tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Help regarding CSRF Filter in Tomcat 7
Date Fri, 16 Nov 2012 10:01:01 GMT
Vijaya Kumar wrote:
> Hi,
> I work on a web application that is vulnerable to CSRF (Cross Site Request Forgery) attack.
> Tomcat 7 has a CSRF prevention filter. I went through the description to configure this filter.
>
> This filter expects that we call HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String).
>
> I see that in my application we don't use the above mentioned methods. Can you please
> let me know whether there is any other way of using this filter without making calls to encodeURL()
> or encodeRedirectURL()?
>
> To be precise, I am looking for a way to incorporate CSRF Filter in an already existing
> application that doesn't use HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String).
>
> Any help in this regard is appreciated.
>

Hi.
I am a bit of a novice in this area, but as far as I understand what a CSRF attack is
(http://en.wikipedia.org/wiki/Cross-site_request_forgery), and what this filter does, it
seems to me at least that if you are not using
HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String) in
your application, then this filter would be unnecessary, and would not help anyway.

Why are you saying that your application is vulnerable to CSRF?

(Note that the same Wikipedia page seems to provide various tips to make your application
less vulnerable to CSRF attacks in general).



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
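As an added example, not code from the thread or from Tomcat itself, this shows how the CSRF prevention filter the question refers to is wired into an existing Tomcat 7 application and why the encodeURL()/encodeRedirectURL() calls matter: the filter only accepts requests to protected URLs that carry the nonce it appends through those two methods, so every link, form action and redirect the application emits has to pass through them. The servlet, its paths and the entry points are assumptions for illustration.

```java
// web.xml fragment (the filter ships with Tomcat 7; "/index.jsp" and "/login" are assumed entry points):
//   <filter>
//     <filter-name>CsrfPreventionFilter</filter-name>
//     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
//     <init-param>
//       <param-name>entryPoints</param-name>
//       <param-value>/index.jsp,/login</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>CsrfPreventionFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed servlet for illustration; the thread names no application code.
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String base = req.getContextPath() + "/account";
        // Behind the filter, encodeURL() appends the per-session nonce as the
        // org.apache.catalina.filters.CSRF_NONCE query parameter. A request to a
        // non-entry-point URL without a valid nonce is rejected by the filter.
        String deleteLink = resp.encodeURL(base + "/delete");
        out.println("<a href=\"" + deleteLink + "\">Delete account</a>");
        // Form actions need the same treatment: the nonce travels in the query
        // string, so a POST to this action still carries it.
        String changeAction = resp.encodeURL(base + "/email");
        out.println("<form method=\"post\" action=\"" + changeAction + "\">");
        out.println("  <input name=\"email\"><input type=\"submit\" value=\"Change\">");
        out.println("</form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The nonce was validated by the filter before this ran; redirect through
        // encodeRedirectURL() so the follow-up GET also carries a nonce.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account"));
    }
}
```

Any link, form action or redirect built without these calls (including those in JSP pages and client-side scripts) is refused once the filter is mapped, which is the practical reason the question asks for an alternative to retrofitting the calls.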

