From: Mark Thomas
To: Tomcat Users List
Subject: Re: CsrfPreventionFilter
Date: Fri, 04 Mar 2011 09:42:48 +0000
Message-ID: <4D70B418.90907@apache.org>

On 04/03/2011 09:35, spring@gmx.eu wrote:
> Hi,
>
> 2 questions:
>
> 1. Are there any plans to implement wildcard (e.g. ANT-like) matching for
> the entrypoints of the CsrfPreventionFilter?
>
> I have several static resources like css, images etc. which do not need a
> nonce and I really cannot list all of them explicitly. The main problem is
> urls in css files which are editable by the customer.

Not at the moment. It should be easy enough to add 'entryPointPattern' or
similar. Another option would be not to map the filter to /* but how easy
that approach is will depend on how complex the url scheme is.

> 2. Are there any plans to make the nonce-parameter name configurable?

Not at the moment. Should be simple to do if required.

For both of these, enhancement requests in Bugzilla are the way to go.
Enhancement requests that include patches tend to get looked at faster. If
you need some pointers on building Tomcat / writing the patch just ask.

Mark
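The second option from the reply above (not mapping the filter to /*), shown as an added web.xml fragment that is not part of the original message. The /app/* and /admin/* paths, the filter name and the entry-point URLs are assumptions chosen for illustration.

```xml
<!-- Added example: fragment of WEB-INF/web.xml. All paths are assumed. -->
<filter>
  <filter-name>CsrfFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <!-- Comma-separated exact URLs that may be requested without a nonce.
         No wildcard matching is available here, which is the limitation
         raised in question 1. -->
    <param-name>entryPoints</param-name>
    <param-value>/app/home,/app/login.jsp</param-value>
  </init-param>
</filter>

<!-- Instead of <url-pattern>/*</url-pattern>, map only the dynamic paths.
     Servlet url-patterns allow prefix (/app/*) and extension (*.jsp) forms,
     not ANT-style globs. /css/*, /images/* and other static content are left
     unmapped, so requests for them never reach the nonce check and
     customer-edited url() references in CSS keep working. -->
<filter-mapping>
  <filter-name>CsrfFilter</filter-name>
  <url-pattern>/app/*</url-pattern>
  <url-pattern>/admin/*</url-pattern>
</filter-mapping>
```

With this mapping, every state-changing handler has to live under a mapped path; anything reachable outside /app/* or /admin/* gets no nonce validation.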