tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: CSRF and nonce Config ???
Date Thu, 07 Feb 2013 10:19:18 GMT
2013/2/7 N.s.Karthik <nskarthik.k@gmail.com>:
> Hi
>
> Spec
> jsk1.6
> SuseLinux Enterprise10
> Tomcat 6.0.30
> Apache http2.2
>
> I have read thru the URL
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
> for 'CSRF'  and nonce
>
> But have been confused
>
> Is this 'CSRF' prevented from within Tomcat 7 by default, or is it
> configurable by using the 'nonce' or something?

1. You are using Tomcat 6. Why are you looking at Tomcat 7 documentation?

2. CsrfPreventionFilter is a filter that is used in the Tomcat Manager
web application to prevent CSRF attacks.

Any other web application that wants to use this feature has to
configure this filter explicitly and must pass all important URLs
through HttpServletResponse.encodeURL().

See Manager webapp for an example.

3. If you are planning to use this filter on your old version of
Tomcat, beware of CVE-2012-4431.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
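The two requirements Konstantin lists (declare the filter explicitly, and generate every protected URL through HttpServletResponse.encodeURL()) can be seen together in the following servlet. This is an added example, not code from the thread, from the Tomcat Manager webapp or from Tomcat's own sources. The filter class org.apache.catalina.filters.CsrfPreventionFilter, its entryPoints parameter and the default deny status of 403 are the ones documented in the filter.html page quoted in the question; the servlet name, the /orders paths, the OPEN_ORDERS list and the cancelOrder() body are assumptions constructed for the example.

```java
package example;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Assumed web.xml for the webapp that hosts this servlet (reproduced here as
 * a comment so the example is one file; paths and names are made up):
 *
 * <filter>
 *   <filter-name>CSRF</filter-name>
 *   <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
 *   <init-param>
 *     <!-- URLs that may be reached without a nonce, e.g. from a bookmark -->
 *     <param-name>entryPoints</param-name>
 *     <param-value>/orders,/orders/</param-value>
 *   </init-param>
 * </filter>
 * <filter-mapping>
 *   <filter-name>CSRF</filter-name>
 *   <url-pattern>/orders/*</url-pattern>
 * </filter-mapping>
 * <servlet>
 *   <servlet-name>Orders</servlet-name>
 *   <servlet-class>example.OrdersServlet</servlet-class>
 * </servlet>
 * <servlet-mapping>
 *   <servlet-name>Orders</servlet-name>
 *   <url-pattern>/orders/*</url-pattern>
 * </servlet-mapping>
 */
public class OrdersServlet extends HttpServlet {

    // Constructed sample data standing in for a real order store.
    private static final List<Integer> OPEN_ORDERS = Arrays.asList(1001, 1002, 1003);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        String base = req.getContextPath() + "/orders";
        PrintWriter out = resp.getWriter();
        out.println("<html><body><h1>Open orders</h1><ul>");
        for (Integer id : OPEN_ORDERS) {
            // Every URL that leads to a protected action goes through
            // encodeURL(). CsrfPreventionFilter wraps the response so that
            // this call appends the session's current nonce as a request
            // parameter; without the filter the same call still adds
            // ;jsessionid= when cookies are disabled, so it costs nothing.
            String cancelAction = resp.encodeURL(base + "/cancel");
            out.println("<li>Order " + id
                    + " <form method=\"post\" action=\"" + cancelAction + "\">"
                    + "<input type=\"hidden\" name=\"id\" value=\"" + id + "\"/>"
                    + "<input type=\"submit\" value=\"Cancel\"/></form></li>");
        }
        out.println("</ul></body></html>");
        // For contrast: a hard-coded action such as base + "/cancel" carries
        // no nonce, so the filter answers the resulting request with its deny
        // status (403 by default) instead of letting the servlet run it.
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time doPost runs the filter has already checked that the
        // nonce on this request is one it issued to this session; the servlet
        // only validates its own business input.
        String id = req.getParameter("id");
        if (id == null || !id.matches("\\d{1,9}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid order id");
            return;
        }
        cancelOrder(Integer.parseInt(id));
        // Redirect targets are URLs too: encodeRedirectURL() is wrapped by the
        // same filter, so the page the browser lands on can issue protected links.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/orders"));
    }

    // Placeholder for the real cancellation logic (assumed for the example).
    private void cancelOrder(int id) {
        log("cancelling order " + id);
    }
}
```

The entryPoints list is deliberately short: only the pages a user should be able to open cold (the order list here) are exempt from the nonce check, and every state-changing URL under /orders/ is reached only through links the servlet generated with encodeURL().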

