
Remove CSRFGuard components from webapp configs #26990

Draft
Zeta201 wants to merge 1 commit into wso2:master from Zeta201:csrfguard-fix

Conversation

@Zeta201
Contributor

@Zeta201 Zeta201 commented Mar 11, 2026

Summary by CodeRabbit

  • Chores
    • Removed CSRF protection components from the application configuration.

declarations from jaggery.conf and pom.xml as these components
are now registered via OSGi HTTP Whiteboard pattern in carbon.kernel.

coderabbitai bot commented Mar 11, 2026

Walkthrough

The patch removes CSRFGuard-related security components from configuration files across the distribution and jaggery apps feature modules. Specifically, it eliminates the CSRFGuard filter-mapping from the pom.xml property and entirely removes CSRF listener, filter, filter mapping, and servlet configuration blocks from jaggery.conf.

Changes

Cohort / File(s) | Summary
Distribution POM Configuration (modules/distribution/pom.xml) | Removes the CSRFGuard filter-mapping reference from the security-header-filter-mapping-is-token property value.
Jaggery Configuration (modules/features/org.wso2.identity.jaggery.apps.feature/src/main/resources/portal/jaggery.conf) | Removes the CSRFGuard-related configuration blocks: the HTTP session listener, the filter class, the filter mapping, and the JavaScriptServlet servlet/mapping declarations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop, hop, away goes guard so strict,
CSRF chains now lift,
Config cleaned, configuration light,
Security flows take flight! 🌟

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change in the pull request: removing CSRFGuard components from webapp configuration files (jaggery.conf and pom.xml).
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@modules/distribution/pom.xml`:
- Line 218: The PR removed the CSRFGuard filter-mapping (the web.xml
filter-mapping change reflected by the removed
security-header-filter-mapping-is-token property), but left CSRFGuard artifacts
in the build and app configs; either fully remove the remaining CSRFGuard pieces
(delete the pom.xml replace operations that touch
Owasp.CsrfGuard.Carbon.properties and remove the CsrfGuardServletContextListener
registration and Owasp.CsrfGuard.Config entries in
modules/features/org.wso2.identity.jaggery.apps.feature/src/main/resources/portal/jaggery.conf)
or add a concise code comment/PR note explaining why CSRFGuard filter-mapping is
removed but those pom.xml replace rules and jaggery.conf listener registrations
must remain, so reviewers can understand the intentional scope.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0ee62eff-b0c7-4c56-b77b-b4738f8bdcd6

📥 Commits

Reviewing files that changed from the base of the PR and between 25533d5 and 5a38d04.

📒 Files selected for processing (2)
  • modules/distribution/pom.xml
  • modules/features/org.wso2.identity.jaggery.apps.feature/src/main/resources/portal/jaggery.conf
💤 Files with no reviewable changes (1)
  • modules/features/org.wso2.identity.jaggery.apps.feature/src/main/resources/portal/jaggery.conf

<property name="security-header-filter-is-token" value="&lt;filter&gt;${line.separator} &lt;filter-name&gt;HttpHeaderSecurityFilter&lt;/filter-name&gt;${line.separator} &lt;filter-class&gt;org.apache.catalina.filters.HttpHeaderSecurityFilter&lt;/filter-class&gt;${line.separator} &lt;init-param&gt;${line.separator} &lt;param-name&gt;hstsEnabled&lt;/param-name&gt;${line.separator} &lt;param-value&gt;false&lt;/param-value&gt;${line.separator} &lt;/init-param&gt;${line.separator} &lt;init-param&gt;${line.separator} &lt;param-name&gt;antiClickJackingEnabled&lt;/param-name&gt;${line.separator} &lt;param-value&gt;false&lt;/param-value&gt;${line.separator} &lt;/init-param&gt;${line.separator} &lt;/filter&gt;${line.separator}${line.separator} &lt;filter&gt;${line.separator} &lt;filter-name&gt;HttpHeaderSecurityFilter_EnableAntiClickJacking&lt;/filter-name&gt;${line.separator} &lt;filter-class&gt;org.apache.catalina.filters.HttpHeaderSecurityFilter&lt;/filter-class&gt;${line.separator} &lt;init-param&gt;${line.separator} &lt;param-name&gt;hstsEnabled&lt;/param-name&gt;${line.separator} &lt;param-value&gt;false&lt;/param-value&gt;${line.separator} &lt;/init-param&gt;${line.separator} &lt;init-param&gt;${line.separator} &lt;param-name&gt;blockContentTypeSniffingEnabled&lt;/param-name&gt;${line.separator} &lt;param-value&gt;false&lt;/param-value&gt;${line.separator}&lt;/init-param&gt;${line.separator}&lt;init-param&gt;${line.separator}&lt;param-name&gt;xssProtectionEnabled&lt;/param-name&gt;${line.separator}&lt;param-value&gt;false&lt;/param-value&gt;${line.separator}&lt;/init-param&gt;${line.separator}&lt;/filter&gt;" />

<property name="security-header-filter-mapping-is-token" value="&lt;filter-mapping&gt;${line.separator} &lt;filter-name&gt;HttpHeaderSecurityFilter&lt;/filter-name&gt;${line.separator} &lt;url-pattern&gt;*&lt;/url-pattern&gt;${line.separator} &lt;/filter-mapping&gt;${line.separator}${line.separator} &lt;filter-mapping&gt;${line.separator} &lt;filter-name&gt;CharsetFilter&lt;/filter-name&gt;${line.separator} &lt;url-pattern&gt;/*&lt;/url-pattern&gt;${line.separator} &lt;/filter-mapping&gt;${line.separator}${line.separator} &lt;filter-mapping&gt;${line.separator} &lt;filter-name&gt;HttpHeaderSecurityFilter_EnableAntiClickJacking&lt;/filter-name&gt;${line.separator} &lt;url-pattern&gt;/carbon/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/services/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/samlsso/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/openid/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/openidserver/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/passivests/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/acs/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/iwa/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/identity/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/thriftAuthenticator/*&lt;/url-pattern&gt;${line.separator} &lt;/filter-mapping&gt;${line.separator}${line.separator} &lt;filter-mapping&gt;${line.separator} &lt;filter-name&gt;CSRFGuard&lt;/filter-name&gt;${line.separator} &lt;url-pattern&gt;/*&lt;/url-pattern&gt;${line.separator} &lt;/filter-mapping&gt;${line.separator}" />
<property name="security-header-filter-mapping-is-token" value="&lt;filter-mapping&gt;${line.separator} &lt;filter-name&gt;HttpHeaderSecurityFilter&lt;/filter-name&gt;${line.separator} &lt;url-pattern&gt;*&lt;/url-pattern&gt;${line.separator} &lt;/filter-mapping&gt;${line.separator}${line.separator} &lt;filter-mapping&gt;${line.separator} &lt;filter-name&gt;CharsetFilter&lt;/filter-name&gt;${line.separator} &lt;url-pattern&gt;/*&lt;/url-pattern&gt;${line.separator} &lt;/filter-mapping&gt;${line.separator}${line.separator} &lt;filter-mapping&gt;${line.separator} &lt;filter-name&gt;HttpHeaderSecurityFilter_EnableAntiClickJacking&lt;/filter-name&gt;${line.separator} &lt;url-pattern&gt;/carbon/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/services/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/samlsso/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/openid/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/openidserver/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/passivests/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/acs/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/iwa/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/identity/*&lt;/url-pattern&gt;${line.separator} &lt;url-pattern&gt;/thriftAuthenticator/*&lt;/url-pattern&gt;${line.separator} &lt;/filter-mapping&gt;${line.separator}" />
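Review bot: the CSRFGuard entry removed from the security-header-filter-mapping-is-token value was the only mapping in this fragment that put CSRFGuard on the /* path, so the web.xml generated from this property now applies no CSRF filter at all. The commit message says the filter is now registered through the OSGi HTTP Whiteboard in carbon.kernel; before this leaves draft, please confirm that the carbon.kernel version this distribution depends on actually carries that registration and that it covers the same /* scope, and reference it in the PR description, otherwise the portal apps lose CSRF protection silently. The Owasp.CsrfGuard.Carbon.properties replace operations in this same pom.xml (lines 323-330, as noted in the review comment) are untouched here; drop them in the same change if the kernel now owns that configuration, or state why they stay.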


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Search for remaining CSRFGuard references in jaggery.conf files and other config files

echo "=== CSRFGuard references in jaggery.conf files ==="
fd -t f 'jaggery.conf' --exec grep -l -i 'csrf' {} \; 2>/dev/null | head -20

echo ""
echo "=== CSRFGuard listener/filter declarations in jaggery.conf files ==="
fd -t f 'jaggery.conf' --exec grep -A2 -B2 -i 'csrfguard' {} \; 2>/dev/null

echo ""
echo "=== CSRFGuard references in pom.xml files ==="
rg -l -i 'csrfguard' --glob '*.xml' --glob '!target/*' | head -20

Repository: wso2/product-is

Length of output: 693


🏁 Script executed:

head -n 350 modules/distribution/pom.xml | tail -n +310

Repository: wso2/product-is

Length of output: 8238


🏁 Script executed:

# Search for CSRFGuard in OSGi/component configurations
# (rg --type-list only prints rg's known file types and ignores the pattern, so the XML search below does the work)
fd -t f -e 'xml' | xargs grep -l 'csrfguard\|CsrfGuard' 2>/dev/null | grep -v target | head -20

Repository: wso2/product-is

Length of output: 494


🏁 Script executed:

# Search for all CSRFGuard references across all file types
# (rg --type-list ignores the search pattern, so only the file listing below is meaningful)
echo "=== All CSRFGuard references in codebase ==="
rg -i 'csrfguard' -l 2>/dev/null | head -30

echo ""
echo "=== Check if CSRFGuard appears in component descriptors or manifests ==="
fd -t f -e 'xml' | xargs grep -l 'CsrfGuard' 2>/dev/null | head -20

echo ""
echo "=== Check OSGi component configs ==="
# fd takes a regex on the file name, not find-style -name tests
fd -t f '^(component\.xml|MANIFEST\.MF)$' | xargs grep -l -i 'csrf' 2>/dev/null | head -10

Repository: wso2/product-is

Length of output: 932


🏁 Script executed:

# Get exact line numbers for CSRFGuard replacements in pom.xml
echo "=== Line numbers with CSRFGuard references in pom.xml ==="
rg -i 'csrfguard' modules/distribution/pom.xml -n

echo ""
echo "=== Exact content around the replace operations ==="
sed -n '328,335p' modules/distribution/pom.xml

Repository: wso2/product-is

Length of output: 4933


Clarify whether CSRFGuard removal is incomplete or intentionally scoped differently.

Line 218 removes the CSRFGuard filter-mapping from web.xml configuration. However, the pom.xml still contains active replace operations (lines 323-330) that modify Owasp.CsrfGuard.Carbon.properties, and modules/features/org.wso2.identity.jaggery.apps.feature/src/main/resources/portal/jaggery.conf still registers CsrfGuardServletContextListener with Owasp.CsrfGuard.Config. If the PR objective is to remove CSRFGuard entirely, these configurations should also be removed or their continued necessity should be explained.

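To see what the security-header-filter-mapping-is-token property actually injects, here is an added example (not code from this PR or from wso2/product-is) that expands the XML-escaped Maven property value into the web.xml fragment, lists which url-patterns each filter is mapped to, and reproduces the edit in the diff above by dropping the CSRFGuard mapping and re-escaping the result. The sample value is a shortened copy of the pre-change value shown in the diff, constructed for this example.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the pre-change
# security-header-filter-mapping-is-token value from this PR's pom.xml diff
# (an XML-escaped web.xml fragment with ${line.separator} line-break tokens).
PROPERTY_VALUE_BEFORE = (
    "&lt;filter-mapping&gt;${line.separator} &lt;filter-name&gt;HttpHeaderSecurityFilter"
    "&lt;/filter-name&gt;${line.separator} &lt;url-pattern&gt;*&lt;/url-pattern&gt;"
    "${line.separator} &lt;/filter-mapping&gt;${line.separator}${line.separator} "
    "&lt;filter-mapping&gt;${line.separator} &lt;filter-name&gt;CSRFGuard&lt;/filter-name&gt;"
    "${line.separator} &lt;url-pattern&gt;/*&lt;/url-pattern&gt;${line.separator} "
    "&lt;/filter-mapping&gt;${line.separator}"
)


def expand_property(value: str) -> str:
    """Turn the Maven property value into the web.xml text it injects."""
    return html.unescape(value.replace("${line.separator}", "\n"))


def filter_mappings(fragment: str) -> dict:
    """Map filter-name -> list of url-patterns for every <filter-mapping> in the fragment."""
    root = ET.fromstring(f"<root>{fragment}</root>")  # wrap: the fragment has no single root
    mappings = {}
    for fm in root.findall("filter-mapping"):
        name = fm.findtext("filter-name")
        mappings.setdefault(name, []).extend(p.text for p in fm.findall("url-pattern"))
    return mappings


def csrfguard_scope(value: str) -> list:
    """URL patterns CSRFGuard is mapped to; an empty list means web.xml applies no CSRF filter."""
    return filter_mappings(expand_property(value)).get("CSRFGuard", [])


def drop_filter_mapping(value: str, filter_name: str) -> str:
    """Return the property value with every <filter-mapping> for filter_name removed,
    re-escaped the way pom.xml stores it (this mirrors the edit made in this PR)."""
    root = ET.fromstring(f"<root>{expand_property(value)}</root>")
    for fm in list(root.findall("filter-mapping")):
        if fm.findtext("filter-name") == filter_name:
            root.remove(fm)
    fragment = "".join(ET.tostring(fm, encoding="unicode") for fm in root)  # tail whitespace kept
    return html.escape(fragment, quote=False).replace("\n", "${line.separator}")


if __name__ == "__main__":
    print("before:", csrfguard_scope(PROPERTY_VALUE_BEFORE))
    after = drop_filter_mapping(PROPERTY_VALUE_BEFORE, "CSRFGuard")
    print("after: ", csrfguard_scope(after))
```

Running csrfguard_scope against the full property value before and after a change like this one is a quick way to confirm whether web.xml still applies CSRFGuard anywhere.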

@Zeta201 Zeta201 marked this pull request as draft March 12, 2026 09:48