Cross-site request forgery (CSRF) is an attack that tricks a user's browser into sending requests the user did not intend. For example, an attacker can trick an authenticated user into clicking a link that updates their personal information. WebSphere Commerce accepts this request as valid, because the proper session cookies are sent as part of the request.
When cross-site request forgery protection is enabled, a URL parameter named authToken must be included as part of the request. WebSphere Commerce generates the parameter value and passes it to the page in a request attribute with the same name.
The authToken parameter is available only on SSL-protected pages, because the token must not be exposed in cleartext. Only sensitive URLs that use SSL should require this protection.
Identify the action to protect, for example UserRegistrationAdd.

Open the Struts configuration file where the action is defined and add a property named csrfProtected to the action. For example:

<action
    parameter="com.ibm.commerce.usermanagement.commands.UserRegistrationAddCmd"
    path="/UserRegistrationAdd"
    type="com.ibm.commerce.struts.BaseAction">
  <set-property property="https" value="0:1"/>
  <set-property property="authenticate" value="0:0"/>
  <set-property property="csrfProtected" value="10101:1"/>
</action>
The value attribute of the set-property element is a comma-separated list of <storeId>:<property value> pairs. The action is CSRF protected for a store when its property value is 1 (store 10101 in the example above).
Edit the JSP file that invokes this action so that the form includes the authToken URL parameter. For example:

<input type="hidden" name="authToken" value="${authToken}"
       id="WC_UserRegistrationUpdateForm_FormInput_authToken_In_Register_1"/>
If the JSP file is cached, put the part of the page that writes the authToken in a JSP fragment that is not cached, so that every response carries the token generated for that request rather than a token served from the cache.
You can also add CSRF protection for a command within a business user tool, such as WebSphere Commerce Accelerator. To add the protection, modify the associated JSP file's savePanelData() method to add the authToken. The modified code can resemble the following:

parent.addURLParameter("authToken", "${authToken}");
Restart the WebSphere Commerce Server or update the StrutsConfigRegistry registry component so that the changed Struts configuration takes effect.
When a cross-site request forgery violation is detected, the request is changed to go to the CrossSiteRequestForgeryErrorView view. That is, this view is shown when a request to an action that is configured as protected does not include the authToken parameter.
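The per-store csrfProtected lookup and the routing to CrossSiteRequestForgeryErrorView described above, as an added example that is not WebSphere Commerce's own code: a small Python script that parses a constructed struts-config-ext.xml fragment (not the page's file), resolves the csrfProtected and https settings of an action for a given store, decides which view a request would go to, and flags actions that are csrfProtected for a store without being https for that store, which the SSL rule above makes a misconfiguration. Two points go beyond the page's text and are assumptions: store ID 0 is treated as the site-wide default entry, and the server is assumed to compare the submitted authToken with the value it generated for the session, rather than only checking that the parameter is present.

```python
"""Added example, not WebSphere Commerce code: models the per-store
csrfProtected/https settings of Struts actions and the resulting routing to
CrossSiteRequestForgeryErrorView, plus a check for csrfProtected actions
that are not served over SSL."""
import xml.etree.ElementTree as ET

ERROR_VIEW = "CrossSiteRequestForgeryErrorView"
DEFAULT_STORE = "0"  # assumption: storeId 0 is the site-wide default entry

# Constructed struts-config-ext.xml fragment for this example (not the page's
# file). Store 10101 protects /UserRegistrationAdd; /UserRegistrationUpdate
# is csrfProtected for store 10051 but only https for store 10101.
SAMPLE_STRUTS_CONFIG = """<struts-config>
  <action-mappings>
    <action parameter="com.ibm.commerce.usermanagement.commands.UserRegistrationAddCmd"
            path="/UserRegistrationAdd"
            type="com.ibm.commerce.struts.BaseAction">
      <set-property property="https" value="0:1"/>
      <set-property property="authenticate" value="0:0"/>
      <set-property property="csrfProtected" value="10101:1"/>
    </action>
    <action parameter="com.ibm.commerce.usermanagement.commands.UserRegistrationUpdateCmd"
            path="/UserRegistrationUpdate"
            type="com.ibm.commerce.struts.BaseAction">
      <set-property property="https" value="0:0,10101:1"/>
      <set-property property="authenticate" value="0:1"/>
      <set-property property="csrfProtected" value="10051:1,10101:1"/>
    </action>
  </action-mappings>
</struts-config>"""


def parse_store_values(value):
    """Parse a '<storeId>:<value>,<storeId>:<value>' attribute into a dict."""
    result = {}
    for item in value.split(","):
        store, sep, val = item.strip().partition(":")
        if sep:
            result[store.strip()] = val.strip()
    return result


def load_actions(xml_text):
    """Map each action path to {property name: {storeId: value}}."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        props = {}
        for sp in action.findall("set-property"):
            props[sp.get("property")] = parse_store_values(sp.get("value", ""))
        actions[action.get("path")] = props
    return actions


def store_setting(props, name, store_id):
    """Resolve a per-store property: the store's own entry, else the store-0 default."""
    values = props.get(name, {})
    return values.get(str(store_id), values.get(DEFAULT_STORE))


def is_csrf_protected(actions, path, store_id):
    """True when the action's csrfProtected value resolves to 1 for this store."""
    return store_setting(actions.get(path, {}), "csrfProtected", store_id) == "1"


def dispatch(actions, path, store_id, params, session_token):
    """Return the view the request goes to: the action itself, or the error
    view when a protected action is called without a valid authToken.
    Comparing against session_token is an assumption; the page only states
    that a missing parameter triggers the error view."""
    if is_csrf_protected(actions, path, store_id):
        token = params.get("authToken")
        if not token or token != session_token:
            return ERROR_VIEW
    return path


def csrf_without_https(actions):
    """(path, storeId) pairs that are csrfProtected for a store whose https
    setting does not resolve to 1. The authToken is only produced on SSL
    pages, so the page says only SSL URLs should require this protection."""
    findings = []
    for path, props in actions.items():
        for store, flag in props.get("csrfProtected", {}).items():
            if flag == "1" and store_setting(props, "https", store) != "1":
                findings.append((path, store))
    return findings


if __name__ == "__main__":
    cfg = load_actions(SAMPLE_STRUTS_CONFIG)
    # A protected store called without the token lands on the error view.
    print(dispatch(cfg, "/UserRegistrationAdd", 10101, {"logonId": "bob"}, "t0k3n"))
    # The https/csrfProtected mismatch for store 10051 is reported.
    print(csrf_without_https(cfg))
```

Run the script against an exported struts-config-ext.xml by replacing SAMPLE_STRUTS_CONFIG with the file's contents; any pair reported by csrf_without_https() is an action whose form can never carry an authToken for that store.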
Cross-site request forgery error while submitting a form

When using AjaxPersonChangeServiceAddressAdd to add a new address for a person, submitting the form returns a cross-site request forgery error and the following line appears in the console:

com.ibm.commerce.browseradapter.AbstractHttpBrowserAdapter preInvokeAjaxCommand(ViewCommandContext context, HttpRequestAttributes httpRequestAttributes) CMN0409E: The following error occurred during processing: "{0}".
To resolve this, edit the JSP file that invokes this action so that the submitted form includes the authToken URL parameter:

<input type="hidden" name="authToken" value="${authToken}"
       id="WC_UserRegistrationUpdateForm_FormInput_authToken_In_Register_1"/>
If you instead want to remove the cross-site request forgery protection from the action, remove the following property from the struts-config-ext files. Note that this disables the protection for every store listed in the value (10051, 10951, 11001 and 11051 here) rather than fixing the form, so adding the authToken to the JSP is the preferred fix.

<set-property property="csrfProtected" value="10051:1,10951:1,11001:1,11051:1"/>