Configuring the CSRF Filter
  1. Enable the filter by adding the configuration below to the appropriate web.xml file:
    • To enable the filter only for the Management Console: add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
    • To enable the filter for any other web app that has access to the Carbon runtime: add it to the <WEB_APP_HOME>/WEB-INF/web.xml file.
    The <filter-name> in the <filter-mapping> must match the <filter-name> of the <filter> definition exactly, otherwise the web app fails to deploy.
    <web-app>
    ...
      <filter>
        <filter-name>CSRFPreventionFilter</filter-name>
        <filter-class>org.wso2.carbon.ui.filters.CSRFPreventionFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    ...
    </web-app>
  2. Add the following code within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    Note: The <SkipUrlPattern> element defines the URL pattern to skip CSRF protection. Any URL matching this pattern will not be validated for the CSRF token.
    <Server>
    ...
      <Security>
      ...
        <CSRFPreventionConfig>
          <!-- CSRFPreventionFilter configuration that adopts the Synchronizer Token Pattern -->
          <CSRFPreventionFilter>
            <!-- Set to true to enable the CSRFPreventionFilter -->
            <Enabled>true</Enabled>
            <!-- Regular expression for URLs that are exempt from CSRF protection (static content only) -->
            <SkipUrlPattern>(.*)(/images|/css|/js|/docs)(.*)</SkipUrlPattern>
          </CSRFPreventionFilter>
        </CSRFPreventionConfig>
      ...
      </Security>
    ...
    </Server>
  3. Restart the product server.
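The example below is added here and is not WSO2 code: it models a Synchronizer Token filter with a skip pattern in Python so you can check which paths the page's <SkipUrlPattern> value actually exempts before deploying it. It assumes the pattern is applied to the whole request path (Java `matches()` semantics); the request paths, the tighter alternative pattern and the safe-method rule are constructed assumptions, not taken from the product.

```python
import hmac
import re
import secrets
from typing import Optional

# SkipUrlPattern value from the page's carbon.xml snippet.
PAGE_SKIP_PATTERN = r"(.*)(/images|/css|/js|/docs)(.*)"
# Hypothetical tighter alternative (assumption, not from the page): only
# exempts a static asset file inside one of those directories.
TIGHT_SKIP_PATTERN = r"^.*/(images|css|js|docs)/[^/]+\.(css|js|png|gif|jpg|html)$"

# Assumption of this model: read-only methods carry no state change to protect.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_skipped(path: str, skip_pattern: str) -> bool:
    """True when the whole path matches the skip pattern (Java matches())."""
    return re.fullmatch(skip_pattern, path) is not None


def new_token() -> str:
    """Synchronizer token: random per session, kept server side."""
    return secrets.token_urlsafe(32)


def csrf_decision(method: str, path: str, session_token: str,
                  request_token: Optional[str],
                  skip_pattern: str = PAGE_SKIP_PATTERN) -> str:
    """Decision for one request: 'skipped', 'allowed' or 'rejected'."""
    if is_skipped(path, skip_pattern):
        return "skipped"          # no token check at all on these paths
    if method.upper() in SAFE_METHODS:
        return "allowed"
    if request_token is None:
        return "rejected"
    # Constant-time comparison so token guessing gets no timing signal.
    if not hmac.compare_digest(session_token.encode(), request_token.encode()):
        return "rejected"
    return "allowed"


if __name__ == "__main__":
    token = new_token()
    # Constructed paths: the second one is a state-changing page that merely
    # contains "/docs" in its path, yet the page's pattern exempts it.
    for path in ("/carbon/admin/css/global.css", "/carbon/user/docs/delete_user.jsp"):
        print(path, csrf_decision("POST", path, token, None),
              csrf_decision("POST", path, token, None, TIGHT_SKIP_PATTERN))
```

Run it to see that the unanchored pattern exempts any path containing one of the directory names, so the decision for the constructed delete page flips from "skipped" to "rejected" only with the tighter pattern.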