Posted to users@tomcat.apache.org by Wilfred Duizers <Wi...@indicia.nl> on 2012/11/02 15:22:32 UTC

CSRF on multiple tomcat instances

Hello,

I am running 2 Tomcat instances on 1 server. So far nothing special :-)
Both:
Apache Tomcat/7.0.25
JVM 1.6.0_20-b02

When a user clicks a link in the web application running on Tomcat instance 1 (portal), an application running on Tomcat instance 2 is opened. Is it possible to send the nonce with the link? Because it's running in another instance...

Kind regards,
Wilfred

Re: CSRF on multiple tomcat instances

Posted by Pid <pi...@pidster.com>.
On 06/11/2012 03:59, Christopher Schultz wrote:
> Wilfred,
> 
> On 11/5/12 4:08 AM, Wilfred Duizers wrote:
>> When a user clicks a link in the web application running on Tomcat
>> instance 1 (portal), an application running on Tomcat instance 2 is
>> opened. Is it possible to send the nonce with the link? Because
>> it's running in another instance...
> 
>> Do you see a solution anyway... both Tomcat instances use the same
>> domain https://www.example.com
> 
>> They use ISAPI
> 
> I'm not sure ISAPI is relevant, here, but good to know.
> 
> So, first of all -- have you tried it? The CSRFPreventionFilter stores
> its nonce cache (a Serializable object) in the session. If you are
> using clustered sessions, then it should Just Work.

If they are not the same apps it won't.

The alternative is to write a similar component that works as a Valve,
which has access to the Session (not the same as the HttpSession) and
see if you can use the same mechanism as the SSOValve uses, storing the
nonce in a 'note'.

I *think* that might work, but I'm guessing a bit there...


p

> If you have other (as yet undisclosed) requirements, I'm guessing that
> Tomcat's built-in CSRFPreventionFilter isn't going to meet your needs,
> though it should be trivial to subclass it and customize the parts
> that you need to work differently. If your improvements are decent, I
> would encourage you to contribute back to the community.
> 
> If I had to do this, I would look at modifying the existing
> CSRFPreventionFilter such that its storage mechanism was pluggable, so
> you could specify a class that did something simple like:
> 
>    public LruCache<String> getNonceCache(HttpSession session)
>    public void setNonceCache(HttpSession session, LruCache<String> cache)
> 
> If you wanted to make it a bit more high-throughput, you could make
> the methods more fine-grained so you didn't have to push-and-pull the
> whole cache each time. The code is more complicated, but potentially
> more flexible.
> 
> Once that's done, just implement a global nonce cache using something
> like webcache or your favorite key-value store (where the key is
> something like session id + ".csrfCache"). Just remember to expire the
> nonce caches when the user's session dies or you will end up with a
> big, fat, messy database (and might even exhaust system resources if
> you are using an in-memory solution like webcache).
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 



Re: CSRF on multiple tomcat instances

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Wilfred,

On 11/5/12 4:08 AM, Wilfred Duizers wrote:
> When a user clicks a link in the web application running on Tomcat
> instance 1 (portal), an application running on Tomcat instance 2 is
> opened. Is it possible to send the nonce with the link? Because
> it's running in another instance...
> 
> Do you see a solution anyway... both Tomcat instances use the same
> domain https://www.example.com
> 
> They use ISAPI

I'm not sure ISAPI is relevant, here, but good to know.

So, first of all -- have you tried it? The CSRFPreventionFilter stores
its nonce cache (a Serializable object) in the session. If you are
using clustered sessions, then it should Just Work.

If you have other (as yet undisclosed) requirements, I'm guessing that
Tomcat's built-in CSRFPreventionFilter isn't going to meet your needs,
though it should be trivial to subclass it and customize the parts
that you need to work differently. If your improvements are decent, I
would encourage you to contribute back to the community.

If I had to do this, I would look at modifying the existing
CSRFPreventionFilter such that its storage mechanism was pluggable, so
you could specify a class that did something simple like:

   public LruCache<String> getNonceCache(HttpSession session)
   public void setNonceCache(HttpSession session, LruCache<String> cache)

If you wanted to make it a bit more high-throughput, you could make
the methods more fine-grained so you didn't have to push-and-pull the
whole cache each time. The code is more complicated, but potentially
more flexible.

Once that's done, just implement a global nonce cache using something
like webcache or your favorite key-value store (where the key is
something like session id + ".csrfCache"). Just remember to expire the
nonce caches when the user's session dies or you will end up with a
big, fat, messy database (and might even exhaust system resources if
you are using an in-memory solution like webcache).

-chris

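One way to build the global, session-keyed nonce cache Chris sketches above, as an added example that is not code from this thread or from Tomcat: the class SharedNonceStore, its key(), addNonce() and isValid() methods, the Evictor listener and the in-JVM map standing in for the external key-value store are all assumptions. It also assumes both instances see the same session id for a given user (clustered sessions, as Chris's approach relies on); Pid's point that separate apps will not share a session still applies.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
// Hypothetical class, not part of Tomcat: nonce caches keyed by session id + ".csrfCache".
public final class SharedNonceStore {
    private static final String KEY_SUFFIX = ".csrfCache";
    private static final int MAX_NONCES = 5; // matches the filter's default nonceCacheSize
    // Stand-in for the external key-value store: both Tomcat instances must share one
    // backing store here, since a static map only spans a single JVM.
    private static final ConcurrentMap<String, Set<String>> STORE =
            new ConcurrentHashMap<String, Set<String>>();

    static String key(HttpSession session) { return session.getId() + KEY_SUFFIX; }

    // Insertion-ordered set that drops the oldest nonce once MAX_NONCES is exceeded.
    private static Set<String> newLruSet() {
        Map<String, Boolean> lru = new LinkedHashMap<String, Boolean>() {
            @Override protected boolean removeEldestEntry(Map.Entry<String, Boolean> e) {
                return size() > MAX_NONCES;
            }
        };
        return Collections.newSetFromMap(Collections.synchronizedMap(lru));
    }

    // Records a nonce issued to this session; the filter would call this when rendering.
    public static void addNonce(HttpSession session, String nonce) {
        Set<String> fresh = newLruSet();
        Set<String> nonces = STORE.putIfAbsent(key(session), fresh);
        (nonces == null ? fresh : nonces).add(nonce);
    }

    // True only if the nonce was issued to this session and has not been evicted yet.
    public static boolean isValid(HttpSession session, String nonce) {
        Set<String> nonces = STORE.get(key(session));
        return nonce != null && nonces != null && nonces.contains(nonce);
    }

    // Deployed in every instance so a dead session takes its cache entry with it.
    @WebListener public static final class Evictor implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent event) { }
        public void sessionDestroyed(HttpSessionEvent event) { STORE.remove(key(event.getSession())); }
    }
}
```

The filter subclass would replace its own per-session LruCache lookups with addNonce() and isValid(); the Evictor is what keeps the shared store from filling up with entries for sessions that no longer exist.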


RE: CSRF on multiple tomcat instances

Posted by Wilfred Duizers <Wi...@indicia.nl>.
Yes, it would :P
Do you see a solution anyway... both Tomcat instances use the same domain https://www.example.com
They use ISAPI

________________________________________
From: Pid * [pid@pidster.com]
Sent: Monday, 5 November 2012 9:30
To: Tomcat Users List
Subject: Re: CSRF on multiple tomcat instances

On 2 Nov 2012, at 14:23, Wilfred Duizers <Wi...@indicia.nl> wrote:

> Hello,
>
> I am running 2 Tomcat instances on 1 server. So far nothing special :-)
> Both:
> Apache Tomcat/7.0.25
> JVM 1.6.0_20-b02
>
> When a user clicks a link in the web application running on Tomcat instance 1 (portal), an application running on Tomcat instance 2 is opened. Is it possible to send the nonce with the link? Because it's running in another instance...

Would defeat the point if you sent all of the info in the same request, no?


p


>
> Kind regards,
> Wilfred



Re: CSRF on multiple tomcat instances

Posted by Pid * <pi...@pidster.com>.
On 2 Nov 2012, at 14:23, Wilfred Duizers <Wi...@indicia.nl> wrote:

> Hello,
>
> I am running 2 Tomcat instances on 1 server. So far nothing special :-)
> Both:
> Apache Tomcat/7.0.25
> JVM 1.6.0_20-b02
>
> When a user clicks a link in the web application running on Tomcat instance 1 (portal), an application running on Tomcat instance 2 is opened. Is it possible to send the nonce with the link? Because it's running in another instance...

Would defeat the point if you sent all of the info in the same request, no?


p


>
> Kind regards,
> Wilfred
