Hi all,
Here are the things I did to add Rack::Csrf (to prevent Cross Site Request Forgery) to RubyCas Server:
# Add to Gemfile:
gem 'rack_csrf'
-----------------------
# Add to config.ru:
use Rack::Session::Cookie
use Rack::Csrf
---------------------------
# diff in lib/casserver/server.rb
@@ -134,6 +135,10 @@ module CASServer
end
def self.reconfigure!(config)
+ enable :sessions
+ use Rack::Session::Cookie, :secret => "put your token here"
+ use Rack::Csrf, :raise => true
+ set :protection, :except => [:remote_token, :remote_referrer]
config.each do |key, val|
self.config[key] = val
end
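Review bot: The session secret on the `use Rack::Session::Cookie` line is a hard-coded placeholder string, so if this ships as written every deployment signs its session cookie (and therefore the CSRF token stored in it) with the same publicly known value, and an attacker who knows it can mint valid sessions; the secret must be read from deployment configuration instead, e.g. `use Rack::Session::Cookie, :secret => config.fetch(:session_secret)` (key name illustrative), and the method should fail loudly when it is absent. Since `:raise => true` makes Rack::Csrf raise on a missing or invalid token rather than answering 403, the server also needs an error handler for that exception, otherwise users get a 500 page. `enable :sessions` together with an explicit `use Rack::Session::Cookie` appears to stack two session middlewares under Sinatra, and because these `use` calls sit inside `reconfigure!` they are presumably re-added on every call — worth confirming and moving to one-time setup. The `set :protection, :except => [:remote_token, :remote_referrer]` line deserves a comment stating that Rack::Protection's own CSRF checks are disabled because Rack::Csrf replaces them, e.g. `# Rack::Csrf handles CSRF; disable Rack::Protection's overlapping checks`. The body of `reconfigure!` continues past the end of the hunk.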
----------------------------------
# diff in lib/casserver/views/_login_form.erb
@@ -1,6 +1,7 @@
<%# coding: UTF-8 -%>
<form method="post" action="<%= @form_action || "login" %>" id="login-form"
onsubmit="submitbutton = document.getElementById('login-submit'); submitbutton.value='<%= _
+ <%= Rack::Csrf.tag(env) %>
<table id="form-layout">
<tr>
<td id="username-label-container">
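Review bot: The token is emitted only in this login form, and with Rack::Csrf configured to raise in server.rb any other form or endpoint in this server that accepts a POST, including non-browser clients posting credentials, will now be rejected unless it also renders `<%= Rack::Csrf.tag(env) %>` or is excluded with the middleware's `:skip` option; the remaining views and routes should be audited for that. A short ERB comment above the tag would help the next maintainer, e.g. `<%# hidden CSRF token; Rack::Csrf rejects POSTs that lack it -%>`. The `<form>` element opened on the line above the addition continues beyond what is quoted in this hunk.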
Hope that helps,
Tina