This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 645d419574f24ab7e9218ec9ad7373fb98601b06
Merge: 768353a 8ee522e
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Apr 4 17:52:06 2020 +0200

Merge branch 'trunk' into POC-for-CSRF-Token-OFBIZ-11306

 applications/datamodel/DATAMODEL_CHANGES.md | 15 +++++++++++++++
 framework/security/config/security.properties | 3 +--
 .../template/includes/AjaxAutocompleteOptions.ftl | 2 +-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --cc framework/security/config/security.properties
index 525b247,b65cc24..e019061
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@@ -155,22 -155,3 +155,21 @@@ security.token.key=security.token.ke
  # -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed
  SameSiteCookieAttribute=
- 
 +# -- The cache size for the Tokens Maps that stores the CSRF tokens.
 +# -- RemoveEldestEntry is used when it's get above csrf.cache.size
 +# -- Default is 5000
 +# -- TODO: separate tokenMap from partyTokenMap
 +csrf.cache.size=
 +
 +# -- Parameter name for CSRF token. Default is "csrf" if not specified
 +csrf.tokenName.nonAjax=
 +
 +# -- The csrf.entity.request.limit is used to show how to avoid cluttering the Tokens Maps cache with URIs starting with "entity/"
 +# -- It can be useful with large Database contents, ie with a large numbers of tuples, like "entity/edit/Agreement/10000, etc.
 +# -- The same principle can be extended to other cases similar to "entity/" URIs (harcoded or using similar properties).
 +# -- Default is 3
 +csrf.entity.request.limit=
 +
 +# csrf defense strategy. Default is org.apache.ofbiz.security.CsrfDefenseStrategy if not specified.
 +# use org.apache.ofbiz.security.NoCsrfDefenseStrategy to disable CSRF check totally.
- csrf.defense.strategy=
++csrf.defense.strategy=
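Review bot: The `# csrf defense strategy` block that closes the hunk is the only comment here without the `# --` prefix every other comment in this file uses, and it documents the one setting whose mis-configuration removes a security control outright, so it deserves the most careful wording. Suggest `# -- CSRF defense strategy: fully-qualified class name. Default is org.apache.ofbiz.security.CsrfDefenseStrategy if not specified.` followed by `# -- org.apache.ofbiz.security.NoCsrfDefenseStrategy disables the CSRF check entirely; leave this unset in any deployment that serves end users.` The earlier comments also carry typos worth fixing while this hunk is being touched: `harcoded` → `hardcoded`, `it's get above` → `it gets above`, `ie with a large numbers` → `i.e. with a large number`. The `- csrf.defense.strategy=` / `++csrf.defense.strategy=` pair at the end reads as a whitespace-only conflict resolution, which is worth confirming against both parents, and the `@@@` header's line counts suggest one trailing context line (probably blank) beyond what is visible here.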