Posted to users@tomcat.apache.org by Joe Tseng <jt...@secure-innovations.net> on 2016/08/31 20:08:55 UTC
Trying to use CsrfPreventionFilter
Hello,
I'm trying to use CsrfPreventionFilter with a POST form in a JSP page, and
my understanding is that I need a hidden input field whose value I've set to
${session['org.apache.catalina.filters.CSRF_NONCE']}.
Right now, when I load the page, the value is simply blank. As far as I know
the configuration is correct, and my app restarts with no obvious issues. My
<appname>/WEB-INF/web.xml is as follows:
<filter>
    <filter-name>CSRF</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/MIST,/MIST/,/MIST/login.jsp</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CSRF</filter-name>
    <servlet-name>MISTmanager</servlet-name>
</filter-mapping>
<servlet>
    <servlet-name>MISTmanager</servlet-name>
    <servlet-class>servlets.MISTmanager</servlet-class>
</servlet>
And my field is as follows:
<input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE"
       value="${session['org.apache.catalina.filters.CSRF_NONCE']}" />
Is that the right way to get the value for CSRF_NONCE? If not, am I close?
Useful ideas appreciated!
- Joe
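A worked login page for the pattern Joe describes, added here as an example; it is not code from the thread or from Tomcat itself. It assumes Tomcat 8.x, where CsrfPreventionFilter exposes the nonce it generated for the current response as a request attribute named org.apache.catalina.filters.CSRF_NONCE (the session attribute of that name is the filter's cache of recent nonces, not a single value), and it assumes the filter is mapped by URL pattern so that requests for the JSP itself pass through the filter; with a servlet-name mapping, login.jsp is served by the JSP servlet and the filter never runs for it, so no nonce exists when the page renders. Note also that session is not an EL implicit object (the scoped maps are requestScope and sessionScope), so ${session[...]} evaluates to nothing. The application name MIST, the CSRF filter name, the servlet name MISTmanager and the parameter name come from the post; the form action URL, the entry points written relative to the context, and the field names are assumptions.

```jsp
<%-- login.jsp (assumed example, not the page from the thread).
     It relies on the filter being mapped by URL pattern in WEB-INF/web.xml
     (assumed mapping, replacing the servlet-name mapping from the post):

         <filter>
             <filter-name>CSRF</filter-name>
             <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
             <init-param>
                 <param-name>entryPoints</param-name>
                 <param-value>/,/login.jsp</param-value>
             </init-param>
         </filter>
         <filter-mapping>
             <filter-name>CSRF</filter-name>
             <url-pattern>/*</url-pattern>
         </filter-mapping>

     Entry points are compared with the request path inside the web application
     (servlet path plus path info), so they are written without the context
     name. A GET of an entry point needs no nonce and receives a fresh one; the
     POST below goes to a non-entry-point URL and must carry a nonce the filter
     issued earlier, otherwise the filter answers 403. --%>
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" session="true" %>
<%
    // Tomcat 8.x puts the nonce generated for this response into request scope.
    // If it is absent, the page was served without passing through the filter,
    // which is the symptom described in the thread.
    String nonce = (String) request.getAttribute("org.apache.catalina.filters.CSRF_NONCE");
%>
<!DOCTYPE html>
<html>
<head><title>MIST login</title></head>
<body>
<% if (nonce == null) { %>
    <%-- A visible marker during development makes a mapping mistake obvious. --%>
    <p>CSRF nonce missing: this page is not behind CsrfPreventionFilter.</p>
<% } else { %>
    <%-- The form target is assumed; the post does not show the servlet-mapping
         for MISTmanager. --%>
    <form method="post" action="${pageContext.request.contextPath}/MISTmanager">
        <input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE"
               value="${requestScope['org.apache.catalina.filters.CSRF_NONCE']}" />
        <label>User <input type="text" name="username" /></label>
        <label>Password <input type="password" name="password" /></label>
        <button type="submit">Log in</button>
    </form>
<% } %>
</body>
</html>
```

Links and redirects generated through response.encodeURL or response.encodeRedirectURL get the nonce appended automatically by the filter's response wrapper; the hidden field is only needed for hand-written forms such as this one.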