Protection from CSRF attacks during integration with bpm'online
Starting with version 7.10, bpm'online has a mechanism for protection from CSRF attacks. To keep working with the protection enabled, integration code that uses DataService or OData must be updated as described below.
During integration with third-party applications, authentication via the AuthService.svc service must be passed first. After a successful authentication, AuthService returns an authentication cookie that must be added to every subsequent request, together with a cookie carrying a CSRF token (BPMCSRF) whose value must also be placed in the request header of the same name. The token must travel in a header because a forged cross-site request issued from a browser carries the cookies automatically but cannot add a custom header.
Examples of using authentication cookies are available in the “External requests authentication to bpm'online services”, “OData” and “DataService web service” articles.
Before CSRF protection was introduced, integration code already handled the SendingRequest event of the DataServiceContext (raised when a new HttpWebRequest instance is created) with a method that performed user authentication and passed the cookies on. With CSRF protection in place, that method must additionally copy the CSRF token into the request header:
```csharp
using System;
using System.Data.Services.Client;
using System.Net;

// Handler for the DataServiceContext.SendingRequest event. LoginClass and its
// static AuthCookie container come from the authentication example referenced
// above; authServiceUri is assumed to hold the AuthService.svc URI and to be
// defined in the same client class.
static void OnSendingRequestCookie(object sender, SendingRequestEventArgs e)
{
    // Call the LoginClass method that authenticates the user via AuthService.svc.
    LoginClass.TryLogin("BPMUserName", "BPMUserPassword");
    var req = (HttpWebRequest)e.Request;
    // Attach the authentication cookies to the data request.
    req.CookieContainer = LoginClass.AuthCookie;
    // Copy the CSRF token from the BPMCSRF cookie into the BPMCSRF request header.
    CookieCollection cookieCollection = LoginClass.AuthCookie.GetCookies(new Uri(authServiceUri));
    string csrfToken = cookieCollection["BPMCSRF"].Value;
    req.Headers.Add("BPMCSRF", csrfToken);
}
```
NOTE
An example of using the OnSendingRequestCookie() method is available in the “Working with bpm'online objects over the OData protocol WCF-client” article.
ATTENTION
Protection from CSRF attacks works only if Forms authentication is used.
How to disable CSRF attack protection
To disable protection from CSRF attacks, set the UseCsrfToken setting to false (it is true by default) in both the .\Web.Config and .\Terrasoft.WebApp\Web.Config files:
<add key="UseCsrfToken" value="false" />
You can also list service methods that are called without validating the CSRF token, using the DisableCsrfTokenValidationForPaths setting in .\Web.Config. Every path listed there becomes reachable by a forged cross-site request, so limit the list to endpoints that do not change state.
Example of disabling CSRF protection for two different methods of different services:
<add key="DisableCsrfTokenValidationForPaths" value="/MsgUtilService.svc/Ping,/AuthService.svc/Login" />
Example of disabling CSRF protection for one service completely:
<add key="DisableCsrfTokenValidationForPaths" value="/ServiceModel/service_name" />
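The following is an added example, not bpm'online code, written in Python rather than as a WCF client so that both sides of the exchange can run offline. It models the token handling described above (collect the cookies returned by AuthService.svc/Login, echo the BPMCSRF cookie value in the BPMCSRF header) and the two Web.config switches from this section. Assumptions, not taken from the page: the server accepts a request when the BPMCSRF header equals the BPMCSRF cookie (double-submit cookie pattern); an entry of DisableCsrfTokenValidationForPaths exempts a request when it occurs in the request path; the .ASPXAUTH cookie name, all token values and the request path are constructed.

```python
# Added example, not bpm'online/Creatio code. Models the BPMCSRF double-submit
# flow on both sides so it runs offline. Assumed: the server compares the
# BPMCSRF header with the BPMCSRF cookie; cookie names other than BPMCSRF,
# token values and the substring rule for exempt paths are constructed here.
import hmac
from http.cookies import SimpleCookie

CSRF_NAME = "BPMCSRF"

# Constructed Set-Cookie headers standing in for a successful
# AuthService.svc/Login response under Forms authentication. Values are fake.
LOGIN_SET_COOKIE_HEADERS = [
    ".ASPXAUTH=6D2A0C9E7F3B; path=/; HttpOnly",  # assumed Forms-auth cookie name
    "BPMCSRF=5f0c1a2b-3d4e-4f60-8a7b-9c0d1e2f3a4b; path=/",
]


def cookies_from_login(set_cookie_headers):
    """Client side: collect the cookies returned by AuthService (the role of
    LoginClass.AuthCookie in the C# handler above)."""
    jar = {}
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = morsel.value
    return jar


def build_request(jar, method, path, body=None):
    """Client side: what OnSendingRequestCookie does - send the auth cookies and
    copy the BPMCSRF cookie value into a request header of the same name."""
    if CSRF_NAME not in jar:
        raise KeyError("login response carried no %s cookie" % CSRF_NAME)
    headers = {
        "Cookie": "; ".join("%s=%s" % (k, v) for k, v in jar.items()),
        CSRF_NAME: jar[CSRF_NAME],
    }
    return {"method": method, "path": path, "headers": headers, "body": body}


class CsrfConfig:
    """The two Web.config switches from this page."""

    def __init__(self, use_csrf_token=True, disabled_paths=""):
        self.use_csrf_token = use_csrf_token
        self.disabled_paths = [p.strip() for p in disabled_paths.split(",") if p.strip()]

    def is_exempt(self, path):
        # Assumed matching rule: an entry exempts a request when it occurs in the
        # request path, so "/MsgUtilService.svc/Ping" exempts one method and
        # "/ServiceModel/MsgUtilService.svc" exempts every method of that service.
        return any(entry in path for entry in self.disabled_paths)


def _request_cookies(request):
    jar = {}
    for part in request["headers"].get("Cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def validate_csrf(request, config):
    """Server side (assumed model): accept when protection is off or the path is
    exempt; otherwise require a BPMCSRF header equal to the BPMCSRF cookie."""
    if not config.use_csrf_token or config.is_exempt(request["path"]):
        return True
    token_cookie = _request_cookies(request).get(CSRF_NAME, "")
    token_header = request["headers"].get(CSRF_NAME, "")
    if not token_cookie or not token_header:
        return False
    return hmac.compare_digest(token_cookie, token_header)


def demo():
    """Run the scenarios a practitioner should check; returns {name: accepted}."""
    jar = cookies_from_login(LOGIN_SET_COOKIE_HEADERS)
    protected = CsrfConfig(use_csrf_token=True, disabled_paths="/MsgUtilService.svc/Ping")
    data_path = "/0/ServiceModel/EntityDataService.svc/InsertQuery"  # constructed path
    good = build_request(jar, "POST", data_path, body="{}")
    # A forged cross-site request: the browser attaches the cookies automatically,
    # but a page on another origin cannot add the custom BPMCSRF header.
    forged = dict(good, headers={"Cookie": good["headers"]["Cookie"]})
    stale = dict(good, headers=dict(good["headers"], BPMCSRF="00000000-0000-0000-0000-000000000000"))
    ping = dict(forged, path="/0/ServiceModel/MsgUtilService.svc/Ping")
    return {
        "cookie_and_matching_header": validate_csrf(good, protected),
        "cookies_only_forged": validate_csrf(forged, protected),
        "header_mismatch": validate_csrf(stale, protected),
        "exempt_path_no_header": validate_csrf(ping, protected),
        "protection_disabled": validate_csrf(forged, CsrfConfig(use_csrf_token=False)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-28s %s" % (name, "accepted" if accepted else "rejected"))
```

The "cookies_only_forged" case is the one the protection exists for: a request that carries a valid authentication cookie but no matching BPMCSRF header is rejected, while the same request is accepted once the path is exempted or UseCsrfToken is set to false, which is why both settings should be changed only deliberately.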