tomcat-users mailing list archives
From André Warnier
Subject Re: Help regarding CSRF Filter in Tomcat 7
Date Fri, 16 Nov 2012 16:12:17 GMT
Mark Thomas wrote:
> On 16/11/2012 10:01, André Warnier wrote:
>> Vijaya Kumar wrote:
>>> Hi, I work on a web application that is vulnerable to CSRF(Cross Site
>>> Request Forgery) attack. Tomcat 7 has a CSRF prevention filter. I went
>>> through the description to configure this filter. This filter expects
>>> that we call HttpServletResponse#encodeRedirectURL(String) or
>>> HttpServletResponse#encodeURL(String). I see that in my application we
>>> don't use the above mentioned methods. Can you please let me know
>>> whether there is any other way of using this filter without making
>>> calls to encodeURL() or encodeRedirectURL()?
>>> To be precise, I am looking for a way to incorporate CSRF Filter in an
>>> already existing application that doesn't use
>>> HttpServletResponse#encodeRedirectURL(String) or
>>> HttpServletResponse#encodeURL(String).
>>> Any help in this regard is appreciated.
>> Hi.
>> I am a bit of a novice in this area, but as far as I understand what a
>> CSRF attack is
>> (, and what this
>> filter does, it seems to me at least that if you are not using
>> HttpServletResponse#encodeRedirectURL(String) or
>> HttpServletResponse#encodeURL(String) in your application, then this
>> filter would be unnecessary, and would not help anyway.
> Wrong.
> In order for the CSRF prevention filter to work, an application must run
> all URLs through encodeRedirectURL() or encodeURL(). If applications
> don't do this, the filter can't add the nonce to the URL that is used to
> provide the CSRF protection.

Well, that's essentially what I was saying. Or am I missing something here?

> Note: That filter is very generic and works for simple applications
> (e.g. Tomcat's HTML Manager app) but is likely to be quite tricky to set
> up for complex applications.
