...
Login forms can be susceptible to CSRF[2] attacks. In these cases the attacker tricks the victim into logging in as the attacker. The attacker could then:
...
The anti-CSRF token is generated on entry to a view state (on-render would also work, if required) and placed inside the SWF viewScope. For example, in the DisplayUsernamePasswordPage view-state of authn-password-flow.xml:
```xml
<on-entry>
    <evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CsrfTokenManager').generateCsrfToken()"
              result="viewScope.csrfToken" />
</on-entry>
```
Still inside the DisplayUsernamePasswordPage view-state, the anti-CSRF token stored in the viewScope must then be compared with the one returned as an HTTP parameter from the view. Because the token is bound to the viewScope, this comparison has to happen inside the view-state, before the proceed transition is executed and the state exited. Hence, a ValidateCsrfToken action is nested inside the proceed transition:
...
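The complete view-state that the two fragments above describe, written out as an added illustration rather than the project's own authn-password-flow.xml. The transition target state, the request parameter name and the exact error behaviour of the ValidateCsrfToken bean are assumptions.

```xml
<!-- Added illustration, not the project's flow definition. Assumed: the login view
     echoes the token back as the request parameter "csrf_token", and the
     ValidateCsrfToken bean returns a non-success event when that parameter is
     missing or does not match viewScope.csrfToken. -->
<view-state id="DisplayUsernamePasswordPage" view="login">

    <!-- A fresh token is generated every time the state is entered and bound to
         the viewScope, so it lives exactly as long as this view state does. -->
    <on-entry>
        <evaluate expression="flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.CsrfTokenManager').generateCsrfToken()"
                  result="viewScope.csrfToken" />
    </on-entry>

    <!-- The check is nested in the transition, i.e. it runs while the viewScope
         (and therefore the expected token) still exists. In Spring Web Flow an
         action inside a transition must return "success" for the transition to
         proceed; anything else aborts it and the login page is re-rendered, so a
         forged or replayed submission never reaches the next state. -->
    <transition on="proceed" to="ExtractUsernamePasswordFromFormRequest"> <!-- assumed target state -->
        <evaluate expression="ValidateCsrfToken" />
    </transition>
</view-state>
```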