Posted to users@tomcat.apache.org by Joe Tseng <jt...@secure-innovations.net> on 2016/08/31 20:08:55 UTC

Trying to use CsrfPreventionFilter

Hello,

I'm trying to use CsrfPreventionFilter with a POST form in a JSP page and
my understanding of its use is I need to use a hidden value field with the
value I've set to ${session['org.apache.catalina.filters.CSRF_NONCE']}.
Right now when I load the page the value is simply blank. As far as I know
the configuration is correct and my app restarts with no obvious issues. My
<appname>/WEB-INF/web.xml is as follows:

<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <param-name>entryPoints</param-name>
    <param-value>/MIST,/MIST/,/MIST/login.jsp</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>MISTmanager</servlet-name>
</filter-mapping>
<servlet>
  <servlet-name>MISTmanager</servlet-name>
  <servlet-class>servlets.MISTmanager</servlet-class>
</servlet>

And my field is as follows:

<input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE"
value="${session['org.apache.catalina.filters.CSRF_NONCE']}" />

Is that the right way to get the value for CSRF_NONCE? If not, am I close?
Useful ideas appreciated!

 - Joe
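To make the nonce flow behind this configuration concrete, here is an added model of the filter's check (written for this thread, not Tomcat's own code): entry points are exempt, every other request must submit a nonce that the filter previously issued into the session's LRU cache, and each accepted request issues a fresh nonce for the page it renders. The path /MIST/manager is an assumed servlet URL, the GET-only exemption of entry points and the cache size of 5 are my reading of the filter's behaviour, and the response wrapping that appends the nonce to encoded URLs is left out.

```python
import secrets
from collections import OrderedDict

NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"  # request parameter the filter checks
DEFAULT_CACHE_SIZE = 5                                  # assumed default nonceCacheSize


class CsrfFilterModel:
    """Model of the filter's nonce logic only; the real filter also wraps the
    response so encodeURL() appends the nonce, which is omitted here."""

    def __init__(self, entry_points, cache_size=DEFAULT_CACHE_SIZE):
        self.entry_points = set(entry_points)
        self.cache_size = cache_size

    def do_filter(self, session, method, path, params):
        """Return (status, new_nonce); status 403 means the request was rejected."""
        cache = session.get("nonces")  # per-session LRU cache of issued nonces
        skip_check = method == "GET" and path in self.entry_points
        if not skip_check:
            submitted = params.get(NONCE_PARAM)
            if cache is None or submitted is None or submitted not in cache:
                return 403, None
        if cache is None:
            cache = session["nonces"] = OrderedDict()
        # Every accepted request gets a fresh nonce for the forms/links it renders.
        new_nonce = secrets.token_hex(16)
        cache[new_nonce] = True
        while len(cache) > self.cache_size:
            cache.popitem(last=False)  # evict the oldest nonce
        return 200, new_nonce


def demo():
    """Walk through the poster's mapping; returns the status of the final request."""
    f = CsrfFilterModel(entry_points={"/MIST", "/MIST/", "/MIST/login.jsp"})
    session = {}  # constructed stand-in for the HttpSession
    # GET on an entry point needs no nonce but issues one for the page to embed.
    status, nonce = f.do_filter(session, "GET", "/MIST/login.jsp", {})
    assert status == 200 and nonce
    # POST to the protected servlet carrying that nonce is accepted.
    status, _ = f.do_filter(session, "POST", "/MIST/manager", {NONCE_PARAM: nonce})
    assert status == 200
    # A form whose hidden field rendered blank submits "" and is rejected.
    status, _ = f.do_filter(session, "POST", "/MIST/manager", {NONCE_PARAM: ""})
    return status


if __name__ == "__main__":
    print("final request status:", demo())
```

The last step is the failure mode a blank hidden field produces: whatever the JSP prints, the filter only accepts a value it issued into that session's cache.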