[JBoss JIRA] Resolved: (JBWEB-141) Servlet Filter against CSRF
by Remy Maucherat (JIRA)
[ https://jira.jboss.org/jira/browse/JBWEB-141?page=com.atlassian.jira.plug... ]
Remy Maucherat resolved JBWEB-141.
----------------------------------
Fix Version/s: JBossWeb-3.0.0.Beta6
Resolution: Done
For XSS, if you are talking about a well defined set of patterns, you might be able to create a set of mod_rewrite rules. They should then work just fine with the rewrite valve. If that's not enough, then create a new JIRA on XSS.
> Servlet Filter against CSRF
> ---------------------------
>
> Key: JBWEB-141
> URL: https://jira.jboss.org/jira/browse/JBWEB-141
> Project: JBoss Web
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Reporter: Marc Schoenefeld
> Assignee: Remy Maucherat
> Priority: Minor
> Fix For: JBossWeb-3.0.0.Beta6
>
>
> Cross-site scripting and cross-site request forgery attacks are a common threat to every web application.
> So a common solution offered by the HTTP server is helpful to raise the default protection level.
> A servlet filter will help to
> a) allow/block requests for a set of XSS regex patterns (per default blacklist suspicious parameter patterns, and optionally whitelist valid requests for well-known applications)
> b) allow/block requests that fulfil the criteria for being a forged request (failing nonce compare); this will need a JavaScript helper on the client side, to transparently protect existing applications by providing the shared secret in the session.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[JBoss JIRA] Updated: (JBWEB-141) Servlet Filter against CSRF
by Remy Maucherat (JIRA)
[ https://jira.jboss.org/jira/browse/JBWEB-141?page=com.atlassian.jira.plug... ]
Remy Maucherat updated JBWEB-141:
---------------------------------
Summary: Servlet Filter against CSRF (was: Servlet Filter against XSS)
> Servlet Filter against CSRF
> ---------------------------
>
> Key: JBWEB-141
> URL: https://jira.jboss.org/jira/browse/JBWEB-141
> Project: JBoss Web
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Reporter: Marc Schoenefeld
> Assignee: Remy Maucherat
> Priority: Minor
>
> Cross-site scripting and cross-site request forgery attacks are a common threat to every web application.
> So a common solution offered by the HTTP server is helpful to raise the default protection level.
> A servlet filter will help to
> a) allow/block requests for a set of XSS regex patterns (per default blacklist suspicious parameter patterns, and optionally whitelist valid requests for well-known applications)
> b) allow/block requests that fulfil the criteria for being a forged request (failing nonce compare); this will need a JavaScript helper on the client side, to transparently protect existing applications by providing the shared secret in the session.
[JBoss JIRA] Updated: (JBWEB-141) Servlet Filter against XSS
by Remy Maucherat (JIRA)
[ https://jira.jboss.org/jira/browse/JBWEB-141?page=com.atlassian.jira.plug... ]
Remy Maucherat updated JBWEB-141:
---------------------------------
Summary: Servlet Filter against XSS (was: Servlet Filter against XSS and CSRF)
I ported a CSRF protection filter that has been added in Tomcat.
> Servlet Filter against XSS
> --------------------------
>
> Key: JBWEB-141
> URL: https://jira.jboss.org/jira/browse/JBWEB-141
> Project: JBoss Web
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Reporter: Marc Schoenefeld
> Assignee: Remy Maucherat
> Priority: Minor
>
> Cross-site scripting and cross-site request forgery attacks are a common threat to every web application.
> So a common solution offered by the HTTP server is helpful to raise the default protection level.
> A servlet filter will help to
> a) allow/block requests for a set of XSS regex patterns (per default blacklist suspicious parameter patterns, and optionally whitelist valid requests for well-known applications)
> b) allow/block requests that fulfil the criteria for being a forged request (failing nonce compare); this will need a JavaScript helper on the client side, to transparently protect existing applications by providing the shared secret in the session.
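The "failing nonce compare" check from item b) of the request, shown as an added example of a minimal servlet filter of the kind a JBoss Web or Tomcat deployment registers in web.xml. This is not the Tomcat filter that the comment above says was ported, and nothing here comes from the issue itself: the parameter name csrfNonce, the session attribute key, the limit of five remembered nonces per session and the choice to exempt GET/HEAD/OPTIONS are this example's own assumptions. It needs Java 8 (for java.util.Base64) and the javax.servlet API on the classpath.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayDeque;
import java.util.Base64;
import java.util.Deque;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative nonce-compare CSRF filter. Added example, not the Tomcat filter
 * the issue refers to; parameter and session key names are this example's own.
 * Every state-changing request must carry a nonce that this session was issued.
 */
public class NonceCsrfFilter implements Filter {

    public static final String NONCE_PARAM = "csrfNonce"; // hypothetical parameter name
    private static final String SESSION_KEY = NonceCsrfFilter.class.getName() + ".nonces";
    private static final int MAX_NONCES = 5; // recent nonces kept per session (several open tabs)

    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod();

        // Only state-changing methods are checked; GET/HEAD/OPTIONS must stay side-effect free.
        if (!("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method))) {
            HttpSession session = request.getSession(false);
            if (session == null || !isKnownNonce(nonces(session), request.getParameter(NONCE_PARAM))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN); // failing nonce compare
                return;
            }
        }

        // Issue a fresh nonce for the next request. The page template, or the
        // client-side JavaScript helper the issue proposes for existing applications,
        // reads it from this request attribute and attaches it to forms and XHR calls.
        String fresh = newNonce();
        remember(nonces(request.getSession(true)), fresh);
        request.setAttribute(NONCE_PARAM, fresh);
        chain.doFilter(request, response);
    }

    /** 128 random bits, URL-safe so the nonce can travel as a form or query parameter. */
    String newNonce() {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** The per-session list of issued nonces: the "shared secret in the session". */
    @SuppressWarnings("unchecked")
    private static Deque<String> nonces(HttpSession session) {
        Deque<String> issued = (Deque<String>) session.getAttribute(SESSION_KEY);
        if (issued == null) {
            issued = new ArrayDeque<String>();
            session.setAttribute(SESSION_KEY, issued);
        }
        return issued;
    }

    static void remember(Deque<String> issued, String nonce) {
        synchronized (issued) {
            issued.addLast(nonce);
            while (issued.size() > MAX_NONCES) {
                issued.removeFirst(); // oldest nonce expires first
            }
        }
    }

    /** Constant-time compare against each issued nonce; a missing or unknown value fails. */
    static boolean isKnownNonce(Deque<String> issued, String presented) {
        if (presented == null) return false;
        byte[] given = presented.getBytes(StandardCharsets.UTF_8);
        synchronized (issued) {
            for (String n : issued) {
                if (MessageDigest.isEqual(n.getBytes(StandardCharsets.UTF_8), given)) return true;
            }
        }
        return false;
    }
}
```

Register it with a <filter> and <filter-mapping> entry in web.xml covering the URLs that change state, and have each page write the csrfNonce request attribute into a hidden form field. The session-bound random nonce is what defeats a forged cross-site request: the attacker's page can make the victim's browser send the session cookie, but cannot read a nonce that only this session was issued. Because a GET never passes the check, the application must keep its GET handlers free of side effects for the filter to be meaningful.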
[JBoss JIRA] Created: (JBRULES-2503) Provide more details in documentation on how to convert from XML rules to DRL rules when using XmlPackageReader
by Tihomir Surdilovic (JIRA)
Provide more details in documentation on how to convert from XML rules to DRL rules when using XmlPackageReader
---------------------------------------------------------------------------------------------------------------
Key: JBRULES-2503
URL: https://jira.jboss.org/jira/browse/JBRULES-2503
Project: Drools
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Affects Versions: 5.1.0.M1
Reporter: Tihomir Surdilovic
Assignee: Mark Proctor
Provide more details and an example in documentation on how to convert from XML rules to DRL rules when using XmlPackageReader.
For example:
import java.io.InputStreamReader;
import org.drools.compiler.DrlDumper;
import org.drools.compiler.PackageBuilderConfiguration;
import org.drools.lang.descr.PackageDescr;
import org.drools.xml.XmlDumper;
import org.drools.xml.XmlPackageReader;
// Imports follow the Drools 5.x package layout; the snippet is wrapped in the ReadXmlRules
// class it already refers to, so that getResourceAsStream resolves /myrule.xml from the classpath.
public class ReadXmlRules {
    public static void main(String[] args) throws Exception {
        System.setProperty("drools.schema.validating", "false");
        PackageBuilderConfiguration conf = new PackageBuilderConfiguration();
        final XmlPackageReader xmlPackageReader = new XmlPackageReader( conf.getSemanticModules() );
        xmlPackageReader.read( new InputStreamReader( ReadXmlRules.class.getResourceAsStream( "/myrule.xml" ) ) );
        final PackageDescr pkgOriginal = xmlPackageReader.getPackageDescr();
        final XmlDumper dumper = new XmlDumper();
        final String result = dumper.dump( pkgOriginal );
        final DrlDumper drldumper = new DrlDumper();
        String resultdrl = drldumper.dump( pkgOriginal );
        System.out.println("**** XML Rule: \n" + result);
        System.out.println("****************************");
        System.out.println("**** DRL Rule: \n " + resultdrl);
    }
}