Hello,
I have a filter in place for validating CSRF tokens. I only wish to validate requests coming from the client, so no validation for dynamic includes or forwards. My web.xml for the filter looks like this:
<filter-mapping>
        <filter-name>CSRFFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
        <servlet-name>SomeServlet</servlet-name>
</filter-mapping>
Servlet spec 2.4+ states under RequestDispatcher:
"The request is being processed under a request dispatcher representing the Web component matching the or using an include() call. This is indicated by a element with value INCLUDE."
In other words, my filter shouldn't be invoked for jsp:include calls to SomeServlet since they are handled by the RequestDispatcher, and I have no explicit mapping for <dispatcher>INCLUDE</dispatcher>...
But somehow it is... My filter intercepts all calls, including "jsp:include"...
This is the (one of the...) problematic calls:
<jsp:include page="/SomeServlet" flush="true" >
        <jsp:param name="action" value="9" />
    </jsp:include>
Can anyone shed any light on this? I tried bypassing the problem by adding a "filtered" param to the request and checking it later (since the original request is supposed to be forwarded), but to no avail. It seems Tomcat is creating a new request object. Any ideas anyone? Is it a configuration issue? A bug in Tomcat? Am I a complete moron??
Thanks for any help,
Dave
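An added example, not Dave's filter and not code from Tomcat, of a CSRF token filter that validates only the request the browser itself sent: it uses the Servlet 3.0 ServletRequest.getDispatcherType() API, so it assumes a Servlet 3.0+ container (javax.servlet namespace), and the attribute and parameter names, the class name and the session-stored token are all hypothetical. Because the check is made inside the filter, it holds regardless of which <dispatcher> elements the web.xml mapping declares.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: checks a per-session CSRF token, but only on the request
// the client actually sent (DispatcherType.REQUEST). A jsp:include or a
// RequestDispatcher.forward() re-enters the chain with INCLUDE / FORWARD and is
// passed straight through, since the originating request was already checked.
public class CsrfTokenFilter implements Filter {
    static final String TOKEN_ATTR = "csrfToken";  // session attribute holding the token (assumed name)
    static final String TOKEN_PARAM = "csrfToken"; // form field carrying the token (assumed name)

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Not the client's own request: an include or forward of one already validated.
        if (request.getDispatcherType() != DispatcherType.REQUEST) {
            chain.doFilter(req, res);
            return;
        }
        // Safe methods change no server-side state, so they carry no token.
        String m = request.getMethod();
        if ("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m)) {
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String supplied = request.getParameter(TOKEN_PARAM);
        // Constant-time comparison so a mismatch reveals nothing about the stored token.
        if (expected == null || supplied == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
            return;
        }
        chain.doFilter(req, res);
    }
}
```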