>>> On 11/10/19 19:05, Peter Kreuser wrote: Chris,
>>>
>>>>
>>>> On 09.11.2019 at 03:58, Christopher Schultz wrote:
>>>>
>>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>>>
>>> On 09.11.2019 at 03:58, Christopher Schultz wrote:
>>>
>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>>
>>> All,
>>>
>>> I'm playing with the CsrfPreventionFilter and things are working
>>> well in the following situations:
>>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Peter,
On 11/10/19 19:05, Peter Kreuser wrote:
> Chris,
>
>>
>> On 09.11.2019 at 03:58, Christopher Schultz wrote:
>>
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>
>> All,
>
> All,
>
> I'm playing with the CsrfPreventionFilter and things are working well
> in the following situations:
>
> link text
>
> and
>
>
> ...
>
>
> As long as the URL has been passed through request.encodeURL().
>
> However, this
Chris,
>
> On 09.11.2019 at 03:58, Christopher Schultz wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> All,
>
> I'm playing with the CsrfPreventionFilter and things are working well
> in the following situations:
>
> link
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
All,
I'm playing with the CsrfPreventionFilter and things are working well
in the following situations:
link text
and
...
As long as the URL has been passed through request.encodeURL().
However, this one is causing me a problem:
...
I want to have my landing page be accessible without using a nonce but
right now I'm getting a 403. I do have a separate login page that works
without a nonce.
The pertinent section of my web.xml is as follows:
entryPoints
/, /login.jsp, /JS/MIST.js
I also tried "/*" without success. I
Hello,
I'm trying to use CsrfPreventionFilter with a POST form in a JSP page and
my understanding of its use is I need to use a hidden value field with the
value I've set to ${session['org.apache.catalina.filters.CSRF_NONCE']}.
Right now when I load the page the value is simpl
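The two questions above (a landing page and a login page that must be reachable without a nonce, and a POST form that must carry one) come down to the same configuration, so here is an added example web.xml fragment for the filter. It is not taken from any message in the thread, and the two paths listed in entryPoints are hypothetical. entryPoints is a comma-separated list that is compared as an exact string against the context-relative path (servlet path plus path info), so there is no wildcard matching; a request to one of those paths is accepted without a nonce, is given a fresh one for the links on that page, and is meant for GET navigation only.

```xml
<!-- Added example, not from the thread: CsrfPreventionFilter configuration.
     /index.jsp and /login.jsp are hypothetical entry points. -->
<filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <!-- Exact context-relative paths that may be requested without a nonce;
             each such request issues a new nonce for the links on that page. -->
        <param-name>entryPoints</param-name>
        <param-value>/index.jsp,/login.jsp</param-value>
    </init-param>
    <init-param>
        <!-- Previously issued nonces kept per session, so that several open
             tabs or parallel requests do not invalidate each other (default 5). -->
        <param-name>nonceCacheSize</param-name>
        <param-value>5</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

The POST form from the second message then works the way the manager webapp's forms do: its action URL is passed through HttpServletResponse.encodeURL() (JSTL's <c:url> calls it for you), which appends the nonce as the org.apache.catalina.filters.CSRF_NONCE query parameter, and the filter reads that parameter with getParameter(), which sees query-string parameters on a POST as well, so no hidden field is needed. The session attribute of the same name holds the filter's cache of recently issued nonces (one object for the whole session), not the nonce for the current page, and the EL implicit object for session attributes is sessionScope, not session. Static resources referenced from a protected page need the same treatment as links: since entryPoints is matched as an exact path, a CSS or image URL is either listed there or written through encodeURL().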
exact token value and the value is random.
> > >
> > > If you are constantly receiving 403 on your POST requests it means
> > > that you are requesting the wrong URL (one that does not contain the CSRF
> > > token) or your requests are not a part of the session.
>
> > that you are requesting the wrong URL (one that does not contain the CSRF
> > token) or your requests are not a part of the session.
> >
> >
> > > The only stable solution is again based on Synchronizer Token
> > > Pattern<
> https://www.owasp.org/index.php/Cross-Site_Req
F%29_Prevention_Cheat_Sheet
>
> > but
> > instead of encoded in URLs, the CSRF token value can be transferred from
> > and to the client through a custom CSRF token header. The REST CSRF token
> > value needs to be stored in some sort of state on client and server
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Utkarsh,
On 3/21/14, 3:01 AM, Utkarsh Dave wrote:
> Thanks Konstantin. My version of TOMCAT is 7.0.41 you said with
> this configuration I will not be able to access ROOT/index.html or
> any of the images, css or js files. What can I do to overcome
Thanks Konstantin.
My version of TOMCAT is 7.0.41
you said with this configuration I will not be able to access
ROOT/index.html or any of the images, css or js files.
What can I do to overcome this if I still want to go ahead configuring the
$TOMCAT_HOME/conf/web.xml. Can I add them in entryPoints?
2014-03-21 10:09 GMT+04:00 Utkarsh Dave :
> Hi all,
>
> I am trying to configure the Tomcat inbuilt filter
> (tomcat.valves.CiscoResponseHeaderFilter) into my $TOMCAT_HOME/conf/web.xml
1. The above file provides defaults for all web applications. It is
unwise to modify it.
E.g. with such configur
Hi all,
I am trying to configure the Tomcat inbuilt filter
(tomcat.valves.CiscoResponseHeaderFilter) into my $TOMCAT_HOME/conf/web.xml
CSRF
org.apache.catalina.filters.CsrfPreventionFilter
entryPoints
/index.jsp
CSRF
> instead of encoded in URLs, the CSRF token value can be transferred from
> and to the client through a custom CSRF token header. The REST CSRF token
> value needs to be stored in some sort of state on client and server side.
> In addition REST clients need to adopt this CSRF token transfer mechanism.
>
> *Proposal:*
>
> but
> instead of encoded in URLs, the CSRF token value can be transferred from
> and to the client through a custom CSRF token header. The REST CSRF token
> value needs to be stored in some sort of state on client and server side.
> In addition REST clients need to adopt th
value needs to be stored in some sort of state on client and server side.
In addition REST clients need to adopt this CSRF token transfer mechanism.
*Proposal:*
You can find at the link
https://docs.google.com/open?id=0B-HUwAvkRIKJTVViWUFkNFl6alU , the
CsrfPreventionFilter extended so that i
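The header-carried variant of the synchronizer token pattern described in the proposal above can be written as an ordinary servlet filter. The class below is an added example for this page, not the extended CsrfPreventionFilter from the linked document and not Tomcat code; the header name X-CSRF-Token and the session attribute name are assumptions. It binds one random token to the session, hands it to the client in a response header on safe requests, and rejects every other request whose X-CSRF-Token header does not match, comparing in constant time. This blocks cross-site request forgery because a browser will not attach a custom request header to a cross-origin request without a CORS preflight that the server has to approve first.

```java
// Added example (not Tomcat's CsrfPreventionFilter): synchronizer token carried in a
// request header, for REST clients. HEADER and SESSION_ATTR names are assumptions.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class HeaderCsrfFilter implements Filter {

    static final String HEADER = "X-CSRF-Token";                               // assumed name
    static final String SESSION_ATTR = HeaderCsrfFilter.class.getName() + ".TOKEN";
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));

    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (SAFE_METHODS.contains(req.getMethod())) {
            // Safe methods need no token; give the client the session's token so it
            // can send it back on state-changing requests.
            res.setHeader(HEADER, tokenFor(req.getSession(true)));
            chain.doFilter(req, res);
            return;
        }

        // State-changing request: the header must match the token bound to this session.
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_ATTR);
        String presented = req.getHeader(HEADER);
        if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns the session's token, creating it on first use (one token per session). */
    private String tokenFor(HttpSession session) {
        synchronized (this) {   // two parallel first requests must not each mint a token
            String token = (String) session.getAttribute(SESSION_ATTR);
            if (token == null) {
                byte[] bytes = new byte[32];   // 256 random bits
                random.nextBytes(bytes);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
                session.setAttribute(SESSION_ATTR, token);
            }
            return token;
        }
    }

    /** Constant-time comparison, so response timing does not leak matching prefixes. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Map it with a filter-mapping of /* as in the other messages. A REST client first issues a GET, stores the X-CSRF-Token response header, and repeats it as a request header on every POST, PUT or DELETE. Unlike Tomcat's filter, this keeps a single token per session rather than one nonce per page, which is why no nonce cache is needed; the token is stored only in the session and is never sent in a cookie.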
Rainer Jung wrote:
>On 23.07.2012 13:38, Mark Thomas wrote:
>> On 23/07/2012 11:10, Rainer Jung wrote:
>>> The cluster needs to be able to serialize sessions in order to replicate
>>> them over the network. The message indicates that the session attribute
>>> org.apache.catalina.filters.CSRF_N
On 23.07.2012 13:38, Mark Thomas wrote:
On 23/07/2012 11:10, Rainer Jung wrote:
The cluster needs to be able to serialize sessions in order to replicate
them over the network. The message indicates that the session attribute
org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter is not
Yes my environment is a clustered one.
Thanks Rainer for the quick response, this was really helpful.
On Mon, Jul 23, 2012 at 3:40 PM, Rainer Jung wrote:
>
>
> It seems you are doing clustering?
>
> The cluster needs to be able to serialize sessions in order to replicate
> them over the network.
On 23/07/2012 11:10, Rainer Jung wrote:
> The cluster needs to be able to serialize sessions in order to replicate
> them over the network. The message indicates that the session attribute
> org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter is not
> serializable.
>
> You might
>
> -
On 23.07.2012 12:00, Nikhil Dhankani wrote:
Hi,
I am trying to configure CSRFPreventionFilter with the below code in my
web.xml.
CSRF
org.apache.catalina.filters.CsrfPreventionFilter
CSRF
/*
But tomcat fails to start with below error,
Jul 22, 2012 11:57:17 PM
Hello Mark
Thanks for the info.
- Ganesh
On Fri, Dec 23, 2011 at 3:30 PM, Mark Thomas wrote:
> On 23/12/2011 19:45, Ganesh Dhakshinamurthy wrote:
> >>
> >> Hi
> >> I recently came across an issue reported regarding the LRU
> >> cache implementation in Csr
On 23/12/2011 19:45, Ganesh Dhakshinamurthy wrote:
>>
>> Hi
>> I recently came across an issue reported regarding the LRU
>> cache implementation in CsrfPreventionFilter. It was reported that FIFO was
>> implemented instead of LRU. We are facing an issue in our a
>
> Hi
> I recently came across an issue reported regarding the LRU
> cache implementation in CsrfPreventionFilter. It was reported that FIFO was
> implemented instead of LRU. We are facing an issue in our application due
> to this, [Nonce tokens getting rejected]. I searched in th
On Fri, Nov 4, 2011 at 20:23, Mark Thomas wrote:
[...]
>
> I think the thing to do here is to work out what the 'best' solution is
> and fix the docs/code accordingly. I think LRU is the way to go in which
> case the current code needs fixing.
>
I see more arguments for the LRU case: when a CSRF
to
> determine what the original intention is first - based on the Javadoc it
> would suggest that the intention is for the cache to be LRU, could anyone
> here confirm that?
I wrote the initial implementation of the CsrfPreventionFilter and I
honestly can't remember whether I actuall
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Pete,
On 11/4/11 1:06 PM, Pete Gould wrote:
> Okay, great. I guess that I should raise a bug for this then.
>
> The reason that I think that add() needs to change is that it used
> to be:
>
> cache.put(key, null);
>
> and therefore cache.contains()
Hi,
Okay, great. I guess that I should raise a bug for this then.
The reason that I think that add() needs to change is that it used to be:
cache.put(key, null);
and therefore cache.contains() would return null as it would have to change
to use get(). This is because we can no longer use cont
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Pete,
On 11/4/11 9:14 AM, Pete Gould wrote:
> I have recently been using the
> org.apache.catalina.filters.CsrfPreventionFilter, and I notice that
> the documentation for setNonceCacheSize states:
>
> "Sets the number of previously issued nonces that
Hi,
I have recently been using
the org.apache.catalina.filters.CsrfPreventionFilter, and I notice that the
documentation for setNonceCacheSize states:
"Sets the number of previously issued nonces that will be cached on a
LRU basis to support parallel requests..."
However, looking at the implemen
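Two of the threads on this page come down to properties of the per-session nonce cache: the clustering thread above needed it to be Serializable so that sessions can replicate, and this thread asks whether it is really LRU. The class below is an added example, not Tomcat's LruCache, that has both properties, and its main() shows what goes wrong otherwise: a genuinely LRU cache keeps the nonce of a page that is still in use, a FIFO cache (insertion order) evicts it, and a containsKey()-style check on an access-ordered LinkedHashMap does not count as an access, which is the point made above about contains() having to use get(). The cache size of 3 and the nonce strings are constructed for the demonstration.

```java
// Added example, not Tomcat's CsrfPreventionFilter.LruCache: a Serializable,
// access-ordered nonce cache plus a demonstration of FIFO vs LRU eviction.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;

public class LruNonceCache implements Serializable {
    private static final long serialVersionUID = 1L;

    /** LinkedHashMap bounded to max entries; accessOrder selects FIFO (false) or LRU (true). */
    static final class BoundedMap extends LinkedHashMap<String, Boolean> {
        private static final long serialVersionUID = 1L;
        private final int max;
        BoundedMap(int max, boolean accessOrder) {
            super(16, 0.75f, accessOrder);
            this.max = max;
        }
        @Override
        protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
            return size() > max;   // evicts the head: oldest inserted (FIFO) or least recently used (LRU)
        }
    }

    private final BoundedMap nonces;

    public LruNonceCache(int cacheSize) {
        nonces = new BoundedMap(cacheSize, true);
    }

    /** Records a newly issued nonce; once full, the least recently used nonce is evicted. */
    public synchronized void add(String nonce) {
        nonces.put(nonce, Boolean.TRUE);
    }

    /** True if the nonce is still valid. Uses get(), not containsKey(): only get() counts
     *  as an access in an access-ordered LinkedHashMap, so only get() refreshes the nonce. */
    public synchronized boolean contains(String nonce) {
        return nonces.get(nonce) != null;
    }

    /** Round-trips the cache through Java serialization, as session replication does. */
    public static LruNonceCache replicate(LruNonceCache original)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(original);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (LruNonceCache) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario: three nonces issued, the page holding the first is still in use.
        LruNonceCache lru = new LruNonceCache(3);
        lru.add("nonce-A");
        lru.add("nonce-B");
        lru.add("nonce-C");
        lru.contains("nonce-A");          // a request from page A arrives and refreshes A
        lru.add("nonce-D");               // cache full: LRU evicts B, the least recently used
        System.out.println("LRU still accepts A: " + lru.contains("nonce-A"));   // true
        System.out.println("LRU evicted B: " + !lru.contains("nonce-B"));        // true

        // Same sequence on a FIFO map: the access is ignored, A is evicted, page A breaks.
        BoundedMap fifo = new BoundedMap(3, false);
        fifo.put("nonce-A", true); fifo.put("nonce-B", true); fifo.put("nonce-C", true);
        fifo.get("nonce-A");
        fifo.put("nonce-D", true);
        System.out.println("FIFO still accepts A: " + fifo.containsKey("nonce-A")); // false

        // An access-ordered map checked with containsKey() behaves like FIFO: A is evicted again.
        BoundedMap wrongCheck = new BoundedMap(3, true);
        wrongCheck.put("nonce-A", true); wrongCheck.put("nonce-B", true); wrongCheck.put("nonce-C", true);
        wrongCheck.containsKey("nonce-A");
        wrongCheck.put("nonce-D", true);
        System.out.println("LRU checked with containsKey still accepts A: "
                + wrongCheck.containsKey("nonce-A"));                               // false

        // The replicated copy a cluster member would receive knows the same nonces.
        LruNonceCache copy = replicate(lru);
        System.out.println("replica accepts A: " + copy.contains("nonce-A"));     // true
    }
}
```

The serialization round trip is what a clustered session manager does with every attribute; a nonce cache that is not Serializable fails there with the error reported in the clustering thread. The eviction order matters because the filter issues a new nonce on every protected request: with several tabs open, a FIFO cache of size N invalidates a page after N other requests no matter how recently that page was used.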
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mathew,
On 4/12/2011 3:51 PM, Mathew Samuel wrote:
> We don't make use of JSTL so I can't access it that way.
>
> We do use XSL that is run through a transform. And of course relevant
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mathew,
On 4/12/2011 3:51 PM, Mathew Samuel wrote:
> We don't make use of JSTL so I can't access it that way.
>
> We do use XSL that is run through a transform. And of course relevant
> values are retrieved from the back end too.
Depending on how to
Cheers,
Matt
-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Sunday, April 10, 2011 6:22 PM
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter
2011/4/11 Mathew Samuel :
> Hi Konstantin,
>
> I will try to avoid mapping the filt
a function I have to explicitly call
> or is it something that is already called as a result of using the
> CsrfPreventionFilter?
Something that you have to call explicitly. Though there are a number of
other means to call it, e.g. the c:url tag of JSTL calls it.
The filter wraps original re
that is already called as a result of using the CsrfPreventionFilter?
Cheers,
Matt
-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Friday, April 08, 2011 4:53 PM
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter
2011/4/8 Mathew Samuel
2011/4/8 Mathew Samuel :
> Hi Chris,
>
> Thanks for your patience. So I've got CSRF to "work" at least to a certain
> degree that it actually displays the page in its entirety. But I literally
> had to explicitly state each css, js, gif that was going to be referenced as
> part of that page. So
Mathew Samuel wrote:
Well so much for my last post with images. Essentially it was showing a
screenshot when the filter was on and there were no images, no theme, nothing.
And then the following one with it off which had everything in place. But HTML
source is identical.
Thanks for posting t
that portion of the web.xml would look like:
CSRFPreventionFilter
org.apache.catalina.filters.CsrfPreventionFilter
entryPoints
/,/do/Start,/web/en_US/images/mail.gif,/web/en_US/images/logo.gif,/web/en_US/css/style.css,/web/en_US/css/genera
the page was
broken... there's no need for a screenshot to "show" that.
Are you saying that the CsrfPreventionFilter isn't modifying your static
content URLs /at all/? If that's the case, then you aren't running those
URLs through HttpServletResponse.encodeURL befor
From: Mathew Samuel [mailto:mathew.sam...@entrust.com]
Sent: Friday, April 08, 2011 12:20 PM
To: 'Tomcat Users List'
Subject: RE: Help with CsrfPreventionFilter
Hi Chris,
That was a good test suggestion, to compare the page source between when CSRF
is on and off. What surprised me is that the p
Sent: Friday, April 08, 2011 10:42 AM
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mathew,
On 4/8/2011 9:26 AM, Mathew Samuel wrote:
> Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter.
Good.
> Also
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mathew,
On 4/8/2011 9:26 AM, Mathew Samuel wrote:
> Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter.
Good.
> Also tried with "/*" but it produced the
> same result in that what loads is basically a t
Hi Chris,
Thanks for your suggestion.
Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter.
Also tried with "/*" but it produced the same result
in that what loads is basically a text-based page with no images, no
functionality behind buttons.
So basic
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Jeff,
On 4/7/2011 12:08 PM, Mathew Samuel wrote:
>
> CSRFPreventionFilter
> *
>
The javadoc for that class says that the filter should be mapped to "/*"
not "*".
> Notice that as an entr
2011/4/7 Mathew Samuel :
> Just wondering if some one has had success using this particular filter and
> could give me pointers or perhaps an example on how I can properly use it.
The manager and host-manager webapps bundled with Tomcat are using this filter.
Best regards,
Konstantin Kolinko
--
Hi,
I'm trying to make use of the CsrfPreventionFilter using 7.0.12 so this is what
I have added to the relevant web.xml
CSRFPreventionFilter
org.apache.catalina.filters.CsrfPreventionFilter
entryPoints
/do/
On 04/03/2011 09:35, spr...@gmx.eu wrote:
> Hi,
>
> 2 questions:
>
> 1. Are there any plans to implement wildcard (e.g. ANT-like) matching for
> the entrypoints of the CsrfPreventionFilter?
>
> I have several static resources like css, images etc. which do not nee
Hi,
2 questions:
1. Are there any plans to implement wildcard (e.g. ANT-like) matching for
the entrypoints of the CsrfPreventionFilter?
I have several static resources like css, images etc. which do not need a
nonce and I really cannot list all of them explicitly. The main problem is
urls in