tomcat-users mailing list archives

From Joe Tseng <>
Subject Trying to use CsrfPreventionFilter
Date Wed, 31 Aug 2016 20:08:55 GMT

I'm trying to use CsrfPreventionFilter with a POST form in a JSP page and
my understanding of its use is I need to use a hidden value field with the
value I've set to ${session['org.apache.catalina.filters.CSRF_NONCE']}.
Right now when I load the page the value is simply blank. As far as I know
the configuration is correct and my app restarts with no obvious issues. My
<appname>/WEB-INF/web.xml is as follows:



And my field is as follows:

<input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE"
value="${session['org.apache.catalina.filters.CSRF_NONCE']}" />

Is that the right way to get the value for CSRF_NONCE? If not, am I close?
Useful ideas appreciated!

 - Joe
