...

Sometimes views do not require CSRF protection, e.g. they do not submit sensitive information back to the IdP. Other times, views are involved in user flows that cannot meaningfully benefit from the synchroniser token CSRF protection pattern employed by the IdP, e.g. an external authentication servlet (see CSRF FlowExecutionListener testing for External Authentication). Such views can be excluded by annotating the view-state with a CSRF excluded metadata attribute in the flow XML configuration file. For example, to exclude an external authentication servlet:

...

<view-state id="ExternalTransfer" view="externalRedirect:#{T(net.shibboleth.idp.authn.ExternalAuthentication).getExternalRedirect(flowRequestContext.getActiveFlow().getApplicationContext().getBean('shibboleth.authn.External.externalAuthnPathStrategy').apply(opensamlProfileRequestContext), flowExecutionContext.getKey().toString())}">
    <!-- the csrf_excluded metadata attribute takes this view-state out of CSRF protection -->
    <attribute name="csrf_excluded" value="true" type="boolean"/>
    ...
</view-state>

When enabling CSRF protection, the idp.csrf.include.viewstates property should be uncommented and the views you want to protect listed. At its simplest, the login page (the DisplayUsernamePasswordPage view-state) should be included. However, the following views can also benefit from CSRF protection, and it is recommended they are included. They are listed by view-state ID (of which there may be more than one definition across the flows) together with the view template that needs the CSRF token embedded:

ViewStateID                  View template (that needs the CSRF token embedded)
DisplayUsernamePasswordPage  login.vm
LocalStorageRead             client-storage-read.vm, read.vm
LocalStorageWrite            local-storage-write.vm, write.vm
DisplayTermsOfUsePage        terms-of-use.vm
DisplayAttributeReleasePage  attribute-release.vm
PromptForPasswords           unlock-keys.vm
ImpersonateView              impersonate.vm
DisplayDuoWebView            duo.vm

If individual view-states are listed in this way, the excludes list is of little use and can be left commented out.

Alternatively, the idp.csrf.include.viewstates property can be set to all views ('*') and the set of views to exclude listed instead. In that case, it is recommended the following views are excluded:

ViewStateID
ExternalTransfer
RunSPNEGO
ExpiringPassword
DisplayExpiringPasswordView
LogoutPropagateView
ShowServiceLogoutView
LogoutView
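Whichever of the two strategies is used, the protected set is the result of three things combining: the include property, the exclude property and any csrf_excluded attributes in the flow XML. The following is an added example, not code from the Shibboleth wiki or from the IdP itself, that audits which view-states in a flow file end up protected under a given idp.properties fragment. It models the rules exactly as this page states them (a view-state is a candidate when it is listed in idp.csrf.include.viewstates or that property is '*', and is dropped when it is listed in the exclude property or carries the csrf_excluded attribute). The exclude property name idp.csrf.exclude.viewstates, the flow XML and the properties text are constructed for the example and are assumptions, not copied from IdP files.

```python
"""Audit which Spring Web Flow view-states are CSRF-protected under a set of
idp.properties values, following the rules described on the page.

Added example: the flow XML, the property values and the exclude property name
(idp.csrf.exclude.viewstates) are assumptions constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

SWF_NS = "http://www.springframework.org/schema/webflow"

# Constructed flow: two views that should be protected and one that opts out
# via the csrf_excluded metadata attribute (as shown for ExternalTransfer above).
SAMPLE_FLOW_XML = """
<flow xmlns="http://www.springframework.org/schema/webflow">
  <view-state id="DisplayUsernamePasswordPage" view="login"/>
  <view-state id="DisplayTermsOfUsePage" view="terms-of-use"/>
  <view-state id="ExternalTransfer" view="externalRedirect:#{'/Authn/External'}">
    <attribute name="csrf_excluded" value="true" type="boolean"/>
  </view-state>
</flow>
"""

# Strategy 1: enumerate the views to protect (ExternalTransfer is listed but
# still opts out through its attribute).
SAMPLE_PROPERTIES_INCLUDE_LIST = """
idp.csrf.enabled = true
idp.csrf.include.viewstates = DisplayUsernamePasswordPage, DisplayTermsOfUsePage, ExternalTransfer
"""

# Strategy 2: protect everything, then list the views to exclude.
SAMPLE_PROPERTIES_WILDCARD = """
idp.csrf.enabled = true
idp.csrf.include.viewstates = *
idp.csrf.exclude.viewstates = RunSPNEGO, LogoutView
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value', '#'/'!' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_list(value):
    """Comma- or whitespace-separated property value -> set of view-state IDs."""
    return {v for v in re.split(r"[,\s]+", value or "") if v}


def view_states(flow_xml):
    """Map every view-state id in the flow to whether it carries csrf_excluded=true."""
    root = ET.fromstring(flow_xml)
    result = {}
    for vs in root.iter(f"{{{SWF_NS}}}view-state"):
        excluded = any(
            a.get("name") == "csrf_excluded" and a.get("value", "").lower() == "true"
            for a in vs.findall(f"{{{SWF_NS}}}attribute")
        )
        result[vs.get("id")] = excluded
    return result


def protected_views(flow_xml, properties_text):
    """IDs of view-states that end up CSRF-protected under the given properties."""
    props = parse_properties(properties_text)
    if props.get("idp.csrf.enabled", "false").lower() != "true":
        return set()
    include = props.get("idp.csrf.include.viewstates", "")
    exclude = split_list(props.get("idp.csrf.exclude.viewstates", ""))  # assumed name
    include_all = include.strip() == "*"
    included = split_list(include)
    return {
        vs_id
        for vs_id, attr_excluded in view_states(flow_xml).items()
        if (include_all or vs_id in included)
        and vs_id not in exclude
        and not attr_excluded
    }


if __name__ == "__main__":
    for label, props in (("include list", SAMPLE_PROPERTIES_INCLUDE_LIST),
                         ("wildcard + excludes", SAMPLE_PROPERTIES_WILDCARD)):
        print(f"{label}: {sorted(protected_views(SAMPLE_FLOW_XML, props))}")
```

Run it against your own flow files and idp.properties to confirm that every view-state whose template embeds the token (the table above) is reported as protected, and that nothing in the excludes table is. A view-state reported as protected whose template does not embed the token will fail with an InvalidCSRFTokenException on every submit, which is the most common misconfiguration when switching to the '*' strategy.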


Changes To Flows

To cleanly handle the InvalidCSRFTokenException that the CSRFFlowExecutionListener throws, a global on-exception transition must be registered in the appropriate flows, together with a corresponding action or end state for that transition to target.

...