tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject CSRF prevention filter and Tomcat 5/6
Date Fri, 07 May 2010 17:50:42 GMT
I'm trying to decide the best way to back-port the configuration of this 
to the (Host) Manager app in Tomcat 5 & 6.

The requirements are:
- not to break anything that currently works
- enable CSRF for the HTML interface
- the same user cannot have access to the HTML and text interfaces for 
the filter to be effective.

I can't see a way to meet all of these.

The options I am considering are:
A: change the role required to access the text interface to manager-text
    - consistent with Tomcat 7
    - will break tools currently using the manager role

B: comment out the mapping for the text interface
    - will break tools currently using the text interface

C: change the role required to access the HTML interface
    - not consistent with Tomcat 7
    - will break user access to the Manager GUI

D: Don't enable the filter by default but provide instructions on what 
to do if you do want to enable it in the docs. Something along the lines of:
- uncomment the Filter and filter mapping
- change the role used for the text and jmx interfaces (to match the new 
names in Tomcat 7)

I am currently leaning towards D along with some changes to the web.xml 
files that won't change current behaviour but will make it simpler to 
add the CSRF filter.

Thoughts?

Mark
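As an added illustration (not part of the original message and not Tomcat's shipped web.xml), this is roughly what a Manager web.xml would look like after following the option D instructions: the Filter and filter-mapping uncommented and limited to the HTML interface, and the text and JMX interfaces moved to a separate role so that no single principal needs both. The filter class and `entryPoints` parameter are those of Tomcat 7's `CsrfPreventionFilter`; the role name `manager-text` is the one used in the message; the url-patterns are assumed to match the Manager app's servlet mappings.

```xml
<!-- Illustrative Manager web.xml fragment (assumed structure, not the shipped file) -->
<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <!-- Pages that may be requested without a nonce: the first entry into the GUI -->
    <param-name>entryPoints</param-name>
    <param-value>/html,/html/,/html/list,/index.jsp</param-value>
  </init-param>
</filter>
<filter-mapping>
  <!-- Only the HTML interface is protected; scripted text/JMX clients carry no nonce -->
  <filter-name>CSRF</filter-name>
  <url-pattern>/html/*</url-pattern>
  <url-pattern>/index.jsp</url-pattern>
</filter-mapping>

<!-- HTML interface: existing role kept, so GUI users are not broken -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface (CSRF filtered)</web-resource-name>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/index.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- Text and JMX interfaces: separate role. A user granted manager-text must NOT
     also hold manager, otherwise the unfiltered text interface bypasses the filter. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Text and JMX Manager interfaces (unfiltered)</web-resource-name>
    <!-- one pattern per text-interface servlet-mapping in the file; abbreviated here -->
    <url-pattern>/list</url-pattern>
    <url-pattern>/deploy</url-pattern>
    <url-pattern>/undeploy</url-pattern>
    <url-pattern>/reload</url-pattern>
    <url-pattern>/jmxproxy/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-text</role-name>
  </auth-constraint>
</security-constraint>

<security-role><role-name>manager</role-name></security-role>
<security-role><role-name>manager-text</role-name></security-role>
```

The corresponding change in tomcat-users.xml is to give scripted clients only `manager-text` and interactive users only `manager`; a principal holding both gets no CSRF protection from this setup.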
