Posted to users@tomcat.apache.org by Mathew Samuel <Ma...@entrust.com> on 2011/04/13 21:21:55 UTC

Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Hi,

There's a JSP example line given, with respect to using CSRF (Cross-site Request Forgery), that showed how one could access the CSRF nonce and include it with a URL:

<c:url var="url" value="/show"><c:param name="id" value="0"/><c:param name="org.apache.catalina.filters.CSRF_NONCE" value="${session.org.apache.catalina.filters.CSRF_NONCE}"/></c:url><a href="${show}">Show</a>

How may I access this session.org.apache.catalina.filters.CSRF_NONCE value from within a pure Java context? Would it be part of some sort of Java Session object from which one of the attributes would be org.apache.catalina.filters.CSRF_NONCE?

Might it depend on the configuration I have set up? In web.xml I do have the org.apache.catalina.filters.CsrfPreventionFilter defined and I have specified a filter-mapping.

I've tried a few things and so far have been unsuccessful at retrieving this value. Any help would be appreciated.

Cheers,
Matt

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Well that's embarrassing. Thanks Chuck!

In my own defense I had read his response and didn't really understand it so it swiftly left my mind. Then suddenly I could access that Attribute and now in hindsight his response makes sense to me.

Feels like half the time I'm defending myself on this forum. But truly if it wasn't for all your contributions I would not have even progressed this far. Thank you.

Cheers,
Matt
 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, April 15, 2011 3:47 PM
To: Tomcat Users List
Subject: RE: Found org.apache.catalina.filters.CSRF_NONCE

> From: Mathew Samuel [mailto:Mathew.Samuel@entrust.com]
> Subject: Found org.apache.catalina.filters.CSRF_NONCE

> now I know that the org.apache.catalina.filters.CSRF_NONCE is not a String but something else.

Actually, Konstantin told you that several hours ago:

> > 1) ${session['org.apache.catalina.filters.CSRF_NONCE']}
> > 2) The value of the above is some object (a cache) not a String.
> > It cannot be used as a <c:param> value.
> > 3) c:url already takes care of the nonce, because it calls 
> > HttpServletResponse.encodeURL(..)

Perhaps you should go back and read his complete response:
http://marc.info/?l=tomcat-user&m=130287556712594&w=2

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.




RE: Found org.apache.catalina.filters.CSRF_NONCE

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mathew Samuel [mailto:Mathew.Samuel@entrust.com] 
> Subject: Found org.apache.catalina.filters.CSRF_NONCE

> now I know that the org.apache.catalina.filters.CSRF_NONCE is not a String but something else.

Actually, Konstantin told you that several hours ago:

> > 1) ${session['org.apache.catalina.filters.CSRF_NONCE']}
> > 2) The value of the above is some object (a cache) not a String.
> > It cannot be used as a <c:param> value.
> > 3) c:url already takes care of the nonce,
> > because it calls HttpServletResponse.encodeURL(..)

Perhaps you should go back and read his complete response:
http://marc.info/?l=tomcat-user&m=130287556712594&w=2

 - Chuck




Re: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mathew,

On 4/15/2011 4:11 PM, Mathew Samuel wrote:
> It does not appear like I have access to HttpServletResponse. Damn.
> So if I did have access to that then I could just call
> response.encodeURL and everything would seriously just auto-magically
> work?

Yes.

> Any other way, or Object, I can use in its place?
>
> I like your idea Chris of generating a new nonce and adding it to the
> cache. Trouble is that generateNonce() procedure from
> org.apache.catalina.filters.CsrfPreventionFilter is protected so I
> can't use that. Well, unless I subclass it of course. Is that what
> you were thinking?

Make up your own. The generateNonce method just generates a random
string... you ought to be able to do that in your code, somehow.

-chris


RE: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Chris,

It does not appear like I have access to HttpServletResponse. Damn. So if I did have access to that then I could just call response.encodeURL and everything would seriously just auto-magically work?

Any other way, or Object, I can use in its place?

I like your idea Chris of generating a new nonce and adding it to the cache. Trouble is that generateNonce() procedure from org.apache.catalina.filters.CsrfPreventionFilter is protected so I can't use that. Well, unless I subclass it of course. Is that what you were thinking?

Cheers,
Matt

 

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Friday, April 15, 2011 3:49 PM
To: Tomcat Users List
Subject: Re: Found org.apache.catalina.filters.CSRF_NONCE


Mathew,

On 4/15/2011 3:42 PM, Mathew Samuel wrote:
>  However the exception I received back was the following: 
> java.lang.ClassCastException:
> org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be 
> cast to java.lang.String
> 
> Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not 
> a String but something else. In the API description for 
> org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there are 
> only two methods: add and contains. Neither of which would help me 
> access the value of this CSRF_NONCE.

Right: it's supposed to store nonces and let you look them up. There is a pseudo-current nonce for the request -- the one stored in the response wrapper object created by the CsrfPreventionFilter.

> And maybe I'm going about this all wrong, and how this works, but what 
> I was thinking about doing was to grab what I had presumed to be a 
> value from the Attribute org.apache.catalina.filters.CSRF_NONCE and 
> ensure that value gets propagated so that when the XSLT does its 
> transformation it will be there included with the link (we don't use 
> JSP).

Do you have access to the response object (HttpServletResponse) itself?
It would be far easier to call response.encodeURL and everything will work.

> I am going about this correctly right? If so is there a value from 
> org.apache.catalina.filters.CSRF_NONCE that I should be able to 
> extract? Like the actual nonce value?

Nope: it looks like it's an opaque store where the caller needs to know a priori what nonce will be used.

If you are really desperate, you could just generate a new nonce and add it to the cache ;)

-chris


Re: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mathew,

On 4/15/2011 3:42 PM, Mathew Samuel wrote:
>  However the exception I received back was the following: 
> java.lang.ClassCastException:
> org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be
> cast to java.lang.String
> 
> Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not
> a String but something else. In the API description for
> org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there are
> only two methods: add and contains. Neither of which would help me
> access the value of this CSRF_NONCE.

Right: it's supposed to store nonces and let you look them up. There is
a pseudo-current nonce for the request -- the one stored in the response
wrapper object created by the CsrfPreventionFilter.

> And maybe I'm going about this all wrong, and how this works, but
> what I was thinking about doing was to grab what I had presumed to be
> a value from the Attribute org.apache.catalina.filters.CSRF_NONCE and
> ensure that value gets propagated so that when the XSLT does its
> transformation it will be there included with the link (we don't use
> JSP).

Do you have access to the response object (HttpServletResponse) itself?
It would be far easier to call response.encodeURL and everything will work.

> I am going about this correctly right? If so is there a value from
> org.apache.catalina.filters.CSRF_NONCE that I should be able to
> extract? Like the actual nonce value?

Nope: it looks like it's an opaque store where the caller needs to know
a priori what nonce will be used.

If you are really desperate, you could just generate a new nonce and add
it to the cache ;)

-chris


Found org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi,

Thanks for all the help. Looks like I was able to find org.apache.catalina.filters.CSRF_NONCE. I was so happy I could have cried.

It was part of an HttpSession object that had an attribute of org.apache.catalina.filters.CSRF_NONCE. Not sure why I couldn't find it before but perhaps I was either checking the wrong HttpSession Object before or checking it at the wrong time or something.

So now onto my next issue, I tried to do the following:
String nonce = (String)session.getAttribute("org.apache.catalina.filters.CSRF_NONCE");

However the exception I received back was the following:
java.lang.ClassCastException: org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be cast to java.lang.String

Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not a String but something else. In the API description for org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there are only two methods: add and contains. Neither of which would help me access the value of this CSRF_NONCE.

And maybe I'm going about this all wrong, and how this works, but what I was thinking about doing was to grab what I had presumed to be a value from the Attribute org.apache.catalina.filters.CSRF_NONCE and ensure that value gets propagated so that when the XSLT does its transformation it will be there included with the link (we don't use JSP).

I am going about this correctly right? If so is there a value from org.apache.catalina.filters.CSRF_NONCE that I should be able to extract? Like the actual nonce value?

Cheers,
Matt





Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/4/13 Mathew Samuel <Ma...@entrust.com>:
> Hi,
>
> There's a JSP example line given, with respect to using CSRF (Cross-site Request Forgery), that showed how one could access the CSRF nonce and include it with a URL:
>
> <c:url var="url" value="/show"><c:param name="id" value="0"/><c:param name="org.apache.catalina.filters.CSRF_NONCE" value="${session.org.apache.catalina.filters.CSRF_NONCE}"/></c:url><a href="${show}">Show</a>

1) ${session['org.apache.catalina.filters.CSRF_NONCE']}
2) The value of the above is some object (a cache) not a String.
It cannot be used as a <c:param> value.
3) c:url already takes care of the nonce,
because it calls HttpServletResponse.encodeURL(..)


(...)
>
> I've tried a few things and so far have been unsuccessful at retrieving this value. Any help would be appreciated.

If I login to the Tomcat Manager web application, a list of web
applications is displayed.
There click on the number in the "Sessions" column (for the manager
webapp). There will be a list of sessions.

Then click on the session id. There will be the "Session detail" page
for a session.

The "org.apache.catalina.filters.CSRF_NONCE" attribute does exist and
is shown on that page.

Best regards,
Konstantin Kolinko
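
Added example (not part of any poster's message, and not Tomcat's own code): the approach from Konstantin's point 3 and Chris's reply, applied to the XSLT case Mathew describes. The servlet name, the showUrl stylesheet parameter and the inline stylesheet are assumptions; the servlet is assumed to be reached through the CsrfPreventionFilter's filter-mapping.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Hypothetical servlet (name and mapping are assumptions). It must sit behind
// the CsrfPreventionFilter mapping so that "resp" is the wrapper the filter
// creates; only that wrapper's encodeURL() appends the nonce.
public class ShowLinkServlet extends HttpServlet {

    // Request parameter name used for the nonce, as quoted in the thread.
    private static final String NONCE_PARAM =
            "org.apache.catalina.filters.CSRF_NONCE";

    // Constructed stylesheet: the link target arrives as a parameter, so the
    // XSLT never has to read the LruCache object stored in the session.
    private static final String XSLT =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
      + "<xsl:output method='html'/>"
      + "<xsl:param name='showUrl'/>"
      + "<xsl:template match='/'>"
      + "<a href='{$showUrl}'>Show</a>"
      + "</xsl:template>"
      + "</xsl:stylesheet>";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Build the plain URL, then let the (wrapped) response encode it.
        String plain = req.getContextPath() + "/show?id=0";
        String protectedUrl = resp.encodeURL(plain);

        // Fail closed: if the filter is not mapped to this request, the URL
        // comes back without a nonce and the link would be rejected later.
        if (!protectedUrl.contains(NONCE_PARAM + "=")) {
            throw new ServletException(
                "No CSRF nonce in encoded URL; check the filter-mapping");
        }

        resp.setContentType("text/html;charset=UTF-8");
        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            Transformer t =
                tf.newTransformer(new StreamSource(new StringReader(XSLT)));
            // Hand the already-encoded URL to the stylesheet.
            t.setParameter("showUrl", protectedUrl);
            t.transform(new StreamSource(new StringReader("<page/>")),
                        new StreamResult(resp.getWriter()));
        } catch (TransformerException e) {
            throw new ServletException("XSLT transformation failed", e);
        }
    }
}
```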



RE: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi,

I can see stuff such as:
ServletContext ->  org.apache.catalina.jsp_classpath
HttpServletRequest -> org.apache.catalina.ASYNC_SUPPORTED

But still no org.apache.catalina.filters.CSRF_NONCE.

The HttpSession object did not have it, actually it did not seem to have any attributes.

Is there Tomcat logging I can set to see if this org.apache.catalina.filters.CSRF_NONCE is even being set? I set everything I could in tomcat/conf/logging.properties to log ALL but I still see no evidence that this org.apache.catalina.filters.CSRF_NONCE is being set.

Or is there a specific Facility I should be logging for to see that being set? Also I assume the CSRF filter must be on in web.xml which I have done (hopefully correctly).

I would just like to see this org.apache.catalina.filters.CSRF_NONCE being set somewhere in a log file or anywhere to give me a bit of optimism.

Cheers,
Matt
 

-----Original Message-----
From: Mathew Samuel [mailto:Mathew.Samuel@entrust.com] 
Sent: Thursday, April 14, 2011 9:58 AM
To: 'Tomcat Users List'
Subject: RE: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Hi Chris,

So I do in fact have a reference to the HttpSession related to the currently-running request. However I do a "getAttributeNames()" to it but the Enumeration I get back is empty (i.e. non-null but empty so that a "hasMoreElements()" call to the HttpSession object says "false").

The "org.apache.catalina.filters.CSRF_NONCE" key should be an attribute correct?

Although it is quite likely that I'm doing something wrong as I wouldn't figure that the Enumeration returned by "getAttributeNames()" would be empty although a "getId()" call to the HttpSession object is at least returning something so I know there is an actual HttpSession object present anyways.

So yeah should "org.apache.catalina.filters.CSRF_NONCE" be listed as one of the attributes I would get back if a "getAttributeNames()" call had been made to the HttpSession object?

Cheers,
Matt



-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Wednesday, April 13, 2011 4:24 PM
To: Tomcat Users List
Subject: Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE


Mathew,

On 4/13/2011 3:21 PM, Mathew Samuel wrote:
> There's a JSP example line given, with respect to using CSRF 
> (Cross-site Request Forgery), that showed how one could access the 
> CSRF nonce and include it with a URL:
> 
> < c:url var="url" value="/show" > < c:param name="id" value="0" / > < 
> c:param name="org.apache.catalina.filters.CSRF_NONCE"
> value="${session.org.apache.catalina.filters.CSRF_NONCE}" / >< /c:url
> >< a href="${show}">Show< /a >
> 
> How may I access this session.org.apache.catalina.filters.CSRF_NONCE
> value from within a pure Java context? Would it be part of some sort 
> of Java Session object from which one of the attributes would be 
> org.apache.catalina.filters.CSRF_NONCE?

The session here is the HttpSession related to the currently-running request. So, if you don't have a reference to the HttpSession object, you are probably out of luck.

Once you have the session, the value bound to the key "org.apache.catalina.filters.CSRF_NONCE" will be ... whatever that is supposed to be :)

-chris


Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mathew,

On 4/14/2011 9:58 AM, Mathew Samuel wrote:
> So I do in fact have a reference to the HttpSession related to the
> currently-running request. However I do a "getAttributeNames()" to it
> but the Enumeration I get back is empty (i.e. non-null but empty so
> that a "hasMoreElements()" call to the HttpSession object says
> "false").
> 
> The "org.apache.catalina.filters.CSRF_NONCE" key should be an
> attribute correct?

Tomcat "hides" certain session attributes from the enumeration returned
by getAttributeNames. It's possible that this is one of them. Can you
try to query it directly?

Check out the code for the filter to see how it's used:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_12/java/org/apache/catalina/filters/CsrfPreventionFilter.java

> Although it is quite likely that I'm doing something wrong as I
> wouldn't figure that the Enumeration returned by
> "getAttributeNames()" would be empty although a "getId()" call to the
> HttpSession object is at least returning something so I know there is
> an actual HttpSession object present anyways.

That is definitely good.

> So yeah should "org.apache.catalina.filters.CSRF_NONCE" be listed as
> one of the attributes I would get back if a "getAttributeNames()" call
> had been made to the HttpSession object?

Maybe :)

-chris


RE: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Chris,

So I do in fact have a reference to the HttpSession related to the currently-running request. However I do a "getAttributeNames()" to it but the Enumeration I get back is empty (i.e. non-null but empty so that a "hasMoreElements()" call to the HttpSession object says "false").

The "org.apache.catalina.filters.CSRF_NONCE" key should be an attribute correct?

Although it is quite likely that I'm doing something wrong as I wouldn't figure that the Enumeration returned by "getAttributeNames()" would be empty although a "getId()" call to the HttpSession object is at least returning something so I know there is an actual HttpSession object present anyways.

So yeah should "org.apache.catalina.filters.CSRF_NONCE" be listed as one of the attributes I would get back if a "getAttributeNames()" call had been made to the HttpSession object?

Cheers,
Matt



-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, April 13, 2011 4:24 PM
To: Tomcat Users List
Subject: Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE


Mathew,

On 4/13/2011 3:21 PM, Mathew Samuel wrote:
> There's a JSP example line given, with respect to using CSRF 
> (Cross-site Request Forgery), that showed how one could access the 
> CSRF nonce and include it with a URL:
> 
> < c:url var="url" value="/show" > < c:param name="id" value="0" / > < 
> c:param name="org.apache.catalina.filters.CSRF_NONCE"
> value="${session.org.apache.catalina.filters.CSRF_NONCE}" / >< /c:url
> >< a href="${show}">Show< /a >
> 
> How may I access this session.org.apache.catalina.filters.CSRF_NONCE
> value from within a pure Java context? Would it be part of some sort 
> of Java Session object from which one of the attributes would be 
> org.apache.catalina.filters.CSRF_NONCE?

The session here is the HttpSession related to the currently-running request. So, if you don't have a reference to the HttpSession object, you are probably out of luck.

Once you have the session, the value bound to the key "org.apache.catalina.filters.CSRF_NONCE" will be ... whatever that is supposed to be :)

-chris


Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mathew,

On 4/13/2011 3:21 PM, Mathew Samuel wrote:
> There's a JSP example line given, with respect to using CSRF
> (Cross-site Request Forgery), that showed how one could access the
> CSRF nonce and include it with a URL:
> 
> < c:url var="url" value="/show" > < c:param name="id" value="0" / > <
> c:param name="org.apache.catalina.filters.CSRF_NONCE"
> value="${session.org.apache.catalina.filters.CSRF_NONCE}" / >< /c:url
> >< a href="${show}">Show< /a >
> 
> How may I access this session.org.apache.catalina.filters.CSRF_NONCE
> value from within a pure Java context? Would it be part of some sort
> of Java Session object from which one of the attributes would be
> org.apache.catalina.filters.CSRF_NONCE?

The session here is the HttpSession related to the currently-running
request. So, if you don't have a reference to the HttpSession object,
you are probably out of luck.

Once you have the session, the value bound to the key
"org.apache.catalina.filters.CSRF_NONCE" will be ... whatever that is
supposed to be :)

-chris