Uploaded image for project: 'mod-login-saml'
  1. mod-login-saml
  2. MODLOGSAML-63

Implement CSRF Prevention

    XMLWordPrintable

Details

    • CP: sprint 91, CP: sprint 92, CP: sprint 113, CP: sprint 114
    • 5
    • Core: Platform

    Description

      Overview

      This is a follow-up to the investigation done for MODLOGSAML-59 / MODLOGSAML-58 and covers implementation of the design outlined on the wiki

      Acceptance Criteria

      • CORS handling is done by the module
      • * tenant-specific origin whitelist
      • * Access-Control-Allow-Origin is set to the origin, not *
      • * Access-Control-Allow-Credentials is set to true for /saml/login
      • CSRF prevention is implemented via RelayState and a associated cookie

      TestRail: Results

        Attachments

          Issue Links

            blocks

            Bug - A problem which impairs or prevents the functions of the product. MODLOGSAML-58 Arbitrary URL Redirection in SAML Response

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MODLOGSAML-59 Umbrella: Cross-Site Request Forgery (CSRF) in SSO Flow

            • P2 - normal priority level, must be included in the current development cycle
            • Closed
            is blocked by

            Bug - A problem which impairs or prevents the functions of the product. OKAPI-876 CORS delegation doesn't work with preflight/OPTIONS requests

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Task - A task that needs to be done. OKAPI-1016 Support delegate preflight request

            • TBD - To be determined
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. RMB-656 NPE at startup when an OPTIONS endpoint is defined in RAML

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. STCOR-544 Set credentials: include on fetch to /saml/login

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Task - A task that needs to be done. STCOR-545 Pass tenant info when making saml login call

            • TBD - To be determined
            • Closed
            relates to

            Task - A task that needs to be done. FOLIO-2956 Spike: Provide guidelines for use of Content Security Policy headers with FOLIO

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Blocked

            Bug - A problem which impairs or prevents the functions of the product. MODLOGSAML-103 CORS Access-Control-Allow-Credentials for /saml/login and /saml/callback

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. OKAPI-847 Conditionally defer CORS handling to module when invoked via passthrough API

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Activity

              People

                hji Hongwei Ji
                cmcnally Craig McNally
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases