tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Found org.apache.catalina.filters.CSRF_NONCE
Date Fri, 15 Apr 2011 19:49:09 GMT
Hash: SHA1


On 4/15/2011 3:42 PM, Mathew Samuel wrote:
>  However the exception I received back was the following: 
> java.lang.ClassCastException:
> org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be
> cast to java.lang.String
> Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not
> a String but something else. In the API description for
> org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there is
> only two methods: add and contains. Neither of which would help me
> access the value of this CSRF_NONCE.

Right: it's supposed to store nonces and let you look them up. There is
a psuedo-current nonce for the request -- the one stored in the response
wrapper object created by the CsrfPreventionFilter.

> And maybe I'm going about this all wrong, and how this works, but
> what I was thinking about doing was to grab what I had presumed to be
> a value from the Attribute org.apache.catalina.filters.CSRF_NONCE and
> ensure that value gets propagated so that when the XSLT does it's
> transformation it will be there included with the link (we don't use
> JSP).

Do you have access to the response object (HttpServletResponse) itself?
It would be far easier to call response.encodeURL and everything will work.

> I am going about this correctly right? If so is there a value from
> org.apache.catalina.filters.CSRF_NONCE that I should be able to
> extract? Like the actual nonce value?

Nope: it looks like it's an opaque store where the caller needs to know
a priori what nonce will be used.

If you are really desperate, you could just generate a new nonce and add
it to the cache ;)

- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message