tomcat-users mailing list archives

From Akash Jain <akash.delh...@gmail.com>
Subject Re: CSRF protection in Tomcat 7
Date Mon, 24 Mar 2014 21:39:21 GMT
On Mon, Mar 24, 2014 at 1:33 PM, Daniel Mikusa <dmikusa@gopivotal.com> wrote:

> On Mar 24, 2014, at 4:24 PM, Akash Jain <akash.delhite@gmail.com> wrote:
>
> > Yes, it uses LinkedHashMap internally which is not thread safe.
> >
> > http://tomcat.10.x6.nabble.com/CsrfPreventionFilter-LRU-cache-td2113069.html
>
> First, please don't top post.  The convention adopted by this list is to
> reply inline or at the bottom.
>
> I don't see what you mean here.  Using LinkedHashMap does not
> automatically mean there will be threading issues and the link you've
> referenced is not discussing a threading issue.
>
> Can you explain your concern more?
>

The version used is 7.0.52. It's an old thread, but I want to know whether
Tomcat's inbuilt CSRF filter is thread safe or not. There are other CSRF
protection mechanisms, like Spring Security's, so if Tomcat's is good then we
need not consider other options.

>
> Dan
>
>
> >
> >
> > On Mon, Mar 24, 2014 at 1:09 PM, Daniel Mikusa <dmikusa@gopivotal.com> wrote:
> >
> >> On Mar 24, 2014, at 3:49 PM, Akash Jain <akash.delhite@gmail.com> wrote:
> >>
> >>> How can I prevent CSRF protection using Tomcat 7?
> >>>
> >>> I have heard that Tomcat 7 provides a CSRF filter
> >>>
> >>
> >> http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/filters/CsrfPreventionFilter.html
> >>
> >> Yes.  The manager application uses it.  You could look at the source code,
> >> if you need an example.
> >>
> >>> But is it thread safe?
> >>
> >> I do not know off the top of my head.  Is there a reason that you are
> >> asking?  Have you seen something that would indicate that it is not?
> >>
> >> Dan
> >>
> >>> Or shall we do a custom protection in our Spring 3 application?
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
>
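
The point made in the thread that using LinkedHashMap does not by itself mean there is a threading issue, as an added example (not Tomcat's source and not code from either poster): a bounded LRU nonce cache in which every access to the map holds one lock, exercised by eight threads. The class name, method names, cache size and nonce strings are hypothetical, constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.*;

public class NonceCacheDemo {
    /** Hypothetical bounded LRU set of nonces; not Tomcat's class. */
    static final class SynchronizedLruCache<T> {
        private final Map<T, Boolean> cache;

        SynchronizedLruCache(final int maxSize) {
            // Insertion-ordered map that evicts the oldest entry once full.
            this.cache = new LinkedHashMap<T, Boolean>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<T, Boolean> eldest) {
                    return size() > maxSize;
                }
            };
        }
        // Every read and write holds the same lock, so the unsynchronized
        // LinkedHashMap is never touched by two threads at once.
        void add(T nonce) {
            synchronized (cache) { cache.put(nonce, Boolean.TRUE); }
        }
        boolean contains(T nonce) {
            synchronized (cache) { return cache.containsKey(nonce); }
        }
        int size() {
            synchronized (cache) { return cache.size(); }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        final SynchronizedLruCache<String> nonces = new SynchronizedLruCache<>(5);
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            final int id = t;
            pool.execute(() -> {
                for (int i = 0; i < 10_000; i++) {
                    nonces.add("nonce-" + id + "-" + i); // constructed sample values
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        nonces.add("last");
        // The size stays within the bound and the newest nonce is still present.
        System.out.println("size=" + nonces.size() + " hasLast=" + nonces.contains("last"));
    }
}
```

When reviewing any filter for this property, the thing to check is that no code path reads or writes the map outside the lock.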
