[MRM-1445] disable referrer check by default
authorBrett Porter <brett@apache.org>
Wed, 15 Dec 2010 03:58:25 +0000 (03:58 +0000)
committerBrett Porter <brett@apache.org>
Wed, 15 Dec 2010 03:58:25 +0000 (03:58 +0000)
git-svn-id: https://svn.apache.org/repos/asf/archiva/branches/archiva-1.3.x@1049409 13f79535-47bb-0310-9956-ffa450edef68

archiva-docs/src/site/apt/adminguide/customising-security.apt
archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml

index ffc7ed41e3487a44f45aa624d468acc873366dbc..98ce6d51f0a2739aa385f34b37a308d8c6e7071e 100644 (file)
@@ -48,3 +48,19 @@ security.policy.password.rule.nowhitespace.enabled=true
  can be found in:
  <<<apps/archiva/WEB-INF/classes/META-INF/plexus/application.xml>>>
 
+* Additional CSRF Prevention
+
+  To help prevent cross-site request forgery, it is possible to enable a basic check that the referrer is the current
+  site.
+
+  <Note:> This is only a generic solution that may prevent some types of attacks but not others. It may cause problems
+  with certain user agents. By default, the check is off.
+
+  To enable the check, change the following configuration value in the <<<struts.xml>>> file in the <<<WEB-INF/classes>>>
+  directory of the web application (2 locations):
+
+----
+<interceptor-ref name="redbackSecureActions">
+  <param name="enableReferrerCheck">false</param>
+</interceptor-ref>
+----
\ No newline at end of file
index ce7d090b9d53e8df1ee4219ffc68958f22ab6c3a..7c5c09ffde182978adcdb096e06f4ed7d577a948 100644 (file)
@@ -42,7 +42,7 @@
           <param name="blocked">externalResult</param>
         </interceptor-ref>
         <interceptor-ref name="redbackSecureActions">
-          <param name="enableReferrerCheck">true</param>
+          <param name="enableReferrerCheck">false</param>
         </interceptor-ref>
         <interceptor-ref name="redbackPolicyEnforcement"/>
         <interceptor-ref name="configuration"/>
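Review bot: Setting `enableReferrerCheck` to `false` on the `redbackSecureActions` reference here, and again in the `@@ -60,7 +60,7 @@` hunk, removes the only CSRF defence visible in these interceptor stacks without a token-based replacement, so the default deployment now depends on authentication and authorization alone against forged cross-site requests. The trade-off may be justified by the user-agent breakage the docs hunk mentions, but nothing in struts.xml records that, and a later reader will assume the check is active; I would put above each param `<!-- Referrer-based CSRF check is off by default (MRM-1445): it breaks some user agents. Set to true to enable; see adminguide/customising-security. -->`. The example in the docs hunk above also shows `false` directly under the sentence telling the reader how to enable the check, so it illustrates the disabled value rather than the one to set. Both interceptor stacks begin and end outside these hunks.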
@@ -60,7 +60,7 @@
         <interceptor-ref name="defaultStack"/>
         <interceptor-ref name="redbackPolicyEnforcement"/>
         <interceptor-ref name="redbackSecureActions">
-          <param name="enableReferrerCheck">true</param>
+          <param name="enableReferrerCheck">false</param>
         </interceptor-ref>
         <interceptor-ref name="validation">
           <param name="excludeMethods">input,back,cancel,browse</param>