Sakai: SAK-39403

Investigate using the Tomcat CSRF filter (i.e. SameSite)

Details

• Type: Feature Request
• Status: Verified
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 12.0
• Fix Version/s: 12.1, 19.0
• Component/s: Kernel
• Labels: None
• 12 status: Resolved
• 11 status: Please Merge
• Previous Issue Keys: KNL-1584
• Test Plan: Please add a Test Plan here.

Description

We've talked on the call about looking into using the Tomcat CSRF filter rather than all of our local CSRF custom code. Here's a link to their filter.

https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter

It would be "nice" if we could just remove all of our custom CSRF protection and use a filter instead. This kind of came up in some discussion on SAK-29256.

I don't know if this is easy or possible without forking their filter. It just seemed like a better idea than changing entity broker and every tool that calls into it.

From the comments it looks like just using the SameSite cookie attribute might be the better way to go.
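The two approaches the description weighs, wired into Tomcat configuration as an added example (not Sakai's or Tomcat's shipped configuration): the stock CsrfPreventionFilter declared in a webapp's web.xml, and the cookie processor's SameSite attribute in context.xml. The `/portal` entry point is an assumed placeholder, and the `sameSiteCookies` attribute assumes a Tomcat release whose Rfc6265CookieProcessor supports it.

```xml
<!-- web.xml: Tomcat's stock CSRF prevention filter. Every request not listed
     in entryPoints must carry a nonce that the filter appended to a link
     generated through response.encodeURL()/encodeRedirectURL(); links built
     any other way are rejected with denyStatus. This is why adopting the
     filter touches every tool that constructs its own URLs. -->
<filter>
  <filter-name>CsrfPreventionFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <!-- URLs reachable without a nonce (placeholder path, assumed) -->
    <param-name>entryPoints</param-name>
    <param-value>/portal</param-value>
  </init-param>
  <init-param>
    <param-name>denyStatus</param-name>
    <param-value>403</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CsrfPreventionFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- context.xml: the SameSite alternative. The container marks every cookie
     it emits (including JSESSIONID) SameSite=Strict, so browsers that honour
     the attribute omit it from cross-site requests; no per-tool URL changes
     are needed. -->
<Context>
  <CookieProcessor className="org.apache.catalina.http.Rfc6265CookieProcessor"
                   sameSiteCookies="strict" />
</Context>
```

`sameSiteCookies="lax"` keeps the session cookie on top-level navigations arriving from other sites (links in email, external launches) while still withholding it from cross-site POSTs; `strict` withholds it on both. Either setting protects only browsers that implement SameSite, so it is a defence-in-depth layer rather than a drop-in replacement for server-side checks on older clients.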

People

• Assignee: Unassigned
• Reporter: jonespm Matthew Jones
• Votes: 1
• Watchers: 10
