error:The token should exist in the storage at this point

[nxsmcaspani]

Hello,

Sorry to bother you but I'm struggling with having csrfguard 4.1.3 working on my project.

My need is to implement a csrf protection on a code relying on spring 2.5.5 as well as an in-house MVC framework. As for now CSRF protection is possible directly through Spring Security, I found little option but your library (I don't have the possibility to update the whole project).

I took a look at the discussion and ran the test application as well but I'm afraid it didn' helped me much.

Here's the setup I've made (using Overlay):

************************************************************
* OWASP CSRFGuard properties

* Actions: 
	* org.owasp.csrfguard.action.Redirect
		* Parameter: Page = /myapp/error.html
	* org.owasp.csrfguard.action.Log
		* Parameter: Message = Potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
	* org.owasp.csrfguard.action.Rotate
* Ajax: true
* Enabled: true
* Force Synchronous Ajax: true
* Is Javascript Inject Into Dynamically Created Nodes: false
* Javascript Domain Strict: false
* Javascript Inject Form Attributes: false
* Javascript Inject Get Forms: false
* Javascript Inject Into Attributes: false
* Javascript Inject Into Forms: false
* Javascript Params Initialized: false
* Javascript Referer Match Domain: false
* Javascript Referer Match Protocol: false
* Logical Session Extractor: org.owasp.csrfguard.session.SessionTokenKeyExtractor
* Page Token Synchronization Tolerance: 2000 ms
* Print Config: true
* Prng: java.security.SecureRandom(algorithm: SHA1PRNG, provider: SUN version 1.8)
* Protect: false
* Protected Methods: 
	* DELETE
	* POST
	* GET
	* PUT
* Rotate: true
* Token Holder: org.owasp.csrfguard.token.storage.impl.InMemoryTokenHolder
* Token Length: 32
* Token Name: OWASP-CSRFTOKEN
* Token Per Page: true
* Token Per Page Precreate: true
* Unprotected Pages: 
	* /myapp/error.html
	* /myapp/favicon.ico
	* /myapp/index.html
	* /myapp/do/login/*
	* /myapp/JavaScriptServlet
* Use New Token Landing Page: false
* Validation When No Session Exists: false
************************************************************

Important points are that I've disabled the validation when no session exists as well as injection in URI for GET request.

This is a stateful application, so a JSESSIONID is generated after the login, which is why I tried to unprotect all the login related redirections.

Problem is that despite that, after login in, I'm routed to the error page and in my Jboss (EAP 7.0 if that matters) I can see the following error :

2022-10-25 10:57:56,478 ERROR [org.owasp.csrfguard.action.Log] (default task-62) Potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/myapp/do/login/first, error:The token should exist in the storage at this point)

Maybe I'm missing something with the inMemoryTokenHolder ? Or is there any compatibility issue with jboss application server ?

Thank you for your help

[forgedhallpass]

Hello @nxsmcaspani

I took a look at the discussion and ran the test application as well but I'm afraid it didn't helped me much.

What do you mean by did not help much? Based on the output it seems that you should have managed to start the test web application. If you open it in a browser on port 8080, you should be able to play around with it and see how it behaves.

"The token should exist in the storage at this point"

In case of a stateful application, CSRFGuard defaults to the SessionTokenKeyExtractor implementation. You've either received the error because:

1. there was no servlet container session created, hence a ContainerSession could not be created

• make sure you've mapped the filter correctly and the order is right
• put a break point in the following method and see if you have a valid JSESSIONID at that point:

  www-project-csrfguard/csrfguard/src/main/java/org/owasp/csrfguard/CsrfValidator.java

  Line 196 in 7fe655c

  private boolean isTokenValidInRequest(final HttpServletRequest request, final HttpServletResponse response, final String resourceIdentifier) {

2. or the sessionCreated method from the CsrfGuardHttpSessionListener was not invoked for some reason.

• make sure to also add the csrfguard-extension-session dependency to your project
• and reference the listener in your web.xml (

  www-project-csrfguard/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/web.xml

  Line 22 in 11d57c7

  <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>

  )