CSRF Protection Configuration for Clarity

Article ID: 4017

Updated On:

Products

Clarity PPM On Premise

Issue/Introduction

A recent security audit by a third-party security consultancy highlighted that the web application (Clarity) did not offer any protection against Cross-Site Request Forgery (CSRF) attacks. This was confirmed by the fact that no unique token was supplied with each request: a captured request (for example, one that edits a user account) could be replayed numerous times without any requirement for a unique token bound to the session ID.

Environment

All supported Clarity releases

Cause

Lack of token-based request validation in the application. The configuration described below has been available since Clarity 13.x.

Resolution

CSRF attacks are prevented through the use of session tokens. To configure CSRF protection and mitigate the finding, follow the steps below, choosing one of the supported strategy settings listed.

Clarity has had a configurable set of CSRF strategies since Clarity 13.2. The allowed values are:

  • none - No CSRF token is generated and no request is validated. This is the default setting for on-premise installations and is acceptable only if Clarity is reachable solely from behind your corporate firewall. Customers upgrading from an earlier release get this setting automatically.
  • request - A new token is generated for each request and validated against a limited-size cache in the user session. Because that cache can be exhausted, this strategy can produce false-positive validation errors, especially for users who work with multiple Clarity tabs open.
  • session - A single token is generated for the user session and used to validate every request. This is the recommended strategy for customer installations.

Configuration is done by manually setting an attribute of the applicationServer element in the properties.xml file:

  • Stop all the Clarity services and take a backup copy of properties.xml, found under the clarity_home\config folder.
  • Edit properties.xml and add tokenCacheStrategy="session" to the applicationServer element.
    • Use this sample as an example of where the setting goes:
       <applicationServer vendor="tomcat" useLdap="false" home="/opt/tomcat" adminPassword="xxxx" externalUrl="" tokenCacheCapacity="0" tokenCacheStrategy="session" disableApiAccess="false" notifyThreadPool="20">
  • Restart all the Clarity services. In a clustered deployment, make the same change on every server in the cluster before restarting.
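Because the setting must be present on every node and an absent attribute silently leaves the installation on the default "none" strategy, it is worth verifying the file rather than trusting the edit. The following script is an added example written for this article, not code shipped with Clarity: it parses a properties.xml, reports the effective tokenCacheStrategy on the applicationServer element, and can produce a corrected copy. The sample XML is constructed for the example and the <properties> root element is an assumption; only the applicationServer element and its attributes come from the article.

```python
import xml.etree.ElementTree as ET

# Strategy values the article documents for the applicationServer element.
VALID_STRATEGIES = {"none", "request", "session"}
RECOMMENDED_STRATEGY = "session"

# Constructed sample properties.xml in which the attribute has not been added yet.
# The <properties> root is an assumption; a real file contains many more elements.
SAMPLE_PROPERTIES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<properties>
  <applicationServer vendor="tomcat" useLdap="false" home="/opt/tomcat"
      adminPassword="xxxx" externalUrl="" tokenCacheCapacity="0"
      disableApiAccess="false" notifyThreadPool="20"/>
</properties>
"""


def _find_app_server(root: ET.Element) -> ET.Element:
    """Locate the applicationServer element that carries the CSRF setting."""
    app_server = root.find(".//applicationServer")
    if app_server is None:
        raise ValueError("no applicationServer element found in properties.xml")
    return app_server


def check_csrf_strategy(xml_text: str) -> dict:
    """Report the configured tokenCacheStrategy and whether it is the recommended one.

    A missing attribute is reported as the default 'none' strategy, which is what
    the article describes for on-premise installations.
    """
    app_server = _find_app_server(ET.fromstring(xml_text))
    configured = app_server.get("tokenCacheStrategy")
    effective = configured if configured is not None else "none"
    return {
        "configured": configured,          # raw attribute value, None if absent
        "effective": effective,            # value Clarity will act on
        "ok": effective == RECOMMENDED_STRATEGY,
    }


def set_csrf_strategy(xml_text: str, strategy: str = RECOMMENDED_STRATEGY) -> str:
    """Return a copy of the XML with tokenCacheStrategy set on applicationServer.

    Rejects values outside the documented set so a typo cannot be written to disk.
    """
    if strategy not in VALID_STRATEGIES:
        raise ValueError(
            f"unknown strategy {strategy!r}; expected one of {sorted(VALID_STRATEGIES)}"
        )
    root = ET.fromstring(xml_text)
    _find_app_server(root).set("tokenCacheStrategy", strategy)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Run against the constructed sample: flagged first, compliant after the fix.
    print("before:", check_csrf_strategy(SAMPLE_PROPERTIES_XML))
    fixed = set_csrf_strategy(SAMPLE_PROPERTIES_XML)
    print("after: ", check_csrf_strategy(fixed))
```

To audit a real cluster, run check_csrf_strategy over clarity_home\config\properties.xml on each node and treat any result where "ok" is false as a gap. Note that ElementTree re-serialises the document (it drops the XML declaration and may reorder nothing but does normalise whitespace), so for the production file the hand edit described in the steps above is the safer route; use set_csrf_strategy to generate a reference copy to diff against.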