Posted to users@tomcat.apache.org by Mathew Samuel <Ma...@entrust.com> on 2011/04/07 18:08:17 UTC

Help with CsrfPreventionFilter

Hi,

I'm trying to make use of the CsrfPreventionFilter with Tomcat 7.0.12, so this is what I have added to the relevant web.xml:

    <!-- Csrf prevention filter -->
    <filter>
        <filter-name>CSRFPreventionFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
        <init-param>
          <param-name>entryPoints</param-name>
          <param-value>/do/Start</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>
Notice that as an entry point I have specified '/do/Start', which is fine up to a point, meaning that the Start page does load. Trouble is that what loads is basically what looks like a text-based page: no images, no functionality behind buttons. Just wondering if someone has had success using this particular filter and could give me pointers or perhaps an example of how I can properly use it.

Cheers,
Matt
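As an added configuration example (not from this thread, the poster's application, or Tomcat's own documentation), here is the mapping above beside a narrower one. With `<url-pattern>*</url-pattern>` (or `/*`), requests for images, stylesheets and scripts pass through the filter as well, and CsrfPreventionFilter answers any request that is neither an entry point nor carrying a nonce it recognises with HTTP 403, so resources referenced by plain URLs in the HTML fail to load even though the page source itself is unchanged. The `/do/*` servlet path, the second entry point `/do/Login` and the `/static/` location for assets are assumptions about the application's layout.

```xml
<!-- Before: every request, static assets included, must carry a valid nonce
     or be an entry point; otherwise the filter replies 403. -->
<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>*</url-pattern>
</filter-mapping>

<!-- After (assumed layout): only the dynamic pages under /do/ are mapped to
     the filter. Images, CSS and JS served from /static/ never reach it, so
     they load without a nonce. entryPoints is a comma-separated list of
     context-relative URLs reachable without a nonce; they are GET-only and
     should not perform any state-changing action. -->
<filter>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/do/Start,/do/Login</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/do/*</url-pattern>
</filter-mapping>
```

Links between the pages that remain under the filter still have to be produced through HttpServletResponse.encodeURL so that the nonce parameter is appended; narrowing the mapping only takes the static content out of the filter's scope.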


Re: Help with CsrfPreventionFilter

Posted by André Warnier <aw...@ice-sa.com>.
Mathew Samuel wrote:
> Well so much for my last post with images. Essentially it was showing a screenshot when the filter was on and there were no images, no theme, nothing. And then the following one with it off which had everything in place. But HTML source is identical.
> 
Thanks for posting the rectification. I had already reached for my reading glasses..

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Help with CsrfPreventionFilter

Posted by Mathew Samuel <Ma...@entrust.com>.
Well so much for my last post with images. Essentially it was showing a screenshot when the filter was on and there were no images, no theme, nothing. And then the following one with it off which had everything in place. But HTML source is identical.

________________________________
From: Mathew Samuel [mailto:Mathew.Samuel@entrust.com]
Sent: Friday, April 08, 2011 12:20 PM
To: 'Tomcat Users List'
Subject: RE: Help with CsrfPreventionFilter

Hi Chris,

That was a good test suggestion, to compare the page source between when CSRF is on and off. What surprised me is that the page source between the two is identical.

But still with the CSRF filter on I see this:
[cid:44f93360-b5c4-477a-b537-58c47feec8a4]

And with that filter off I see this:
[cid:057f2ba0-70a3-4195-a09d-fa079fa37436]

If I was fronting with Apache httpd would there be something specifically that I would have to do? I believe there might be some setups where this may be the case. Although my current setup doesn't have it.

Cheers,
Matt



-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Friday, April 08, 2011 10:42 AM
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/8/2011 9:26 AM, Mathew Samuel wrote:
> Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter.

Good.

> Also tried with "<url-pattern>/*</url-pattern>" but it produced the
> same result in that what loads is basically a text-based page with no
> images, no functionality behind buttons.

:(

Can you post a snippet of page source where everything is broken? Also post the same snippet where the CsrfPreventionFilter is disabled.

Are you fronting Tomcat with Apache httpd or some other web server?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2fHtAACgkQ9CaO5/Lv0PBISQCgj2vuYdDk5mGjcd2H6UP7Noxl
j/kAn1m+9vWwNTosyjug2k+UnRu1o6kh
=YYZH
-----END PGP SIGNATURE-----




RE: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Well that's embarrassing. Thanks Chuck!

In my own defense I had read his response and didn't really understand it so it swiftly left my mind. Then suddenly I could access that Attribute and now in hindsight his response makes sense to me.

Feels like half the time I'm defending myself on this forum. But truly if it wasn't for all your contributions I would not have even progressed this far. Thank you.

Cheers,
Matt
 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, April 15, 2011 3:47 PM
To: Tomcat Users List
Subject: RE: Found org.apache.catalina.filters.CSRF_NONCE

> From: Mathew Samuel [mailto:Mathew.Samuel@entrust.com]
> Subject: Found org.apache.catalina.filters.CSRF_NONCE

> now I know that the org.apache.catalina.filters.CSRF_NONCE is not a String but something else.

Actually, Konstantin told you that several hours ago:

> > 1) ${session['org.apache.catalina.filters.CSRF_NONCE']}
> > 2) The value of the above is some object (a cache) not a String.
> > It cannot be used as a <c:param> value.
> > 3) c:url already takes care of the nonce, because it calls 
> > HttpServletResponse.encodeURL(..)

Perhaps you should go back and read his complete response:
http://marc.info/?l=tomcat-user&m=130287556712594&w=2

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.






RE: Found org.apache.catalina.filters.CSRF_NONCE

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mathew Samuel [mailto:Mathew.Samuel@entrust.com] 
> Subject: Found org.apache.catalina.filters.CSRF_NONCE

> now I know that the org.apache.catalina.filters.CSRF_NONCE is not a String but something else.

Actually, Konstantin told you that several hours ago:

> > 1) ${session['org.apache.catalina.filters.CSRF_NONCE']}
> > 2) The value of the above is some object (a cache) not a String.
> > It cannot be used as a <c:param> value.
> > 3) c:url already takes care of the nonce,
> > because it calls HttpServletResponse.encodeURL(..)

Perhaps you should go back and read his complete response:
http://marc.info/?l=tomcat-user&m=130287556712594&w=2

 - Chuck






Re: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/15/2011 4:11 PM, Mathew Samuel wrote:
> It does not appear like I have access to HttpServletResponse. Damn.
> So if I did have access to that then I could just call
> response.encodeURL and everything would seriously just auto-magically
> work?

Yes.

> Any other way, or Object, I can use in its place?
>
> I like your idea Chris of generating a new nonce and adding it to the
> cache. Trouble is that generateNonce() procedure from
> org.apache.catalina.filters.CsrfPreventionFilter is protected so I
> can't use that. Well, unless I subclass it of course. Is that what
> you were thinking?

Make up your own. The generateNonce method just generates a random
string... you ought to be able to do that in your code, somehow.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2xhvsACgkQ9CaO5/Lv0PDmDgCgl3/dsVEOKsj9ZZKONgSsG7p6
DF8An2SMEtH/SY4S2BZmOsYJGuGqn72h
=MljX
-----END PGP SIGNATURE-----



RE: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Chris,

It does not appear like I have access to HttpServletResponse. Damn. So if I did have access to that then I could just call response.encodeURL and everything would seriously just auto-magically work?

Any other way, or Object, I can use in its place?

I like your idea Chris of generating a new nonce and adding it to the cache. Trouble is that generateNonce() procedure from org.apache.catalina.filters.CsrfPreventionFilter is protected so I can't use that. Well, unless I subclass it of course. Is that what you were thinking?

Cheers,
Matt

 

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Friday, April 15, 2011 3:49 PM
To: Tomcat Users List
Subject: Re: Found org.apache.catalina.filters.CSRF_NONCE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/15/2011 3:42 PM, Mathew Samuel wrote:
>  However the exception I received back was the following: 
> java.lang.ClassCastException:
> org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be 
> cast to java.lang.String
> 
> Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not 
> a String but something else. In the API description for 
> org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there are 
> only two methods: add and contains. Neither of which would help me 
> access the value of this CSRF_NONCE.

Right: it's supposed to store nonces and let you look them up. There is a pseudo-current nonce for the request -- the one stored in the response wrapper object created by the CsrfPreventionFilter.

> And maybe I'm going about this all wrong, and how this works, but what 
> I was thinking about doing was to grab what I had presumed to be a 
> value from the Attribute org.apache.catalina.filters.CSRF_NONCE and 
> ensure that value gets propagated so that when the XSLT does its 
> transformation it will be there included with the link (we don't use 
> JSP).

Do you have access to the response object (HttpServletResponse) itself?
It would be far easier to call response.encodeURL and everything will work.

> I am going about this correctly right? If so is there a value from 
> org.apache.catalina.filters.CSRF_NONCE that I should be able to 
> extract? Like the actual nonce value?

Nope: it looks like it's an opaque store where the caller needs to know a priori what nonce will be used.

If you are really desperate, you could just generate a new nonce and add it to the cache ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2ooTUACgkQ9CaO5/Lv0PBR+ACgohJQSP3FuIdObaRnVVZGD3kw
8VsAn0QdusmJGkAk6wwkWSU9/EL1eLL5
=JKIa
-----END PGP SIGNATURE-----





Re: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/15/2011 3:42 PM, Mathew Samuel wrote:
>  However the exception I received back was the following: 
> java.lang.ClassCastException:
> org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be
> cast to java.lang.String
> 
> Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not
> a String but something else. In the API description for
> org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there are
> only two methods: add and contains. Neither of which would help me
> access the value of this CSRF_NONCE.

Right: it's supposed to store nonces and let you look them up. There is
a pseudo-current nonce for the request -- the one stored in the response
wrapper object created by the CsrfPreventionFilter.

> And maybe I'm going about this all wrong, and how this works, but
> what I was thinking about doing was to grab what I had presumed to be
> a value from the Attribute org.apache.catalina.filters.CSRF_NONCE and
> ensure that value gets propagated so that when the XSLT does its
> transformation it will be there included with the link (we don't use
> JSP).

Do you have access to the response object (HttpServletResponse) itself?
It would be far easier to call response.encodeURL and everything will work.

> I am going about this correctly right? If so is there a value from
> org.apache.catalina.filters.CSRF_NONCE that I should be able to
> extract? Like the actual nonce value?

Nope: it looks like it's an opaque store where the caller needs to know
a priori what nonce will be used.

If you are really desperate, you could just generate a new nonce and add
it to the cache ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2ooTUACgkQ9CaO5/Lv0PBR+ACgohJQSP3FuIdObaRnVVZGD3kw
8VsAn0QdusmJGkAk6wwkWSU9/EL1eLL5
=JKIa
-----END PGP SIGNATURE-----



Found org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi,

Thanks for all the help. Looks like I was able to find org.apache.catalina.filters.CSRF_NONCE. I was so happy I could have cried.

It was part of an HttpSession object that had an attribute of org.apache.catalina.filters.CSRF_NONCE. Not sure why I couldn't find it before but perhaps I was either checking the wrong HttpSession Object before or checking it at the wrong time or something.

So now onto my next issue. I tried to do the following:
String nonce = (String)session.getAttribute("org.apache.catalina.filters.CSRF_NONCE");

However the exception I received back was the following:
java.lang.ClassCastException: org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be cast to java.lang.String

Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not a String but something else. In the API description for org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there are only two methods: add and contains. Neither of which would help me access the value of this CSRF_NONCE.

And maybe I'm going about this all wrong, and how this works, but what I was thinking about doing was to grab what I had presumed to be a value from the Attribute org.apache.catalina.filters.CSRF_NONCE and ensure that value gets propagated so that when the XSLT does its transformation it will be there included with the link (we don't use JSP).

I am going about this correctly right? If so is there a value from org.apache.catalina.filters.CSRF_NONCE that I should be able to extract? Like the actual nonce value?

Cheers,
Matt





Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/4/13 Mathew Samuel <Ma...@entrust.com>:
> Hi,
>
> There's a JSP example line given, with respect to using CSRF (Cross-site Request Forgery), that showed how one could access the CSRF nonce and include it with a URL:
>
> < c:url var="url" value="/show" > < c:param name="id" value="0" / > < c:param name="org.apache.catalina.filters.CSRF_NONCE" value="${session.org.apache.catalina.filters.CSRF_NONCE}" / >< /c:url >< a href="${show}">Show< /a >

1) ${session['org.apache.catalina.filters.CSRF_NONCE']}
2) The value of the above is some object (a cache) not a String.
It cannot be used as a <c:param> value.
3) c:url already takes care of the nonce,
because it calls HttpServletResponse.encodeURL(..)


(...)
>
> I've tried a few things and so far have been unsuccessful at retrieving this value. Any help would be appreciated.

If I login to the Tomcat Manager web application, a list of web
applications is displayed.
There click on the number in the "Sessions" column (for the manager
webapp). There will be a list of sessions.

Then click on the session id. There will be the "Session detail" page
for a session.

The "org.apache.catalina.filters.CSRF_NONCE" attribute does exist and
is shown on that page.

Best regards,
Konstantin Kolinko



RE: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi,

I can see stuff such as:
ServletContext ->  org.apache.catalina.jsp_classpath
HttpServletRequest -> org.apache.catalina.ASYNC_SUPPORTED

But still no org.apache.catalina.filters.CSRF_NONCE.

The HttpSession object did not have it, actually it did not seem to have any attributes.

Is there Tomcat logging I can set to see if this org.apache.catalina.filters.CSRF_NONCE is even being set? I set everything I could in tomcat/conf/logging.properties to log ALL but I still see no evidence that this org.apache.catalina.filters.CSRF_NONCE is being set.

Or is there a specific Facility I should be logging for to see that being set? Also I assume the CSRF filter must be on in web.xml which I have done (hopefully correctly).

I would just like to see this org.apache.catalina.filters.CSRF_NONCE being set somewhere in a log file, or anywhere, to give me a bit of optimism.

Cheers,
Matt
 

-----Original Message-----
From: Mathew Samuel [mailto:Mathew.Samuel@entrust.com] 
Sent: Thursday, April 14, 2011 9:58 AM
To: 'Tomcat Users List'
Subject: RE: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Hi Chris,

So I do in fact have a reference to the HttpSession related to the currently-running request. However I do a "getAttributeNames()" to it but the Enumeration I get back is empty (i.e. non-null but empty so that a "hasMoreElements()" call to the HttpSession object says "false").

The "org.apache.catalina.filters.CSRF_NONCE" key should be an attribute correct?

Although it is quite likely that I'm doing something wrong as I wouldn't figure that the Enumeration returned by "getAttributeNames()" would be empty although a "getId()" call to the HttpSession object is at least returning something so I know there is an actual HttpSession object present anyways.

So yeah, should "org.apache.catalina.filters.CSRF_NONCE" be listed as one of the attributes I would get back if a "getAttributeNames()" call had been made to the HttpSession object?

Cheers,
Matt



-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Wednesday, April 13, 2011 4:24 PM
To: Tomcat Users List
Subject: Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/13/2011 3:21 PM, Mathew Samuel wrote:
> There's a JSP example line given, with respect to using CSRF 
> (Cross-site Request Forgery), that showed how one could access the 
> CSRF nonce and include it with a URL:
> 
> < c:url var="url" value="/show" > < c:param name="id" value="0" / > < 
> c:param name="org.apache.catalina.filters.CSRF_NONCE"
> value="${session.org.apache.catalina.filters.CSRF_NONCE}" / >< /c:url
> >< a href="${show}">Show< /a >
> 
> How may I access this session.org.apache.catalina.filters.CSRF_NONCE
> value from within a pure Java context? Would it be part of some sort 
> of Java Session object from which one of the attributes would be 
> org.apache.catalina.filters.CSRF_NONCE?

The session here is the HttpSession related to the currently-running request. So, if you don't have a reference to the HttpSession object, you are probably out of luck.

Once you have the session, the value bound to the key "org.apache.catalina.filters.CSRF_NONCE" will be ... whatever that is supposed to be :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2mBlgACgkQ9CaO5/Lv0PC2EACgv/RVMluFGtvkmWeSDBlgrkz8
18IAn1yJ+x8BtFHMJTIc7WIgRO59e1Y7
=U93T
-----END PGP SIGNATURE-----







Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/14/2011 9:58 AM, Mathew Samuel wrote:
> So I do in fact have a reference to the HttpSession related to the
> currently-running request. However I do a "getAttributeNames()" to it
> but the Enumeration I get back is empty (i.e. non-null but empty so
> that a "hasMoreElements()" call to the HttpSession object says
> "false").
> 
> The "org.apache.catalina.filters.CSRF_NONCE" key should be an
> attribute correct?

Tomcat "hides" certain session attributes from the enumeration returned
by getAttributeNames. It's possible that this is one of them. Can you
try to query it directly?

Check out the code for the filter to see how it's used:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_12/java/org/apache/catalina/filters/CsrfPreventionFilter.java

> Although it is quite likely that I'm doing something wrong as I
> wouldn't figure that the Enumeration returned by
> "getAttributeNames()" would be empty although a "getId()" call to the
> HttpSession object is at least returning something so I know there is
> an actual HttpSession object present anyways.

That is definitely good.

> So yeah should "org.apache.catalina.filters.CSRF_NONCE" be listed as
> one of the attributes I would get back if a "getAttributeNames()" call
> had been made to the HttpSession object?

Maybe :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2omVQACgkQ9CaO5/Lv0PBfeACgvIuY+KtmyJoBAwfh6knsmIyM
CZMAn2ZD5OSJp+fWTjEyonAbK3rclxBH
=bf/N
-----END PGP SIGNATURE-----



RE: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Chris,

So I do in fact have a reference to the HttpSession related to the currently-running request. However I do a "getAttributeNames()" to it but the Enumeration I get back is empty (i.e. non-null but empty so that a "hasMoreElements()" call to the HttpSession object says "false").

The "org.apache.catalina.filters.CSRF_NONCE" key should be an attribute correct?

Although it is quite likely that I'm doing something wrong as I wouldn't figure that the Enumeration returned by "getAttributeNames()" would be empty although a "getId()" call to the HttpSession object is at least returning something so I know there is an actual HttpSession object present anyways.

So yeah, should "org.apache.catalina.filters.CSRF_NONCE" be listed as one of the attributes I would get back if a "getAttributeNames()" call had been made to the HttpSession object?

Cheers,
Matt



-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, April 13, 2011 4:24 PM
To: Tomcat Users List
Subject: Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/13/2011 3:21 PM, Mathew Samuel wrote:
> There's a JSP example line given, with respect to using CSRF 
> (Cross-site Request Forgery), that showed how one could access the 
> CSRF nonce and include it with a URL:
> 
> < c:url var="url" value="/show" > < c:param name="id" value="0" / > < 
> c:param name="org.apache.catalina.filters.CSRF_NONCE"
> value="${session.org.apache.catalina.filters.CSRF_NONCE}" / >< /c:url
> >< a href="${show}">Show< /a >
> 
> How may I access this session.org.apache.catalina.filters.CSRF_NONCE
> value from within a pure Java context? Would it be part of some sort 
> of Java Session object from which one of the attributes would be 
> org.apache.catalina.filters.CSRF_NONCE?

The session here is the HttpSession related to the currently-running request. So, if you don't have a reference to the HttpSession object, you are probably out of luck.

Once you have the session, the value bound to the key "org.apache.catalina.filters.CSRF_NONCE" will be ... whatever that is supposed to be :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2mBlgACgkQ9CaO5/Lv0PC2EACgv/RVMluFGtvkmWeSDBlgrkz8
18IAn1yJ+x8BtFHMJTIc7WIgRO59e1Y7
=U93T
-----END PGP SIGNATURE-----





Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/13/2011 3:21 PM, Mathew Samuel wrote:
> There's a JSP example line given, with respect to using CSRF
> (Cross-site Request Forgery), that showed how one could access the
> CSRF nonce and include it with a URL:
> 
> < c:url var="url" value="/show" > < c:param name="id" value="0" / > <
> c:param name="org.apache.catalina.filters.CSRF_NONCE"
> value="${session.org.apache.catalina.filters.CSRF_NONCE}" / >< /c:url
> >< a href="${show}">Show< /a >
> 
> How may I access this session.org.apache.catalina.filters.CSRF_NONCE
> value from within a pure Java context? Would it be part of some sort
> of Java Session object from which one of the attributes would be
> org.apache.catalina.filters.CSRF_NONCE?

The session here is the HttpSession related to the currently-running
request. So, if you don't have a reference to the HttpSession object,
you are probably out of luck.

Once you have the session, the value bound to the key
"org.apache.catalina.filters.CSRF_NONCE" will be ... whatever that is
supposed to be :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2mBlgACgkQ9CaO5/Lv0PC2EACgv/RVMluFGtvkmWeSDBlgrkz8
18IAn1yJ+x8BtFHMJTIc7WIgRO59e1Y7
=U93T
-----END PGP SIGNATURE-----



Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi,

There's a JSP example line given, with respect to using CSRF (Cross-site Request Forgery), that showed how one could access the CSRF nonce and include it with a URL:

< c:url var="url" value="/show" > < c:param name="id" value="0" / > < c:param name="org.apache.catalina.filters.CSRF_NONCE" value="${session.org.apache.catalina.filters.CSRF_NONCE}" / >< /c:url >< a href="${show}">Show< /a >

How may I access this session.org.apache.catalina.filters.CSRF_NONCE value from within a pure Java context? Would it be part of some sort of Java Session object from which one of the attributes would be org.apache.catalina.filters.CSRF_NONCE?

Might it depend on the configuration I have set up? In web.xml I do have the org.apache.catalina.filters.CsrfPreventionFilter defined and I have specified a filter-mapping.

I've tried a few things and so far have been unsuccessful at retrieving this value. Any help would be appreciated.

Cheers,
Matt



RE: Help with CsrfPreventionFilter

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Chris,

You are correct, cookies need to be enabled for the webapp to work.

And yeah the XSLT processor is web-aware so that there is access to the servlet objects. I guess the link that I am missing then, with something that I'm doing or not doing, is that I'm not seeing access to "org.apache.catalina.filters.CSRF_NONCE". I'm guessing that I should see this as an attribute of the session.

Cheers,
Matt


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, April 13, 2011 4:15 PM
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/12/2011 3:51 PM, Mathew Samuel wrote:
> We don't make use of JSTL so I can't access it that way.
> 
> We do use XSL that is run through a transform. And of course relevant 
> values are retrieved from the back end too.

Depending on how you generate your URLs, you might already be using HttpServletResponse.encodeURL without realizing it.

If your clients don't have cookies enabled, does your webapp still work?
If so, you are likely to be using encodeURL in this way.

> So, in the back-end, would I have to essentially subclass 
> org.apache.catalina.filters.CsrfPreventionFilter (since that would be 
> the only way I could invoke the protected method generateNonce) in 
> order to create the nonce?

Or you could just use encodeURL instead of duplicating its code.

> Or am I over-complicating matters as there exists a simpler way 
> keeping in mind we don't use JSTL?

JSTL is a red herring, so put it out of your mind. It's just an example of one technology that uses encodeURL properly -- as should any servlet-related code.

Is your XSLT processor web-aware in any way? For instance, we use Apache Cocoon and have complete access (when necessary) to the servlet objects.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2mBDIACgkQ9CaO5/Lv0PBAnQCfWz/UtDqzldI0/MePJ+QLpEiQ
vq4An1DAG0TcTfqAbPbEs/h9xgGDuA1l
=L1UU
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Help with CsrfPreventionFilter

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/12/2011 3:51 PM, Mathew Samuel wrote:
> We don't make use of JSTL so I can't access it that way.
> 
> We do use XSL that is run through a transform. And of course relevant
> values are retrieved from the back end too.

Depending on how you generate your URLs, you might already be using
HttpServletResponse.encodeURL without realizing it.

If your clients don't have cookies enabled, does your webapp still work?
If so, you are likely to be using encodeURL in this way.

> So, in the back-end, would I have to essentially subclass
> org.apache.catalina.filters.CsrfPreventionFilter (since that would be
> the only way I could invoke the protected method generateNonce) in
> order to create the nonce?

Or you could just use encodeURL instead of duplicating its code.

> Or am I over-complicating matters as there exists a simpler way
> keeping in mind we don't use JSTL?

JSTL is a red herring, so put it out of your mind. It's just an example
of one technology that uses encodeURL properly -- as should any
servlet-related code.

Is your XSLT processor web-aware in any way? For instance, we use Apache
Cocoon and have complete access (when necessary) to the servlet objects.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2mBDIACgkQ9CaO5/Lv0PBAnQCfWz/UtDqzldI0/MePJ+QLpEiQ
vq4An1DAG0TcTfqAbPbEs/h9xgGDuA1l
=L1UU
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
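Konstantin's and Chris's replies above both come down to the same point: the filter wraps the response, and only URLs that the application pushes through HttpServletResponse.encodeURL() get the nonce appended, while static resources should be left alone so they keep one cacheable URL. The servlet below is an added illustration of that rule, not code from the thread or from Tomcat. The class name StartServlet, the action paths /do/ViewMail and /do/SendMail, and the assumption that the filter is mapped so that /do/* is covered and /web/* is not are all invented for the example; the static resource paths are the ones Matt listed.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed setup (not from the thread): this servlet answers /do/Start,
// which is listed as an entryPoint, and CsrfPreventionFilter is mapped
// to /do/*. Every link that leads back into /do/... must therefore carry
// the nonce, which the filter's wrapped response adds in encodeURL().
public class StartServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        String ctx = req.getContextPath();

        // Action URLs that go back through the filter: encodeURL() returns
        // them with the CSRF nonce parameter appended (and, when the client
        // has no session cookie, with ;jsessionid as well, as per the
        // Servlet spec). With the filter disabled the same call degrades
        // to the container's plain encodeURL(), so the page keeps working.
        String viewUrl = resp.encodeURL(ctx + "/do/ViewMail");
        String sendUrl = resp.encodeURL(ctx + "/do/SendMail");

        // Static resources are deliberately NOT passed through encodeURL():
        // they keep one stable URL that browsers and proxies can cache.
        // They must sit outside the filter's url-pattern (or be listed as
        // entryPoints), otherwise the filter rejects them for lacking a nonce.
        String css = ctx + "/web/en_US/css/style.css";
        String logo = ctx + "/web/en_US/images/logo.gif";

        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><head>");
        out.println("<link rel=\"stylesheet\" href=\"" + attr(css) + "\">");
        out.println("</head><body>");
        out.println("<img src=\"" + attr(logo) + "\" alt=\"logo\">");
        out.println("<a href=\"" + attr(viewUrl) + "\">Inbox</a>");
        out.println("<form method=\"post\" action=\"" + attr(sendUrl) + "\">");
        out.println("<input type=\"submit\" value=\"Send\"></form>");
        out.println("</body></html>");
    }

    // Minimal HTML attribute escaping: the nonce is appended as a query
    // parameter, so a URL that already had parameters contains '&', which
    // must be written as &amp; inside href/action attributes.
    private static String attr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }
}
```

The same rule applies when the markup is produced by an XSL transform rather than a servlet: whatever code hands URLs to the stylesheet (or the XSLT extension that builds them) has to call encodeURL() on the wrapped response it receives from the filter chain, and it must not do so for images, CSS and scripts.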


RE: Help with CsrfPreventionFilter

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi,

We don't make use of JSTL so I can't access it that way.

We do use XSL that is run through a transform. And of course relevant values are retrieved from the back end too.

So, in the back-end, would I have to essentially subclass org.apache.catalina.filters.CsrfPreventionFilter (since that would be the only way I could invoke the protected method generateNonce) in order to create the nonce?

Or am I over-complicating matters as there exists a simpler way keeping in mind we don't use JSTL?

I apologize, I am new at this so I am trying to learn this all as I go along.

Cheers,
Matt
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Help with CsrfPreventionFilter

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/4/11 Mathew Samuel <Ma...@entrust.com>:
> Hi Konstantin,
>
> I will try to avoid mapping the filter to those paths as you have suggested as yes that is another approach I can try.
>
> You had mentioned that the filter works by providing its own implementation of encodeURL(). Is this a function I have to explicitly call
> or is it something that is already called as a result of using the CsrfPreventionFilter?

Something that you have to call explicitly. Though there are a number of
other means to call it, e.g. c:url tag of JSTL calls it.

The filter wraps original request/response and provides implementation
for this function.
See the Servlet Spec for what encodeURL() is.

BTW, the source code of the filter is available. You can read or debug
it, if there are more questions.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Help with CsrfPreventionFilter

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Konstantin,

I will try to avoid mapping the filter to those paths as you have suggested as yes that is another approach I can try.

You had mentioned that the filter works by providing its own implementation of encodeURL(). Is this a function I have to explicitly call or is it something that is already called as a result of using the CsrfPreventionFilter?

Cheers,
Matt
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Help with CsrfPreventionFilter

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/4/8 Mathew Samuel <Ma...@entrust.com>:
> Hi Chris,
>
> Thanks for your patience. So I've got CSRF to "work" at least to a certain degree that it actually displays the page in it's entirety. But I literally had to explicitly state each css, js, gif that was going to be referenced as part of that page. So here is what that portion of the web.xml would look like:

The filter works by providing its own implementation of encodeURL()
calls that add nonce to the URL.
You wouldn't want to call encodeURL() for images css etc. because it
will result in them having a lot of different URLs (because of session
ID) and thus unnecessary extra copies of those files in caches.

> Is this really the way it has to be for "entryPoints" points to work? Could there be a way of wildcarding?

I thought it is there, but actually as of now, there is no support for
wildcards. It might be worth as an enhancement.  Some other
filters/valves in TC7 do accept a single regexp and perform matching
against it.

Maybe you can avoid mapping the filter to those paths?

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
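Konstantin's suggestion to avoid mapping the filter to the static paths, shown as a pair of web.xml fragments. This is an added example, not configuration from the thread or from Tomcat's own webapps: the first fragment is the approach Matt posted (shortened to two entry points), the second assumes that all state-changing actions live under /do/ and all static content under /web/, which is an assumption about Matt's layout, not something the thread confirms. Only one of the two fragments belongs in a given web.xml.

```xml
<!-- Before: the filter covers every URL in the webapp, so each css, js and
     gif the browser fetches (with no nonce, because those URLs were never
     passed through encodeURL) is rejected unless it is listed here. -->
<filter>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/,/do/Start,/web/en_US/images/logo.gif,/web/en_US/css/style.css</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- After: the filter only covers the action paths (assumed to be /do/*), so
     requests for /web/... never enter the filter and need neither a nonce
     nor an entryPoints entry, for any language directory. /do/Start stays
     an entry point because a user may open it directly; every other /do/
     URL must be emitted via HttpServletResponse.encodeURL() to carry
     the nonce. -->
<filter>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/do/Start</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/do/*</url-pattern>
</filter-mapping>
```

Two things to check before narrowing the mapping: anything that changes state must actually be reachable only under the filtered pattern, since a request to a path outside it is not protected at all; and an entry point is, by design, reachable without a nonce, so /do/Start should only render the page and never perform an action itself.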


RE: Help with CsrfPreventionFilter

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Chris,

Thanks for your patience. So I've got CSRF to "work" at least to a certain degree that it actually displays the page in its entirety. But I literally had to explicitly state each css, js, gif that was going to be referenced as part of that page. So here is what that portion of the web.xml would look like:

    <!-- Csrf prevention filter -->
    <filter>
        <filter-name>CSRFPreventionFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
        <init-param>
          <param-name>entryPoints</param-name>
          <param-value>/,/do/Start,/web/en_US/images/mail.gif,/web/en_US/images/logo.gif,/web/en_US/css/style.css,/web/en_US/css/general.css,/web/en_US/css/passwordrules.css,/web/en_US/css/commonpage.css,/web/en_US/css/datagrid.css,/web/en_US/css/home.css,/web/en_US/css/wmc.css,/web/en_US/javascript/common.js,/web/en_US/javascript/login.js,/web/en_US/javascript/branding.js,/web/en_US/javascript/wmc-validatormsg.js,/web/en_US/javascript/validatormsg.js,/web/en_US/javascript/webmail.js,/web/en_US/javascript/tw-sack.js,/web/en_US/javascript/folders.js,/web/en_US/javascript/datagrid.js,/web/en_US/javascript/commonpage.js,/web/en_US/javascript/behaviour.js,/web/en_US/javascript/validator.js</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
 

Is this really the way it has to be for "entryPoints" points to work? Could there be a way of wildcarding? I would also have to then do this for every supported language if there is no wildcarding. Worse still we have a mechanism for dynamically importing languages which means we would still have to add more to this dynamically as well.

Or am I doing something really wrong meaning that I'm taking something that is likely simple to use and over-complicating it?

Cheers,
Matt


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Help with CsrfPreventionFilter

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/8/2011 12:19 PM, Mathew Samuel wrote:
> That was a good test suggestion, to compare the page source between when
> CSRF is on and off. What surprised me is that the page source between
> the two is identical.
>  
> But still with the CSRF filter on I see this:
>  
> And with that filter off I see this:

(By now, you've seen that the list strips attachments. Feel free to use
something like pastebin or your own website to host images and just post
links).

> Essentially it was showing a screenshot when the filter was on and
> there were no images, no theme, nothing. And then the following one
> with it off which had everything in place. But HTML source is
> identical.

Why not just copy/paste the actual page source into a message to the
list? That would do just fine. You already said that the page was
broken... there's no need for a screenshot to "show" that.

Are you saying that the CsrfPreventionFilter isn't modifying your static
content URLs /at all/? If that's the case, then you aren't running those
URLs through HttpServletResponse.encodeURL before they go into the page.

I'm very surprised that the HTML source is identical with the filter on
versus off: the purpose of the filter is to /modify the page source/.

> If I was fronting with Apache httpd would there be something
> specifically that I would have to do?

Possibly. I haven't looked at the filter's source code closely enough to
determine this, but I know that ";jsessionid" often trips-up httpd when
loading static data so this could be a similar situation.

> I believe there might be some
> setups where this may be the case. Although my current setup doesn't
> have it.

Well, then that's not the problem, then.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2fYKIACgkQ9CaO5/Lv0PDnKACeOXqDZnukTVyuyjj4JTB5CDXM
L50AoLpvEimIgvFKAnYaXnvivcTNdwIz
=vWHP
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Help with CsrfPreventionFilter

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Chris,

That was a good test suggestion, to compare the page source between when CSRF is on and off. What surprised me is that the page source between the two is identical.

But still with the CSRF filter on I see this:


And with that filter off I see this:


If I was fronting with Apache httpd would there be something specifically that I would have to do? I believe there might be some setups where this may be the case. Although my current setup doesn't have it.

Cheers,
Matt



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



Re: Help with CsrfPreventionFilter

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/8/2011 9:26 AM, Mathew Samuel wrote:
> Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter.

Good.

> Also tried with "<url-pattern>/*</url-pattern>" but it produced the
> same result in that what loads is basically a text-based page with no
> images, no functionality behind buttons.

:(

Can you post a snippet of page source where everything is broken? Also
post the same snippet where the CsrfPreventionFilter is disabled.

Are you fronting Tomcat with Apache httpd or some other web server?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2fHtAACgkQ9CaO5/Lv0PBISQCgj2vuYdDk5mGjcd2H6UP7Noxl
j/kAn1m+9vWwNTosyjug2k+UnRu1o6kh
=YYZH
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Help with CsrfPreventionFilter

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Chris,

Thanks for your suggestion. 

Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter.

Also tried with "<url-pattern>/*</url-pattern>" but it produced the same result in that what loads is basically a text-based page with no images, no functionality behind buttons.

So basically tried with this:

    <!-- Csrf prevention filter -->
    <filter>
        <filter-name>CSRFPreventionFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
        <init-param>
          <param-name>entryPoints</param-name>
          <param-value>/do/Start</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

i.e. used "/*" instead of "*" but still the same resulting webpage without my images etc.

Any other ideas that I can try?

Cheers,
Matt


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Help with CsrfPreventionFilter

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff,

On 4/7/2011 12:08 PM, Mathew Samuel wrote:
>     <filter-mapping>
>         <filter-name>CSRFPreventionFilter</filter-name>
>         <url-pattern>*</url-pattern>
>     </filter-mapping>

The javadoc for that class says that the filter should be mapped to "/*"
not "*".

> Notice that as an entry point I have specified '/do/Start' which is
> fine up to a point. Meaning that the Start page does load. Trouble is
> that what loads is basically what looks like a text-based page. No
> images, no functionality behind buttons. Just wondering if some one
> has had success using this particular filter and could give me
> pointers or perhaps an example on how I can properly use it.

Does the webapp work properly when the CsrfPreventionListener is not
enabled? If so, I'll bet that invalid URL pattern is somehow involved.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2eJlIACgkQ9CaO5/Lv0PCGRgCfTTI5f8lIdMkAlh/Jp9NvNnn6
pfEAn2xMFcXmD9ANtTIGoNm0Kc2YHzsF
=Y2Jb
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Help with CsrfPreventionFilter

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/4/7 Mathew Samuel <Ma...@entrust.com>:
> Just wondering if some one has had success using this particular filter and could give me pointers or perhaps an example on how I can properly use it.

The manager and host-manager webapps bundled with Tomcat are using this filter.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org