tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Tomcat not conforming to Servlet spec 2.4+ in regards to jsp:include
Date Mon, 08 Aug 2011 05:58:47 GMT
2011/8/8 Nadav Katz <nadav.katz@oracle.com>:
>
> I have a filter in place for validating CSRF tokens. I only wish to validate requests
> coming from the client, so no validation for dynamic includes or forwards. My web.xml for
> the filter looks like this:
>
> <filter-mapping>
>         <filter-name>CSRFFilter</filter-name>
>         <url-pattern>*.jsp</url-pattern>
>         <servlet-name>SomeServlet</servlet-name>
> </filter-mapping>
>
> (...)
>
> <jsp:include page="/SomeServlet" flush="true" >
>         <jsp:param name="action" value="9" />
> </jsp:include>
>

What if you remove "<url-pattern>*.jsp</url-pattern>" line from the
above filter-mapping?

BTW, to strictly follow the specs, one has to run Tomcat with
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
-- see System Properties page in Configuration Reference. You can add
the above line to catalina.properties. It should not change anything
for this use case though.

Best regards,
Konstantin Kolinko
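
An added illustration, not part of the original message or of Tomcat's documentation: one way to write the quoted mapping so that the intended dispatch type is explicit and each pattern can be tested on its own, as the reply suggests. It assumes a Servlet 2.4 or later deployment descriptor and reuses the filter and servlet names from the quoted web.xml.

```xml
<!-- Added example. The <dispatcher> element (Servlet 2.4+) selects which
     dispatch types invoke the filter: REQUEST, FORWARD, INCLUDE or ERROR.
     With no <dispatcher> element the spec default is REQUEST only;
     listing it explicitly documents that the CSRF check is meant for
     requests arriving directly from the client. -->

<!-- Mapping 1: direct client requests for JSP pages. -->
<filter-mapping>
    <filter-name>CSRFFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

<!-- Mapping 2: direct client requests to the servlet.
     Kept separate from mapping 1 so either one can be commented out
     to see which pattern causes the filter to run. -->
<filter-mapping>
    <filter-name>CSRFFilter</filter-name>
    <servlet-name>SomeServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```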
