
I have a web application built using the Spring MVC framework. I wanted to fix the CSRF vulnerability without using Spring Security, as I have other custom code enabled for user authentication/authorization. Thus I decided to use the OWASP CSRF Guard library (https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project).

I have followed the test project exactly, but when I run it locally from Eclipse as a debug build it works perfectly without any issue. But after I export the war and host it on the production server, the CSRF filter is not intercepting the requests. The CSRF token injection is happening without an issue from the JSP/JS pages. But the verification is not happening at all on the controller or filter side.

When the app starts from Eclipse the properties file is getting printed, but on the production server nothing is getting printed in the log.

web.xml

<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>

<listener>
    <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>

<context-param>
    <param-name>Owasp.CsrfGuard.Config.Print</param-name>
    <param-value>true</param-value>
</context-param>

<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>JavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
    <init-param>
        <param-name>inject-into-attributes</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>

<servlet-mapping>
    <servlet-name>JavaScriptServlet</servlet-name>
    <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>

Owasp.CsrfGuard.properties

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
org.owasp.csrfguard.Enabled=true
org.owasp.csrfguard.Protect=true
org.owasp.csrfguard.ValidateWhenNoSessionExists=true
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
org.owasp.csrfguard.TokenName=OWASP-CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG.Provider=SUN
org.owasp.csrfguard.Config.Print=true
org.owasp.csrfguard.JavascriptServlet.sourceFile= 
org.owasp.csrfguard.JavascriptServlet.domainStrict=true
org.owasp.csrfguard.JavascriptServlet.cacheControl=private, maxage=28800
org.owasp.csrfguard.JavascriptServlet.injectIntoForms=true
org.owasp.csrfguard.JavascriptServlet.injectGetForms=true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes=true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes=true
org.owasp.csrfguard.JavascriptServlet.xRequestedWith=OWASP CSRFGuard Project
org.owasp.csrfguard.configOverlay.hierarchy=classpath:Owasp.CsrfGuard.properties, classpath:Owasp.CsrfGuard.overlay.properties
org.owasp.csrfguard.configOverlay.secondsBetweenUpdateChecks=60

Owasp.CsrfGuard.overlay.properties

org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.overlay.ConfigurationOverlayProviderFactory

org.owasp.csrfguard.JavascriptServlet.refererPattern = http://localhost:8800.*
org.owasp.csrfguard.protected.somepage=/ROOT/somepage.htm 

So what I did was I disabled the CSRF token header from the front-end for this "/ROOT/somepage.htm" resource and tried to see if it's failing after enabling the CSRF protection. It failed on my local machine, but it worked without an error on the production machine.

Now I am confused why it worked on the local machine and after I export the war it didn't work at all.

This is my second day trying to figure out the issue. If someone can light me up on this, it will be highly appreciated :)

1 Answer


I have found the answer finally :D

I have to replace the following line

org.owasp.csrfguard.protected.somepage=/ROOT/somepage.htm 

with this

org.owasp.csrfguard.protected.somepage=%servletContext%/somepage.htm 

This worked like a charm!
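The accepted fix works because a protected-page entry is compared against the request URI, which includes the deployment's context path; a literal `/ROOT/...` only matches when the war happens to be deployed under `/ROOT`, and everywhere else the page is silently left unprotected (the filter fails open, which is exactly the "worked without an error on production" symptom). The following is an added example, not code from the question, the answer or the CSRFGuard project: a small checker that parses a `Owasp.CsrfGuard.properties` text, flags `org.owasp.csrfguard.protected.*` entries that do not start with `%servletContext%`, and simulates the match for the same page under two context paths. The sample properties text is constructed for the demonstration, and the exact-match semantics are a simplification (CSRFGuard's regex and wildcard page forms are not modelled).

```python
"""Added example: lint CSRFGuard protected-page entries for hardcoded context paths.

Assumptions (constructed for this example, not taken from the CSRFGuard source):
  * a protected-page value is compared to the request URI after '%servletContext%'
    is replaced by the deployment's context path, using exact string equality;
  * SAMPLE_PROPERTIES below is constructed and only mirrors the entries in the thread.
"""
from typing import Dict, List, Tuple

PROTECTED_PREFIX = "org.owasp.csrfguard.protected."
SERVLET_CONTEXT_TOKEN = "%servletContext%"

# Constructed sample: the 'before' entry from the question, the 'after' entry
# from the answer (under a different name), and an unrelated setting.
SAMPLE_PROPERTIES = """
# constructed sample, not a real deployment's file
org.owasp.csrfguard.Protect=true
org.owasp.csrfguard.protected.somepage=/ROOT/somepage.htm
org.owasp.csrfguard.protected.other=%servletContext%/other.htm
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, trimmed values."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def protected_pages(props: Dict[str, str]) -> Dict[str, str]:
    """Return the org.owasp.csrfguard.protected.* entries as {short name: page}."""
    return {k[len(PROTECTED_PREFIX):]: v for k, v in props.items() if k.startswith(PROTECTED_PREFIX)}


def resolve(page: str, context_path: str) -> str:
    """Expand %servletContext% for one deployment (context path as the container reports it)."""
    return page.replace(SERVLET_CONTEXT_TOKEN, context_path)


def is_protected(request_uri: str, pages: Dict[str, str], context_path: str) -> bool:
    """Simplified check: does the request URI equal any resolved protected page?"""
    return any(resolve(p, context_path) == request_uri for p in pages.values())


def lint_hardcoded_context(pages: Dict[str, str]) -> List[str]:
    """Flag entries that are tied to one deployment because they omit %servletContext%.

    Such an entry only matches when the war is deployed under the context path that
    was typed into the file; under any other context path the page gets no CSRF check.
    """
    findings: List[str] = []
    for name, page in pages.items():
        if not page.startswith(SERVLET_CONTEXT_TOKEN):
            findings.append(
                f"{PROTECTED_PREFIX}{name}={page}: deployment-specific path, "
                f"use {SERVLET_CONTEXT_TOKEN}/... instead"
            )
    return findings


def compare_deployments(page: str) -> Tuple[bool, bool]:
    """Match the same page under the local context '/ROOT' and a root-context production
    deployment (''), both constructed for the demonstration. Returns (local, production)."""
    pages = {"somepage": page}
    local = is_protected("/ROOT/somepage.htm", pages, "/ROOT")
    production = is_protected("/somepage.htm", pages, "")
    return local, production


if __name__ == "__main__":
    pages = protected_pages(parse_properties(SAMPLE_PROPERTIES))
    for finding in lint_hardcoded_context(pages):
        print("WARN", finding)
    print("hardcoded /ROOT path (local, production):", compare_deployments("/ROOT/somepage.htm"))
    print("%servletContext% path (local, production):", compare_deployments("%servletContext%/somepage.htm"))
```

Run against a real properties file, the lint is the check to add to a deployment pipeline: any `protected.*` or `unprotected.*` entry that does not start with `%servletContext%` is a candidate for exactly the fail-open behaviour described in the question, and the comparison function shows that the corrected entry matches under both context paths while the original matches only under `/ROOT`.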