Thursday, September 15, 2011

Rails 3.1 CSRF token authenticity for JSON Content Type


When designing a REST API for one of my resources, I am getting a warning message like this in the logs:

> WARNING: Can't verify CSRF token authenticity


This should NOT be happening, as I am accessing my resource through a JSON API with a POST request. The following Rails file:

rails/actionpack/lib/action_controller/metal/request_forgery_protection.rb

clearly states

"Only HTML and JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication scheme there anyway). Also, GET requests are not protected as these should be idempotent."

In addition to this message in the logs, the Rails code also "resets" my non-existent session. Doing a little digging shows a problem in this function:

There is no check on the content type there. By the way, you can easily set the content type of your request in a curl request like this:
> curl -H "Content-Type: application/json" -d '{"email":"abc@xyz.com", "password":"xyzc123"}' http://localhost:3000/sessions.json -i
Comparing the same code to Rails 3.0:


def verified_request?
  !protect_against_forgery? || request.forgery_whitelisted? ||
    form_authenticity_token == params[request_forgery_protection_token]
end
I see the additional check `request.forgery_whitelisted?`, which ends up checking for JSON and XML content types and returns true for them. I plan to submit a bug, and in the meantime you can work around it by overriding

in your controller or application controller. Good luck!
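To make the difference between the two behaviours concrete, here is an added example (my own, not code from the post or from Rails) that models the `verified_request?` decision on a stand-in request object, so the 3.0 whitelist, the 3.1 check and a possible override can be run side by side without booting Rails. `ApiRequest`, `verified_request_3_0?`, `verified_request_3_1?`, `verified_request_hardened?`, the `Token <value>` Authorization header and the sample requests are all constructed assumptions. The third variant is the override I would actually ship: it only exempts JSON/XML requests that present a credential other than the session cookie, because a request that is whitelisted purely on its content type still carries the cookie, which is exactly the forgery the token check exists to stop; the Rails comment quoted above presumes an API has "a different authentication scheme" for that reason.

```ruby
require 'securerandom'

# Constructed stand-in for ActionDispatch::Request carrying only the fields the
# forgery check consults (all names here are assumptions, not Rails' API).
ApiRequest = Struct.new(:verb, :content_type, :params, :headers, keyword_init: true) do
  def get?
    verb == 'GET'
  end

  # Mirrors what the post says forgery_whitelisted? looked for in 3.0: a JSON
  # or XML media type, ignoring any charset parameter.
  def json_or_xml?
    media_type = content_type.to_s.split(';').first.to_s.strip
    %w[application/json application/xml].include?(media_type)
  end
end

PROTECTION_TOKEN = :authenticity_token

# Rails 3.0 behaviour as the post describes it: a JSON/XML request is
# "whitelisted" and skips the token comparison altogether.
def verified_request_3_0?(request, session_token)
  request.get? || request.json_or_xml? ||
    request.params[PROTECTION_TOKEN] == session_token
end

# Rails 3.1 behaviour as the post describes it: no content-type exemption, so a
# JSON POST that carries no token fails verification and the warning is logged.
def verified_request_3_1?(request, session_token)
  request.get? || request.params[PROTECTION_TOKEN] == session_token
end

# Hypothetical hardened override: exempt JSON/XML from the token check only when
# the request proves itself with a non-cookie credential (here a constructed
# "Token <value>" Authorization header), the "different authentication scheme"
# the Rails comment quoted in the post presumes for an API.
def verified_request_hardened?(request, session_token, api_token)
  return true if request.get?
  return true if request.params[PROTECTION_TOKEN] == session_token

  request.json_or_xml? && request.headers['Authorization'] == "Token #{api_token}"
end

# Constructed sample values and traffic, modelled on the curl call in the post.
SESSION_TOKEN = SecureRandom.hex(16)
API_TOKEN     = SecureRandom.hex(16)

def sample_requests
  {
    json_no_token: ApiRequest.new(
      verb: 'POST', content_type: 'application/json',
      params: { email: 'abc@xyz.com', password: 'xyzc123' }, headers: {}
    ),
    json_with_api_token: ApiRequest.new(
      verb: 'POST', content_type: 'application/json; charset=utf-8',
      params: { email: 'abc@xyz.com', password: 'xyzc123' },
      headers: { 'Authorization' => "Token #{API_TOKEN}" }
    ),
    form_good_token: ApiRequest.new(
      verb: 'POST', content_type: 'application/x-www-form-urlencoded',
      params: { PROTECTION_TOKEN => SESSION_TOKEN }, headers: {}
    ),
    form_bad_token: ApiRequest.new(
      verb: 'POST', content_type: 'application/x-www-form-urlencoded',
      params: { PROTECTION_TOKEN => 'forged' }, headers: {}
    )
  }
end

# Runs every sample request through the three checks and returns the verdicts.
def compare_checks
  sample_requests.transform_values do |req|
    {
      rails_3_0: verified_request_3_0?(req, SESSION_TOKEN),
      rails_3_1: verified_request_3_1?(req, SESSION_TOKEN),
      hardened:  verified_request_hardened?(req, SESSION_TOKEN, API_TOKEN)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  compare_checks.each { |name, verdicts| puts "#{name}: #{verdicts}" }
end
```

Running it shows the JSON POST with no token passing under the 3.0 rule, failing under 3.1 (that is the warning in the logs), and passing the hardened check only when the API token header is present; form posts behave identically under all three. In a real application the override would live in `ApplicationController` as a `verified_request?` that returns `super` or the extra API-credential condition (an assumption about where to hook it, not something the post states).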


Thursday, December 9, 2010

Multicast Firewall Load Sharing on Checkpoint ClusterXL Firewalls with Cisco Devices

Configuring multicast load sharing on Checkpoint firewalls running ClusterXL when the routers/switches on either side of the firewalls are Cisco devices has always been a mystery. Checkpoint has support articles on how to configure it, but there is no straightforward direction on their website or in their documentation, and the documentation points to older Cisco models. This techtorial gives a brief overview of the commands and procedure involved in getting multicast load sharing working.