this would be sufficient reason for a release of 1.2.2.

praseodym
praseodym reviewed Oct 8, 2015
View reviewed changes
...-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java
public String ERROR = "error";
public String LOGIN_REQUIRED = "login_required";
String ERROR = "error";
String LOGIN_REQUIRED = "login_required";
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The public modifiers here were removed by IntelliJ IDEA. According to the JLS (§9.4),

Every method declaration in the body of an interface is implicitly public (§6.6). It is permitted, but discouraged as a matter of style, to redundantly specify the public modifier for a method declaration in an interface.

@jricher
Copy link
Member

jricher commented Oct 9, 2015

Please revert the removal of "public" from the interface definition as this makes it inconsistent with the rest of the project's style. I'm aware of that style suggestion but it is not applied here.

Thanks.

@praseodym
Remove legacy CSRF protection for approve page
b5c298e 
Instead, we rely on the Spring Security CSRF protection, like we already do for the login page. Additionally, we remove the authentication check in`isApproved`, because this is already done by Spring Security (and if not, we have bigger problems to worry about).
@praseodym
Copy link
Contributor Author

Done.

@sdoxsee
Copy link
Contributor

sdoxsee commented Oct 9, 2015

Was tripped up by this for the last day :P

This fix sounds great. Would it be possible to merge this and re-release @jricher ? I can't get 1.2.1 working without manually doing all this in my overlay project. Thanks @praseodym!

@sdoxsee
Copy link
Contributor

sdoxsee commented Oct 9, 2015

actually, I'm not in production with this yet so I can get around with other testing for now by taking away the csrf protection in user-context.xml for now.

@jricher
Copy link
Member

jricher commented Oct 9, 2015

Thanks! I can possibly do the pull and release next week. I was having trouble with the integration test environment just before the last release which is how it slipped by. Oops.

@jricher jricher merged commit b5c298e into mitreid-connect:master Oct 12, 2015
@praseodym praseodym deleted the fix-approve-csrf branch October 12, 2015 17:54
@sdoxsee
Copy link
Contributor

sdoxsee commented Oct 14, 2015

Thanks for being all over this! Overlay updated with 1.2.2. Cheers!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@praseodym @jricher @sdoxsee