> But the token URL is publicly available (/libs/granite/csrf/token.json)Yes. This is correct and by design.> and an attacker can get a new token from it and submit forged requests.But, as mentioned above, this token will be bound to the user requesting it and therefore only be valid for requests pe...

Hello kunal23The CSRF token is bound to the user who requested it and will only be valid to perform POSTs for that user. An attacker cannot get a token for another user and therefore cannot make forged requests on that user's behalf. Best greetingsLars

Hello chetanvajre2014Yes, the SAML authentication handler implementation is no longer exported (since 5.6.1 IIRC). As a proprietary implementation it has never been intended to be extended on project level and had only been exported by 'accident'. However, most of the reusable functionality is avail...

Hello Sunjeet Q1) That's simply because the groups in your directory server seem to be stored with this special object class (which enforces further restrictions). Q2) Hmm. The log actually looks quite ok to me - and since the group shows up in the groups tab, it must have been created and the user ...

Hello SunjeetQ1) Yes this should be possible. There might be a problem with the configuration. I suggest you set the log-level of the LDAP module to DEBUG, then you get the complete filter which you could paste into a GUI client and see if you really get the groups you expect out of the LDAP server....