Versions Compared

Old Version 26

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Add the following code snippet within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    Code Block
    languagexml
    <CSRFPreventionConfig>
    <CSRFValve>
        <Enabled>true</Enabled>
        <!-Enable/Disable CSRF prevention->
        <Rule>allow</Rule>

        <!--URL Pattern to skip the CSRF prevention-->
        <Patterns>
            <Pattern>commonauth</Pattern>
            <Pattern>samlsso</Pattern>
            <Pattern>authenticationendpoint</Pattern>
            <Pattern>wso2</Pattern>
            <Pattern>oauth2</Pattern>
            <Pattern>openid</Pattern>
            <Pattern>openidserver</Pattern>
            <Pattern>passivests</Pattern>
            <Pattern>services</Pattern>
        </Patterns>
		
		<!--List of URL to allow as source to access the system-->
        <WhiteList>
            <Url>https://localhost:9443</Url>
        </WhiteList>
    </CSRFValve>
</CSRFPreventionConfig>

  2. Edit the <Whitelist> element of the code snippet above by adding the relevant list of URLs that are approved sources.

  3.  Add the following configuration within the <Hosts><Host> element of the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.

    Code Block
    languagexml
    <Valve className="org.wso2.carbon.ui.valve.CSRFValve"/>

  4. Restart the product server.

...

  1. Add the configuration seen below accordingly to enable the filter:
    • To enable the filter only to the Management Console: add it to the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF/web.xml file.
    • To enable the filter to any other web app that has access to the Carbon runtime: add it to the <WEB_APP_HOME>/WEB-INF/web.xml file.
    Code Block
    languagexml
    <web-app>
...
<filter>
<filter>
<filter-name>CSRFPreventionFilter</filter-name>
<filter-class>org.wso2.carbon.ui.filters.CSRFPreventionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CRLFPreventionFilter<name>CSRFPreventionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
<web-app>

  2. Add the following code within the <Security> element of the <PRODUCT_HOME>/repository/conf/carbon.xml file.

    Info

    The <SkipUrlPattern> element defines the URL pattern to skip CSRF protection. Thereby, any URL matching this pattern will not be validated for the CSRF token.

    Code Block
    languagexml
    <Server>
...
<Security>
...
<CSRFPreventionConfig>
<!-- CSRFPreventionFilter configurations that adopts Synchronizer Token Pattern -->
<CSRFPreventionFilter>
<!-- Set below to true to enable the CSRFPreventionFilter -->
<Enabled>true</Enabled>
<!-- Url Pattern to skip application of CSRF protection-->
<SkipUrlPattern>(.)(/images|/css|/js|/docs)(.)</SkipUrlPattern>
</CSRFPreventionFilter>
</CSRFPreventionConfig>
...
</Security>
...
</Server>

  3. Restart the product server.