How to expose a .properties file to spring-context in openmrs-core

Hello people!

It’s two days now since I started adding OWASP CSRFGuard into openmrs-core because this library provides better functionality than in the draft TRUNK-6041: Added csrf Token to user session by jnsereko · Pull Request #173 · openmrs/openmrs-module-legacyui · GitHub

However, I am getting an error, SEVERE: Exception sending context initialized event to listener - Pastebin.com, which I think is caused because the CsrfGuardServletContextListener listener is failing to access the Owasp.CsrfGuard.properties, or it accesses it but fails to process it.

What could be the possible cause of this error?

cc @ibacher @dkayiwa @burke @mozzy @reagan @tendomart and anyone willing to help

Below are my additions…

pom.xml

<dependency>
	<groupId>org.owasp</groupId>
	<artifactId>csrfguard</artifactId>
	<version>${owaspCsrfGuardVersion}</version>
</dependency>
<dependency>
	<groupId>org.owasp</groupId>
	<artifactId>csrfguard-extension-session</artifactId>
	<version>${owaspCsrfGuardVersion}</version>
</dependency>
<dependency>
	<groupId>org.owasp</groupId>
	<artifactId>csrfguard-jsp-tags</artifactId>
	<version>${owaspCsrfGuardVersion}</version>
</dependency>
...
<owaspCsrfGuardVersion>4.0.0</owaspCsrfGuardVersion>

webapp/pom.xml (same as above without the version property)

web.xml

	<context-param>
		<param-name>Owasp.CsrfGuard.Config</param-name>
		<param-value>classpath:Owasp.CsrfGuard.properties</param-value>
	</context-param>
.........
	<listener>
		<listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
	</listener>

	<listener>
		<listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
	</listener>

	<filter>
		<filter-name>CSRFGuard</filter-name>
		<filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
	</filter>

	<context-param>
		<param-name>Owasp.CsrfGuard.Config.Print</param-name>
		<param-value>true</param-value>
	</context-param>

	<filter-mapping>
		<filter-name>CSRFGuard</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<servlet>
		<servlet-name>JavaScriptServlet</servlet-name>
		<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
		<init-param>
			<param-name>inject-into-attributes</param-name>
			<param-value>true</param-value>
		</init-param>
	</servlet>

	<servlet-mapping>
		<servlet-name>JavaScriptServlet</servlet-name>
		<url-pattern>/JavaScriptServlet</url-pattern>
	</servlet-mapping>

WEB-INF/Owasp.CsrfGuard.properties

org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.JavaLogger
org.owasp.csrfguard.configuration.provider.factory=org.owasp.csrfguard.config.overlay.ConfigurationAutodetectProviderFactory
org.owasp.csrfguard.Enabled=true
org.owasp.csrfguard.Protect=true
org.owasp.csrfguard.ValidateWhenNoSessionExists=true
org.owasp.csrfguard.Ajax=true
org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log
org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, method:%request_method%, uri:%request_uri%, error:%exception_message%)
org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect
org.owasp.csrfguard.action.Redirect.Page=%servletContext%/error.html
org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate
org.owasp.csrfguard.TokenName=OWASP-CSRFTOKEN
org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN
org.owasp.csrfguard.TokenLength=32
org.owasp.csrfguard.PRNG=SHA1PRNG
org.owasp.csrfguard.PRNG.Provider=SUN
org.owasp.csrfguard.Config.Print=true
org.owasp.csrfguard.JavascriptServlet.sourceFile= 
org.owasp.csrfguard.JavascriptServlet.domainStrict=true
org.owasp.csrfguard.JavascriptServlet.cacheControl=private, maxage=28800
org.owasp.csrfguard.JavascriptServlet.injectIntoForms=true
org.owasp.csrfguard.JavascriptServlet.injectGetForms=true
org.owasp.csrfguard.JavascriptServlet.injectFormAttributes=true
org.owasp.csrfguard.JavascriptServlet.injectIntoAttributes=true
org.owasp.csrfguard.JavascriptServlet.xRequestedWith=OWASP CSRFGuard Project
org.owasp.csrfguard.configOverlay.hierarchy=classpath:Owasp.CsrfGuard.properties

First of all, do you need all these three dependencies that you are trying to add?

Did you correctly specify the location of your .properties file?

Try changing this

<context-param>
	<param-name>Owasp.CsrfGuard.Config</param-name>
	<param-value>classpath:Owasp.CsrfGuard.properties</param-value>
</context-param>

to this


<context-param>
	<param-name>Owasp.CsrfGuard.Config</param-name>
	<param-value>/WEB-INF/Owasp.CsrfGuard.properties</param-value>
</context-param>

Did you get a successful build on introducing the library before any code changes?

Can you also share the full PR?

Yes @herbert24 I need them otherwise I will get java.lang.ClassNotFoundException: org.owasp.csrfguard.CsrfGuardHttpSessionListener

Yes @tendomart, the build was successful on adding the org.owasp.csrfguard before and after making any configurations. The errors I get are from starting the sdk with core watched.

Have you tried the slight path change above?

The sdk is starting with the change.

@tendomart I think it's now reading the Owasp.CsrfGuard.properties file but there is some other broken configuration. org.owasp.csrfguard.LogicalSessionExtractor is missing from the configuration! - Pastebin.com

I am going to first look through the broken config. Thank you so much.

@tendomart, I have solved the config error, am left with correct configuration redirections

Good to know, you’re unblocked. :relaxed: :relaxed:

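The two failures in this thread (a config value pointing where the file is not, then a missing key) can be caught before starting the server. The following is an added example, not code from the thread or from CSRFGuard: it assumes a `classpath:` value can only be satisfied from `WEB-INF/classes` (jars are ignored) and that any other value is a path relative to the webapp root; `preflight`, `make_sample` and the sample webapp are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PARAM = "Owasp.CsrfGuard.Config"
REQUIRED_KEYS = ["org.owasp.csrfguard.LogicalSessionExtractor"]  # named in the thread's second error

def config_param(web_xml: Path):
    """Return the Owasp.CsrfGuard.Config context-param value, or None."""
    strip = lambda tag: tag.split("}")[-1]  # drop any XML namespace
    for el in ET.parse(web_xml).getroot().iter():
        kids = {strip(c.tag): (c.text or "").strip() for c in el}
        if strip(el.tag) == "context-param" and kids.get("param-name") == PARAM:
            return kids.get("param-value")

def resolve(webapp: Path, value: str) -> Path:
    """Assumed mapping: classpath: means WEB-INF/classes, else webapp-relative."""
    if value.startswith("classpath:"):
        return webapp / "WEB-INF" / "classes" / value[len("classpath:"):]
    return webapp / value.lstrip("/")

def load_properties(path: Path) -> dict:
    # Minimal key=value reader: no continuation lines or escapes.
    pairs = (l.strip().partition("=") for l in path.read_text(encoding="utf-8").splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and not k.startswith(("#", "!"))}

def preflight(webapp: Path) -> list:
    """Return findings for an exploded webapp; an empty list means it passed."""
    value = config_param(webapp / "WEB-INF" / "web.xml")
    if value is None:
        return [f"context-param {PARAM} is not set"]
    target = resolve(webapp, value)
    if not target.is_file():
        return [f"{value} -> {target.relative_to(webapp).as_posix()} not found"]
    props = load_properties(target)
    return [f"missing key {k}" for k in REQUIRED_KEYS if k not in props]

def make_sample(root: Path, param_value: str, props: str) -> Path:
    """Constructed webapp: properties file placed directly under WEB-INF/."""
    (root / "WEB-INF").mkdir(parents=True)
    (root / "WEB-INF" / "web.xml").write_text(
        f"<web-app><context-param><param-name>{PARAM}</param-name>"
        f"<param-value>{param_value}</param-value></context-param></web-app>")
    (root / "WEB-INF" / "Owasp.CsrfGuard.properties").write_text(props)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(preflight(make_sample(Path(d) / "app", "classpath:Owasp.CsrfGuard.properties", "")))
```

A CSRF filter whose configuration fails to load should block deployment rather than be worked around, so a check like this belongs in the build or CI step that packages the WAR.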