Posted to users@tomcat.apache.org by Mathew Samuel <Ma...@entrust.com> on 2011/04/15 21:42:35 UTC

Found org.apache.catalina.filters.CSRF_NONCE

Hi,

Thanks for all the help. Looks like I was able to find org.apache.catalina.filters.CSRF_NONCE. I was so happy I could have cried.

It was part of an HttpSession object that had an attribute of org.apache.catalina.filters.CSRF_NONCE. Not sure why I couldn't find it before but perhaps I was either checking the wrong HttpSession Object before or checking it at the wrong time or something.

So now onto my next issue, I tried to do the following:
String nonce = (String)session.getAttribute("org.apache.catalina.filters.CSRF_NONCE");

However the exception I received back was the following:
java.lang.ClassCastException: org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be cast to java.lang.String

Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not a String but something else. In the API description for org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there are only two methods: add and contains, neither of which would help me access the value of this CSRF_NONCE.

And maybe I'm going about this all wrong, and how this works, but what I was thinking about doing was to grab what I had presumed to be a value from the Attribute org.apache.catalina.filters.CSRF_NONCE and ensure that value gets propagated so that when the XSLT does its transformation it will be there included with the link (we don't use JSP).

I am going about this correctly, right? If so is there a value from org.apache.catalina.filters.CSRF_NONCE that I should be able to extract? Like the actual nonce value?

Cheers,
Matt



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/15/2011 4:11 PM, Mathew Samuel wrote:
> It does not appear like I have access to HttpServletResponse. Damn.
> So if I did have access to that then I could just call
> response.encodeURL and everything would seriously just auto-magically
> work?

Yes.

> Any other way, or Object, I can use in its place?
>
> I like your idea Chris of generating a new nonce and adding it to the
> cache. Trouble is that generateNonce() procedure from
> org.apache.catalina.filters.CsrfPreventionFilter is protected so I
> can't use that. Well, unless I subclass it of course. Is that what
> you were thinking?

Make up your own. The generateNonce method just generates a random
string... you ought to be able to do that in your code, somehow.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2xhvsACgkQ9CaO5/Lv0PDmDgCgl3/dsVEOKsj9ZZKONgSsG7p6
DF8An2SMEtH/SY4S2BZmOsYJGuGqn72h
=MljX
-----END PGP SIGNATURE-----



RE: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Hi Chris,

It does not appear like I have access to HttpServletResponse. Damn. So if I did have access to that then I could just call response.encodeURL and everything would seriously just auto-magically work?

Any other way, or Object, I can use in its place?

I like your idea Chris of generating a new nonce and adding it to the cache. Trouble is that generateNonce() procedure from org.apache.catalina.filters.CsrfPreventionFilter is protected so I can't use that. Well, unless I subclass it of course. Is that what you were thinking?

Cheers,
Matt

 

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Friday, April 15, 2011 3:49 PM
To: Tomcat Users List
Subject: Re: Found org.apache.catalina.filters.CSRF_NONCE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/15/2011 3:42 PM, Mathew Samuel wrote:
>  However the exception I received back was the following: 
> java.lang.ClassCastException:
> org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be 
> cast to java.lang.String
> 
> Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not 
> a String but something else. In the API description for 
> org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there is 
> only two methods: add and contains. Neither of which would help me 
> access the value of this CSRF_NONCE.

Right: it's supposed to store nonces and let you look them up. There is a pseudo-current nonce for the request -- the one stored in the response wrapper object created by the CsrfPreventionFilter.

> And maybe I'm going about this all wrong, and how this works, but what 
> I was thinking about doing was to grab what I had presumed to be a 
> value from the Attribute org.apache.catalina.filters.CSRF_NONCE and 
> ensure that value gets propagated so that when the XSLT does its 
> transformation it will be there included with the link (we don't use 
> JSP).

Do you have access to the response object (HttpServletResponse) itself?
It would be far easier to call response.encodeURL and everything will work.

> I am going about this correctly, right? If so is there a value from 
> org.apache.catalina.filters.CSRF_NONCE that I should be able to 
> extract? Like the actual nonce value?

Nope: it looks like it's an opaque store where the caller needs to know a priori what nonce will be used.

If you are really desperate, you could just generate a new nonce and add it to the cache ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2ooTUACgkQ9CaO5/Lv0PBR+ACgohJQSP3FuIdObaRnVVZGD3kw
8VsAn0QdusmJGkAk6wwkWSU9/EL1eLL5
=JKIa
-----END PGP SIGNATURE-----



Re: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/15/2011 3:42 PM, Mathew Samuel wrote:
>  However the exception I received back was the following: 
> java.lang.ClassCastException:
> org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be
> cast to java.lang.String
> 
> Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not
> a String but something else. In the API description for
> org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there is
> only two methods: add and contains. Neither of which would help me
> access the value of this CSRF_NONCE.

Right: it's supposed to store nonces and let you look them up. There is
a pseudo-current nonce for the request -- the one stored in the response
wrapper object created by the CsrfPreventionFilter.

> And maybe I'm going about this all wrong, and how this works, but
> what I was thinking about doing was to grab what I had presumed to be
> a value from the Attribute org.apache.catalina.filters.CSRF_NONCE and
> ensure that value gets propagated so that when the XSLT does its
> transformation it will be there included with the link (we don't use
> JSP).

Do you have access to the response object (HttpServletResponse) itself?
It would be far easier to call response.encodeURL and everything will work.

> I am going about this correctly, right? If so is there a value from
> org.apache.catalina.filters.CSRF_NONCE that I should be able to
> extract? Like the actual nonce value?

Nope: it looks like it's an opaque store where the caller needs to know
a priori what nonce will be used.

If you are really desperate, you could just generate a new nonce and add
it to the cache ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2ooTUACgkQ9CaO5/Lv0PBR+ACgohJQSP3FuIdObaRnVVZGD3kw
8VsAn0QdusmJGkAk6wwkWSU9/EL1eLL5
=JKIa
-----END PGP SIGNATURE-----
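The two routes Chris describes in this thread (let the filter-wrapped HttpServletResponse.encodeURL supply the nonce, or, failing that, mint a random nonce yourself), shown as an added example. This is not code from the thread and not Tomcat's own code: a hypothetical XsltPageServlet that sits behind CsrfPreventionFilter, feeds the encoded URLs to an XSLT transform as stylesheet parameters (so the XSLT link carries the nonce without the servlet ever touching the session's LruCache), plus a stand-alone generateNonce() helper. The filter mapping, the "/WEB-INF/pages.xsl" and "/WEB-INF/page.xml" resources, the "nextUrl"/"saveUrl" parameter names and the path "/next" and "/save" are all assumptions.

```java
// Added example, not from the thread or from Tomcat. Assumes CsrfPreventionFilter
// is mapped in web.xml in front of this servlet; resource paths and parameter
// names below are hypothetical.
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64; // Java 8+
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltPageServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Route 1 (preferred): the response object handed to a servlet behind
        // CsrfPreventionFilter is the filter's wrapper, so encodeURL appends the
        // current nonce as a query parameter and the filter will accept that link
        // on the next request. Without the filter, encodeURL only does session-id
        // rewriting, so the call is harmless either way.
        String nextUrl = resp.encodeURL(req.getContextPath() + "/next");
        String saveUrl = resp.encodeURL(req.getContextPath() + "/save");

        resp.setContentType("text/html;charset=UTF-8");
        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            Transformer t = tf.newTransformer(new StreamSource(
                    getServletContext().getResourceAsStream("/WEB-INF/pages.xsl")));
            // The stylesheet declares <xsl:param name="nextUrl"/> and emits
            // <a href="{$nextUrl}">: the nonce travels inside the already-encoded
            // URL, so the XSLT never needs the raw nonce value.
            t.setParameter("nextUrl", nextUrl);
            t.setParameter("saveUrl", saveUrl);
            t.transform(new StreamSource(
                            getServletContext().getResourceAsStream("/WEB-INF/page.xml")),
                        new StreamResult(resp.getWriter()));
        } catch (TransformerException e) {
            throw new ServletException("XSLT transform failed", e);
        }
    }

    // Route 2 (Chris's fallback when no HttpServletResponse is reachable): make
    // up your own random nonce. 128 bits from SecureRandom, URL-safe encoded so it
    // can sit in a query string. Note that a self-made nonce is only useful if it
    // is also registered in the filter's per-session cache, which is not public
    // API (LruCache is a protected nested class), so this is a last resort.
    private static final SecureRandom RNG = new SecureRandom();

    static String generateNonce() {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
}
```

The design point is the one Chuck and Konstantin also make about c:url: the nonce is an implementation detail of the filter's response wrapper, and the supported way to propagate it is to encode every outbound URL through that wrapper and pass the result (not the cache object) into whatever renders the page.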



RE: Found org.apache.catalina.filters.CSRF_NONCE

Posted by Mathew Samuel <Ma...@entrust.com>.
Well that's embarrassing. Thanks Chuck!

In my own defense I had read his response and didn't really understand it so it swiftly left my mind. Then suddenly I could access that Attribute and now in hindsight his response makes sense to me.

Feels like half the time I'm defending myself on this forum. But truly if it wasn't for all your contributions I would not have even progressed this far. Thank you.

Cheers,
Matt
 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, April 15, 2011 3:47 PM
To: Tomcat Users List
Subject: RE: Found org.apache.catalina.filters.CSRF_NONCE

> From: Mathew Samuel [mailto:Mathew.Samuel@entrust.com]
> Subject: Found org.apache.catalina.filters.CSRF_NONCE

> now I know that the org.apache.catalina.filters.CSRF_NONCE is not a String but something else.

Actually, Konstantin told you that several hours ago:

> > 1) ${session['org.apache.catalina.filters.CSRF_NONCE']}
> > 2) The value of the above is some object (a cache) not a String.
> > It cannot be used as a <c:param> value.
> > 3) c:url already takes care of the nonce, because it calls 
> > HttpServletResponse.encodeURL(..)

Perhaps you should go back and read his complete response:
http://marc.info/?l=tomcat-user&m=130287556712594&w=2

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.




RE: Found org.apache.catalina.filters.CSRF_NONCE

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mathew Samuel [mailto:Mathew.Samuel@entrust.com] 
> Subject: Found org.apache.catalina.filters.CSRF_NONCE

> now I know that the org.apache.catalina.filters.CSRF_NONCE is not a String but something else.

Actually, Konstantin told you that several hours ago:

> > 1) ${session['org.apache.catalina.filters.CSRF_NONCE']}
> > 2) The value of the above is some object (a cache) not a String.
> > It cannot be used as a <c:param> value.
> > 3) c:url already takes care of the nonce,
> > because it calls HttpServletResponse.encodeURL(..)

Perhaps you should go back and read his complete response:
http://marc.info/?l=tomcat-user&m=130287556712594&w=2

 - Chuck



