(Access Manager 5.0 Service Pack 1 and later)
The CSRFDetectionFilter filter verifies all requests to detect and mitigate any Cross-Site Request Forgery (CSRF) attempts. By default, this filter is disabled.
This filter verifies for a session-wide anti-CSRF token that is expected in each request as a form parameter or a query parameter. If the token is not found, the filter matches the referrer header in the request with the server host and any configured exclusions.
When CSRF is detected in the request, Identity Server throws the HTTP 400 Bad Request error. When logging is enabled, you can check the reasons in the log file (catalina.out).
Perform the following steps to enable this filter:
Open the Identity Server web.xml file.
For information about how to edit a file, see Modifying Configurations
in the NetIQ Access Manager 5.0 Administration Guide.
Locate and uncomment the following snippet:
<!--<filter> <filter-name>CSRFDetectionFilter</filter-name> <filter-class>com.novell.nidp.servlets.filters.csrf.CSRFDetectionFilter</filter-class> <description> This filter is used to detect CSRF attacks in NIDS, for an authenticated session</description> <init-param> <param-name>active</param-name> <param-value>False</param-value> </init-param> <init-param> <param-name>exclude</param-name> <param-value>metadata</param-value> </init-param> <init-param> <param-name>RefererWhitelist</param-name> <param-value></param-value> </init-param> <init-param> <param-name>RequestWhitelist</param-name> <param-value>GET</param-value> </init-param> </filter> <filter-mapping> <filter-name>CSRFDetectionFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> -->
The following table lists parameters required for this filter:
Parameter |
Description |
---|---|
active |
You must set this to True to enable the filter. By default, this is set to False. |
exclude |
Specify the coma-separated paths you want to exclude in the verification by the CSRFDetectionFilter filter. For example, <init-param> <param-name>exclude</param-name> <param-value>metadata,saml2</param-value> </init-param> |
RefererWhitelist |
Specify the coma-separated domain or hostname that you want to exclude in the verification by the CSRFDetectionFilter filter. For example, <init-param> <param-name>RefererWhitelist </param-name> <param-value>www.test.com,www.idp.com</param-value> </init-param> |
RequestWhitelist |
Specify the coma-separated REST methods that you want to exclude in the verification by the CSRFDetectionFilter filter. By default, GET is included in the filter. For example, <init-param> <param-name>RequestWhitelist </param-name> <param-value>GET,POST</param-value> </init-param> |
Save the file.
To Enable the CSRF Verification for the Password Class and TOTP Class
Access Manager provides an option LOGIN CSRF CHECK to verify CSRF attempts for the Password class and TOTP class. This is applicable for Access Manager default pages. If you have modified any page, you must add the anti-CSRF token to the page.
For information about how to enable this property, see Managing a Cluster of Identity Servers > Configuring Identity Server Global Options
in the NetIQ Access Manager 5.0 Administration Guide.