TRUNK-6051 Prevent CSRF token caching

dkayiwa · dkayiwa · commit 40e464b97fdb · 2022-01-25T20:41:51.000+03:00
diff --git a/web/src/main/java/org/openmrs/web/filter/OpenmrsFilter.java b/web/src/main/java/org/openmrs/web/filter/OpenmrsFilter.java
@@ -94,11 +94,9 @@ protected void doFilterInternal(HttpServletRequest httpRequest, HttpServletRespo
 		// set the locale on the session (for the servlet container as well)
 		httpSession.setAttribute("locale", userContext.getLocale());
 		
-		//TODO We do not cache pages that have CSRF tokens. There are smarter ways of dealing
-		//with this, like loading just the CSRF token with an AJAX request and replacing the 
-		//form field value with it, and others. But i did not go into these details. So for now,
-		//i have just done the simplest which is turning off caching for pages that have CSRF tokens.
-		if (httpRequest.getParameter("OWASP-CSRFTOKEN") != null) {
+		//TODO We do not cache the csrfguard javascript file because it contains the
+		//csrf token that is dynamically embedded in forms.
+		if (httpRequest.getRequestURI().endsWith("csrfguard")) {
 			httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
 			httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
 			httpResponse.setHeader("Expires", "0"); // Proxies.
diff --git a/webapp/src/main/webapp/WEB-INF/web.xml b/webapp/src/main/webapp/WEB-INF/web.xml
@@ -134,16 +134,6 @@
         <filter-name>multipartFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
-    
-	<filter>
-        <filter-name>CSRFGuard</filter-name>
-        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
-    </filter>
-    <filter-mapping>
-        <filter-name>CSRFGuard</filter-name>
-        <!-- Filter any URL using CSRFGuard -->
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
 	
 	<!--  Should be the second filter so that all requests are first wrapped by a 
 	      hibernate filter (to help with lazy loading) -->
@@ -173,6 +163,16 @@
 		<dispatcher>INCLUDE</dispatcher>
 	</filter-mapping>
 	
+	<filter>
+        <filter-name>CSRFGuard</filter-name>
+        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>CSRFGuard</filter-name>
+        <!-- Filter any URL using CSRFGuard -->
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+	
 	<filter>
 		<filter-name>ModuleFilter</filter-name> 
 		<filter-class>org.openmrs.module.web.filter.ModuleFilter</filter-class> 
