CSRF Prevention

This section was ported from the Camunda 7 documentation and will be revised to reflect the specifics of OpenBPM Engine.

A CSRF filter is enabled by default; it validates every modifying (state-changing) request performed through the webapps. The filter implements a per-session Synchronization Token method for CSRF validation, with an optional Same Origin with Standard Headers verification on top.

In Spring Boot Starter, the configuration is made in application.yaml instead of web.xml. Please read more about it here.

If you would like to enable the additional Same Origin with Standard Headers verification, set the targetOrigin init-parameter in the web.xml file of your application. That parameter and the other optional initialization parameters are shown below:

  <!-- CSRF Prevention filter -->
  <filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>io.openbpm.bpm.webapp.impl.security.filter.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>targetOrigin</param-name>
      <param-value>http://example.com</param-value>
    </init-param>
    <init-param>
      <param-name>denyStatus</param-name>
      <param-value>404</param-value>
    </init-param>
    <init-param>
      <param-name>randomClass</param-name>
      <param-value>java.security.SecureRandom</param-value>
    </init-param>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/api/engine/engine/default/history/task/count, /api/engine/engine/default/history/variable/count</param-value>
    </init-param>
    <init-param>
      <param-name>enableSecureCookie</param-name>
      <param-value>true</param-value>               <!-- default value is false -->
    </init-param>
    <init-param>
      <param-name>enableSameSiteCookie</param-name>
      <param-value>true</param-value>               <!-- default value is true -->
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
Name and description of each init-parameter:

targetOrigin

The expected deployment origin of the application: the scheme and host (as in http://example.com above) through which the webapps are accessed. If nothing is set, the Same Origin with Standard Headers verification is not performed.

denyStatus

HTTP response status code returned when a request is rejected. The default value is 403.

randomClass

The fully qualified name of the class used to generate tokens. The class must extend java.util.Random. If not set, java.security.SecureRandom is used.

entryPoints

Comma-separated list of URLs that are not tested for the presence of a valid token. They provide a way to navigate back to the protected apps after navigating away from them.

enableSecureCookie

If set to true, the Secure cookie flag is set on the CSRF cookie (see webapps/shared-options/cookie-security.adoc#secure). The default value is false.

enableSameSiteCookie

If set to false, the SameSite cookie attribute is not set (see webapps/shared-options/cookie-security.adoc#samesite). The default value is true. The default SameSite value is LAX and can be changed via the sameSiteCookieOption configuration property.

sameSiteCookieOption

Can be configured to either STRICT or LAX. Note: this property is ignored when enableSameSiteCookie is set to false.

sameSiteCookieValue

A custom value for the SameSite cookie attribute. Note: this property is ignored when enableSameSiteCookie is set to false.

cookieName

A custom name for the CSRF cookie. The default value is XSRF-TOKEN. Note: make sure to additionally change the cookie name for each webapp (e.g. Cockpit, see webapps/cockpit/extend/configuration.adoc#change-csrf-cookie-name) separately.
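To make the two checks concrete, the following is an added Python model of the decision described in this section. It is not the CsrfPreventionFilter's own code and not a servlet filter. It assumes that the token from the cookie is echoed back in an X-XSRF-TOKEN request header, that GET, HEAD and OPTIONS are the non-modifying methods, and that entry points skip only the token test while the origin check still applies (the page does not say either way); the sample requests at the bottom are constructed and use the targetOrigin, entryPoints and denyStatus values from the web.xml snippet above.

```python
"""Model of the CSRF checks described on this page: a per-session synchronizer
token plus the optional Same Origin with Standard Headers verification.
Added illustration, not the filter's code; header name, safe-method set and
entry-point handling are assumptions."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: only these methods count as non-modifying.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOKEN_HEADER = "X-XSRF-TOKEN"  # assumed header carrying the cookie value back


def new_session_token() -> str:
    """Per-session token; secrets plays the role of the filter's SecureRandom."""
    return secrets.token_hex(16)


def origin_of(url: str):
    """Reduce a URL to scheme://host[:port], lower-cased; None when it has no
    scheme/host (this also covers the literal 'null' Origin browsers send)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def same_origin_ok(headers: dict, target_origin):
    """Same Origin with Standard Headers: the Origin header (or Referer as a
    fallback) must match targetOrigin. Skipped entirely when targetOrigin is
    unset, as the parameter description states."""
    if target_origin is None:
        return True
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no standard header to verify against: reject
    return origin_of(source) == origin_of(target_origin)


def token_ok(headers: dict, session_token):
    """Synchronizer token: the presented token must equal the session's token.
    Constant-time compare so a mismatch position is not timing-observable."""
    presented = headers.get(TOKEN_HEADER)
    if not presented or not session_token:
        return False
    return hmac.compare_digest(presented, session_token)


def check_request(method, path, headers, session_token, *, target_origin=None,
                  entry_points=(), deny_status=403):
    """Return (allowed, http_status) for one request.
    Order: safe methods pass; origin check; entry points skip the token test
    (assumption: they do not skip the origin check); token check."""
    if method.upper() in SAFE_METHODS:
        return True, 200
    if not same_origin_ok(headers, target_origin):
        return False, deny_status
    if path in entry_points:
        return True, 200
    if not token_ok(headers, session_token):
        return False, deny_status
    return True, 200


if __name__ == "__main__":
    # Constructed sample requests against the web.xml settings on this page.
    tok = new_session_token()
    cfg = dict(target_origin="http://example.com",
               entry_points=("/api/engine/engine/default/history/task/count",),
               deny_status=404)
    samples = [
        ("GET", "/app/cockpit/", {}),
        ("POST", "/api/engine/engine/default/task/1/complete",
         {"Origin": "http://example.com", TOKEN_HEADER: tok}),
        ("POST", "/api/engine/engine/default/task/1/complete",
         {"Origin": "http://attacker.example", TOKEN_HEADER: tok}),
        ("POST", "/api/engine/engine/default/task/1/complete",
         {"Referer": "http://example.com/app/tasklist/"}),
        ("POST", "/api/engine/engine/default/history/task/count",
         {"Origin": "http://example.com"}),
    ]
    for method, path, hdrs in samples:
        print(method, path, check_request(method, path, hdrs, tok, **cfg))
```

The third and fourth sample requests are rejected with the configured denyStatus of 404: the first because its Origin does not match targetOrigin, the second because the origin is fine but no token accompanies the modifying request. The last one passes without a token only because its path is a configured entry point.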

License and attribution

This documentation was created on the basis of the "Camunda 7 Docs" material by Camunda and is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License.

Original documentation: https://docs.camunda.org