Adding Rack::Csrf to RubyCas Server


Tina Tsui

Nov 2, 2012, 9:48:29 AM
to rubycas...@googlegroups.com
Hi all,

Here are the things I did to add Rack::Csrf (to prevent Cross Site Request Forgery) to RubyCas Server:

#Add to Gemfile:

gem 'rack_csrf'

-----------------------
#Add to config.ru
use Rack::Session::Cookie
use Rack::Csrf


---------------------------
# diff in lib/casserver/server.rb

@@ -134,6 +135,10 @@ module CASServer
     end

     def self.reconfigure!(config)
+      enable :sessions
+      use Rack::Session::Cookie, :secret => "put your token here"
+      use Rack::Csrf, :raise => true
+      set :protection, :except => [:remote_token, :remote_referrer]
       config.each do |key, val|
         self.config[key] = val
       end
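Review bot: the session secret is a literal string (`use Rack::Session::Cookie, :secret => "put your token here"`) inside lib/casserver/server.rb, so it lands in version control and is identical for everyone who applies this patch; read it from the server config instead (the follow-up in this thread adds a csrf_secret_token key to config.yml for exactly that). Two smaller points in the same hunk: the config.ru snippet earlier in the post also adds `use Rack::Session::Cookie` and `use Rack::Csrf`, so with both in place the middleware is stacked twice (pick one location), and `:raise => true` turns a missing or stale token into an unhandled exception rather than a 403 response, which needs a rescue before this runs in production.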

----------------------------------
# diff in lib/casserver/views/_login_form.erb

@@ -1,6 +1,7 @@
 <%# coding: UTF-8 -%>
 <form method="post" action="<%= @form_action || "login" %>" id="login-form"
       onsubmit="submitbutton = document.getElementById('login-submit'); submitbutton.value='<%= _
+ <%= Rack::Csrf.tag(env) %>
   <table id="form-layout">
     <tr>
       <td id="username-label-container">
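Review bot: the hidden token field is added to _login_form.erb only, so every other POST form the server renders needs the same `<%= Rack::Csrf.tag(env) %>` line, otherwise Rack::Csrf rejects those submissions as soon as it is enabled in server.rb. The tag also relies on the session being set up before the view renders, so keep `use Rack::Session::Cookie` ahead of `use Rack::Csrf` as the server.rb hunk does. Style nit: the added line is indented one space less than the `<table>` that follows it.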



Hope that helps,
Tina



Tina Tsui

Nov 2, 2012, 10:04:45 AM
to rubycas...@googlegroups.com
One more change that I left out before

# git diff config.ru

 $:.unshift "#{File.dirname(__FILE__)}/lib"
 require "casserver"
+require "rack/csrf"
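Review bot: `Rack::Csrf` is referenced in lib/casserver/server.rb (`use Rack::Csrf, :raise => true` in reconfigure!), so `require "rack/csrf"` belongs in that file next to its use rather than in config.ru; as posted, loading the server through any entry point other than this config.ru raises NameError for the constant. It only works here because `use` is evaluated inside reconfigure! after config.ru has finished its requires.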


Adam Bardsley

Nov 2, 2012, 12:12:20 PM
to rubycas...@googlegroups.com
Looks very useful but had a thought. Would it make sense to move the token for this to the config and generate a random one if missing at startup?

--
Digital Services Development Manager
Adam Bardsley

--
You received this message because you are subscribed to the Google Groups "RubyCAS" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubycas-server/-/v9khaeCGskgJ.

Tina Tsui

Nov 5, 2012, 1:40:15 PM
to rubycas...@googlegroups.com
Yes, that should be fairly easy to do.

Just add the following line in config.yml:

csrf_secret_token:  aaaaa

and change in lib/casserver/server.rb:

use Rack::Session::Cookie, :secret => config[:csrf_secret_token]

Of course, make sure your config.yml is not world readable.
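As an added example (not code from this thread, from rubycas-server or from the rack_csrf gem), a stdlib-only stand-in that mirrors the synchronizer-token check Rack::Csrf performs in the first post and the config-or-random secret handling discussed in the later replies. Assumptions: the session is a Hash in env["rack.session"] as Rack::Session::Cookie supplies it, the form field is named `_csrf` and the session key `csrf.token` (rack_csrf's defaults), and config is a Hash carrying the `:csrf_secret_token` key from this thread.

```ruby
require "securerandom"
require "stringio"
require "uri"

# Secret selection as discussed in the thread: use config[:csrf_secret_token]
# from config.yml when present, otherwise generate a random one at startup.
# Assumption: config is a Hash with symbol keys, as RubyCAS loads config.yml.
def csrf_secret(config)
  secret = config[:csrf_secret_token].to_s.strip
  secret.empty? ? SecureRandom.hex(32) : secret
end

# Stand-in for Rack::Csrf written for this example (not the gem): a
# synchronizer token kept in the session and echoed back in a "_csrf" field.
class CsrfGuard
  class InvalidToken < StandardError; end
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize(app, raise_on_failure: false)
    @app = app
    @raise = raise_on_failure # mirrors Rack::Csrf's :raise => true option
  end

  def call(env)
    session = env["rack.session"] ||= {}          # provided by Rack::Session::Cookie
    session["csrf.token"] ||= SecureRandom.base64(32)
    return @app.call(env) if SAFE_METHODS.include?(env["REQUEST_METHOD"])

    input = env["rack.input"]
    body = input ? input.read : ""
    input.rewind if input.respond_to?(:rewind)   # leave the body for the app
    sent = URI.decode_www_form(body).to_h["_csrf"].to_s
    return @app.call(env) if constant_time_equal?(sent, session["csrf.token"])
    raise InvalidToken, "CSRF token missing or invalid" if @raise
    [403, { "Content-Type" => "text/plain" }, ["Forbidden: invalid CSRF token"]]
  end

  # Hidden input for the login form, the equivalent of Rack::Csrf.tag(env).
  def self.tag(env)
    %(<input type="hidden" name="_csrf" value="#{env["rack.session"]["csrf.token"]}" />)
  end

  private
  # Byte-wise compare that does not stop at the first mismatch.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Wire it as `use CsrfGuard, :raise_on_failure => false` after the session middleware; the 403 branch is the safer default for a login endpoint than the raising one.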