tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: CSRF on multiple tomcat instances
Date Tue, 06 Nov 2012 03:59:11 GMT

Wilfred,

On 11/5/12 4:08 AM, Wilfred Duizers wrote:
> When a user clicks a link in the web application running on Tomcat
> instance 1 (portal) an application running on Tomcat instance 2 is
> opened. Is it possible to send the nonce with the link? Because
> it's running another instance.....
> 
> Do you see a solution anyway....both tomcat instances use the same
> domain https://www.example.com
> 
> They use isapi

I'm not sure ISAPI is relevant, here, but good to know.

So, first of all -- have you tried it? The CSRFPreventionFilter stores
its nonce cache (a Serializable object) in the session. If you are
using clustered sessions, then it should Just Work.

If you have other (as yet undisclosed) requirements, I'm guessing that
Tomcat's built-in CSRFPreventionFilter isn't going to meet your needs,
though it should be trivial to subclass it and customize the parts
that you need to work differently. If your improvements are decent, I
would encourage you to contribute back to the community.

If I had to do this, I would look at modifying the existing
CSRFPreventionFilter such that its storage mechanism was pluggable, so
you could specify a class that did something simple like:

   public LruCache<String> getNonceCache(HttpSession session)
   public void setNonceCache(HttpSession session, LruCache<String> cache)

If you wanted to make it a bit more high-throughput, you could make
the methods more fine-grained so you didn't have to push-and-pull the
whole cache each time. The code is more complicated, but potentially
more flexible.

Once that's done, just implement a global nonce cache using something
like webcache or your favorite key-value store (where the key is
something like session id + ".csrfCache"). Just remember to expire the
nonce caches when the user's session dies or you will end up with a
big, fat, messy database (and might even exhaust system resources if
you are using an in-memory solution like webcache).

- -chris
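The pluggable nonce-cache storage sketched above, as an added example that is not Chris's code or Tomcat's: the two methods from the message become an interface, the default in-session store sits beside a shared store keyed by session id + ".csrfCache", and an HttpSessionListener drops the entry when the session dies so the global cache cannot grow without bound. The class and attribute names, the ConcurrentHashMap standing in for webcache or a key-value store, and the javax.servlet API are assumptions; wiring the store into CsrfPreventionFilter's doFilter is left to the reader.

```java
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Stand-in for Tomcat's CsrfPreventionFilter.LruCache: remembers only the last N nonces.
class LruCache<T> implements Serializable {
    private final Map<T, T> cache;
    LruCache(final int cacheSize) {
        cache = new LinkedHashMap<T, T>() {
            @Override protected boolean removeEldestEntry(Map.Entry<T, T> eldest) {
                return size() > cacheSize;
            }
        };
    }
    public synchronized void add(T nonce) { cache.put(nonce, null); }
    public synchronized boolean contains(T nonce) { return cache.containsKey(nonce); }
}

// The pluggable storage the message proposes (interface name assumed for this example).
interface NonceCacheStore {
    LruCache<String> getNonceCache(HttpSession session);
    void setNonceCache(HttpSession session, LruCache<String> cache);
}

// Default behaviour: the cache lives in the session, so instance 2 only sees it with clustered sessions.
class SessionNonceCacheStore implements NonceCacheStore {
    private static final String ATTR = "csrfNonceCache"; // attribute name chosen for this example
    @SuppressWarnings("unchecked")
    public LruCache<String> getNonceCache(HttpSession session) {
        return (LruCache<String>) session.getAttribute(ATTR);
    }
    public void setNonceCache(HttpSession session, LruCache<String> cache) {
        session.setAttribute(ATTR, cache);
    }
}

// Global cache keyed by session id + ".csrfCache"; the map stands in for webcache or a key-value store.
class SharedNonceCacheStore implements NonceCacheStore, HttpSessionListener {
    private static final Map<String, LruCache<String>> STORE = new ConcurrentHashMap<>();
    private static String key(HttpSession session) { return session.getId() + ".csrfCache"; }
    public LruCache<String> getNonceCache(HttpSession session) { return STORE.get(key(session)); }
    public void setNonceCache(HttpSession session, LruCache<String> cache) { STORE.put(key(session), cache); }
    // Registered as a <listener> in web.xml so the entry is expired when the session dies.
    @Override public void sessionCreated(HttpSessionEvent e) { }
    @Override public void sessionDestroyed(HttpSessionEvent e) { STORE.remove(key(e.getSession())); }
}
```

With a real shared store, sessionDestroyed fires on whichever instance invalidates or times out the session, so the removal has to go to the shared backend rather than a per-JVM map.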
