tomcat-users mailing list archives

From Joe Tseng <jts...@secure-innovations.net>
Subject Trying to use CsrfPreventionFilter
Date Wed, 31 Aug 2016 20:08:55 GMT
Hello,

I'm trying to use CsrfPreventionFilter with a POST form in a JSP page and
my understanding of its use is I need to use a hidden value field with the
value I've set to ${session['org.apache.catalina.filters.CSRF_NONCE']}.
Right now when I load the page the value is simply blank. As far as I know
the configuration is correct and my app restarts with no obvious issues. My
<appname>/WEB-INF/web.xml is as follows:

<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <param-name>entryPoints</param-name>
    <param-value>/MIST,/MIST/,/MIST/login.jsp</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>MISTmanager</servlet-name>
</filter-mapping>
<servlet>
  <servlet-name>MISTmanager</servlet-name>
  <servlet-class>servlets.MISTmanager</servlet-class>
</servlet>

And my field is as follows:

<input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE"
value="${session['org.apache.catalina.filters.CSRF_NONCE']}" />

Is that the right way to get the value for CSRF_NONCE? If not, am I close?
Useful ideas appreciated!

 - Joe
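As an added example (not Joe's file and not code from the Tomcat project), a web.xml mapping that sends the JSP rendering the form through the filter as well, since CsrfPreventionFilter only generates and caches a nonce for requests it actually processes. The context path /MIST, the /login.jsp entry point and the /MISTmanager servlet path are assumptions based on the message.

```xml
<!-- Added example, not the original poster's configuration. Assumed layout:
     context path /MIST, form rendered by /login.jsp, servlet at /MISTmanager. -->
<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <!-- GET requests to these paths are admitted without a nonce so a user can
         (re-)enter the application. They are compared with the context-relative
         path (servlet path plus path info), as in the manager webapp's own
         web.xml, so the context path /MIST is not part of the value. -->
    <param-name>entryPoints</param-name>
    <param-value>/,/index.jsp,/login.jsp</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <!-- Map by URL pattern, not by servlet name: the JSP that renders the form
       must pass through the filter, otherwise no nonce is ever created for the
       session and the form is rendered without one. -->
  <url-pattern>/*</url-pattern>
  <!-- Caveat: with /* every GET that is neither an entry point nor carries a
       nonce (stylesheets, images, bookmarked links) is rejected, so emit those
       links through response.encodeURL() or narrow the pattern. -->
</filter-mapping>
<servlet>
  <servlet-name>MISTmanager</servlet-name>
  <servlet-class>servlets.MISTmanager</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>MISTmanager</servlet-name>
  <url-pattern>/MISTmanager</url-pattern>
</servlet-mapping>
```

With that mapping the form's action should be produced by `response.encodeURL(request.getContextPath() + "/MISTmanager")`, which is where the filter's response wrapper appends the `org.apache.catalina.filters.CSRF_NONCE` parameter that the filter later checks with `getParameter()`. Reading the session attribute directly does not work: `session` is not an EL implicit object (`sessionScope` is), and the attribute holds the filter's cache of recent nonces rather than a single string.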
