MIME-Version: 1.0
In-Reply-To: <1360229534781-4993918.post@n6.nabble.com>
References: <1360229534781-4993918.post@n6.nabble.com>
Date: Thu, 7 Feb 2013 14:19:18 +0400
Subject: Re: CSRF and nonce Config ???
From: Konstantin Kolinko
To: Tomcat Users List
Content-Type: text/plain; charset=ISO-8859-1

2013/2/7 N.s.Karthik :
> Hi
>
> Spec
> jsk1.6
> SuseLinux Enterprise10
> Tomcat 6.0.30
> Apache http2.2
>
> I have read thru the URL
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
> for 'CSRF' and nonce
>
> But have been confused
>
> Is this 'CSRF' prevented from within Tomcat 7 by default, or is it
> configurable by using the 'nonce' or something?

1. You are using Tomcat 6. Why are you looking at Tomcat 7 documentation?

2. CsrfPreventionFilter is a filter that is used in the Tomcat Manager web
application to prevent CSRF attacks. Any other web application that wants to
use this feature has to configure this filter explicitly and must pass all
important URLs through HttpServletResponse.encodeURL(). See the Manager webapp
for an example.

3. If you are planning to use this filter on your old version of Tomcat,
beware of CVE-2012-4431.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
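As an added example (not from the original thread or from the Tomcat project), the following shows what point 2 of the reply asks for: a web application that wires CsrfPreventionFilter into its own web.xml and then emits every state-changing link through HttpServletResponse.encodeURL(), so that the nonce the filter expects is appended. The filter class name and the entryPoints / nonceCacheSize init-params are the ones documented on the Tomcat 7 filter page linked above; the servlet name, the /accounts URLs and the account id are hypothetical, and the example assumes a Tomcat release that already carries the fix for CVE-2012-4431 (7.0.32 or 6.0.36 and later).

```java
// Added example, not part of the original mailing-list post.
//
// web.xml fragment (the filter is NOT applied by default; each webapp that
// wants it must declare it, as the Manager webapp does):
//
//   <filter>
//     <filter-name>CSRF</filter-name>
//     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
//     <init-param>
//       <!-- GET-only landing pages accepted without a nonce -->
//       <param-name>entryPoints</param-name>
//       <param-value>/accounts,/accounts/index</param-value>
//     </init-param>
//     <init-param>
//       <!-- how many recent nonces per session stay valid (default 5) -->
//       <param-name>nonceCacheSize</param-name>
//       <param-value>5</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>CSRF</filter-name>
//     <url-pattern>/accounts/*</url-pattern>
//   </filter-mapping>
//
//   <servlet>
//     <servlet-name>accounts</servlet-name>
//     <servlet-class>example.AccountsServlet</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>accounts</servlet-name>
//     <url-pattern>/accounts/*</url-pattern>
//   </servlet-mapping>
package example;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical servlet behind CsrfPreventionFilter. */
public class AccountsServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // The filter wraps the response so that encodeURL() appends the
        // current nonce as a request parameter. Only URLs built this way
        // will pass the filter on the next request.
        String closeAction = resp.encodeURL(req.getContextPath() + "/accounts/close");

        out.println("<html><body>");
        out.println("<form method='post' action='" + closeAction + "'>");
        out.println("<input type='hidden' name='id' value='42'/>");
        out.println("<input type='submit' value='Close account'/>");
        out.println("</form>");

        // Counter-example: a hand-assembled URL carries no nonce, so the
        // filter answers it with 403, exactly as it would a request forged
        // from another site. This is the mistake the reply warns about.
        String brokenLink = req.getContextPath() + "/accounts/close?id=42";
        out.println("<a href='" + brokenLink + "'>this link is rejected by the filter</a>");
        out.println("</body></html>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only reached when the filter found a valid nonce for this session.
        if ("/close".equals(req.getPathInfo())) {
            String id = req.getParameter("id");
            // ... perform the state change for account `id` here ...
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().println("closed account " + id);
        } else {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }
}
```

The entry points listed in entryPoints are the only protected paths a user may reach without a nonce (for example by typing the URL), so keep them to read-only GET pages; anything that changes state must be reached through an encodeURL()-generated link or form action.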