RE: Help with CsrfPreventionFilter

2011-04-14 Thread Mathew Samuel
access to "org.apache.catalina.filters.CSRF_NONCE". I'm guessing that I should see this as an attribute of the session. Cheers, Matt -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, April 13, 2011 4:15 PM To: Tomcat Users Li

Re: Help with CsrfPreventionFilter

2011-04-13 Thread Christopher Schultz
Mathew, On 4/12/2011 3:51 PM, Mathew Samuel wrote: > We don't make use of JSTL so I can't access it that way. > > We do use XSL that is run through a transform. And of course relevant > values are retrieved from the back end too. Depending on how to

RE: Help with CsrfPreventionFilter

2011-04-12 Thread Mathew Samuel
. Cheers, Matt -Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Sunday, April 10, 2011 6:22 PM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter 2011/4/11 Mathew Samuel : > Hi Konstantin, > > I will try to avoid mapping the filt

Re: Help with CsrfPreventionFilter

2011-04-10 Thread Konstantin Kolinko
2011/4/11 Mathew Samuel : > Hi Konstantin, > > I will try to avoid mapping the filter to those paths as you have suggested > as yes that is another approach I can try. > > You had mentioned that the filter works by providing its own implementation > of encodeURL(). Is this a function I have to ex

RE: Help with CsrfPreventionFilter

2011-04-10 Thread Mathew Samuel
that is already called as a result of using the CsrfPreventionFilter? Cheers, Matt -Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Friday, April 08, 2011 4:53 PM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter 2011/4/8 Mathew Samuel

Re: Help with CsrfPreventionFilter

2011-04-08 Thread Konstantin Kolinko
2011/4/8 Mathew Samuel : > Hi Chris, > > Thanks for your patience. So I've got CSRF to "work" at least to a certain > degree that it actually displays the page in its entirety. But I literally > had to explicitly state each css, js, gif that was going to be referenced as > part of that page. So

Re: Help with CsrfPreventionFilter

2011-04-08 Thread André Warnier
Mathew Samuel wrote: Well so much for my last post with images. Essentially it was showing a screenshot when the filter was on and there were no images, no theme, nothing. And then the following one with it off which had everything in place. But HTML source is identical. Thanks for posting t

RE: Help with CsrfPreventionFilter

2011-04-08 Thread Mathew Samuel
ristopherschultz.net] Sent: Friday, April 08, 2011 3:23 PM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter Mathew, On 4/8/2011 12:19 PM, Mathew Samuel wrote: > That was a good test suggestion, to compare the page source between > w

Re: Help with CsrfPreventionFilter

2011-04-08 Thread Christopher Schultz
Mathew, On 4/8/2011 12:19 PM, Mathew Samuel wrote: > That was a good test suggestion, to compare the page source between when > CSRF is on and off. What surprised me is that the page source between > the two is identical. > > But still with the CSRF

RE: Help with CsrfPreventionFilter

2011-04-08 Thread Mathew Samuel
: Mathew Samuel [mailto:mathew.sam...@entrust.com] Sent: Friday, April 08, 2011 12:20 PM To: 'Tomcat Users List' Subject: RE: Help with CsrfPreventionFilter Hi Chris, That was a good test suggestion, to compare the page source between when CSRF is on and off. What surprised me is that the p

RE: Help with CsrfPreventionFilter

2011-04-08 Thread Mathew Samuel
riday, April 08, 2011 10:42 AM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter Mathew, On 4/8/2011 9:26 AM, Mathew Samuel wrote: > Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter. Good. > Also

Re: Help with CsrfPreventionFilter

2011-04-08 Thread Christopher Schultz
Mathew, On 4/8/2011 9:26 AM, Mathew Samuel wrote: > Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter. Good. > Also tried with "/*" but it produced the > same result in that what loads is basically a text-based page with

RE: Help with CsrfPreventionFilter

2011-04-08 Thread Mathew Samuel
e resulting webpage without my images etc. Any other ideas that I can try? Cheers, Matt -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Thursday, April 07, 2011 5:02 PM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter -BEGI

Re: Help with CsrfPreventionFilter

2011-04-07 Thread Christopher Schultz
Jeff, On 4/7/2011 12:08 PM, Mathew Samuel wrote: > > CSRFPreventionFilter > * > The javadoc for that class says that the filter should be mapped to "/*" not "*". > Notice that as an entry point I have specified '/do/Start'

Re: Help with CsrfPreventionFilter

2011-04-07 Thread Konstantin Kolinko
2011/4/7 Mathew Samuel : > Just wondering if someone has had success using this particular filter and > could give me pointers or perhaps an example on how I can properly use it. The manager and host-manager webapps bundled with Tomcat are using this filter. Best regards, Konstantin Kolinko --

Help with CsrfPreventionFilter

2011-04-07 Thread Mathew Samuel
Hi, I'm trying to make use of the CsrfPreventionFilter using 7.0.12 so this is what I have added to the relevant web.xml CSRFPreventionFilter org.apache.catalina.filters.CsrfPreventionFilter entryPoints /do/Start