Re: CsrfPreventionFilter for REST

2015-10-22 Thread Violeta Georgieva
Hi, 2015-09-17 10:55 GMT+03:00 Christoph Nenning : > > Violeta, > > > > > > > Hello, > > > > > > > > ** ** > > > > > > > > *Background information:* > > > > > > > > We are trying to protect our RESTful > > > > APIs > > > > from > >

Re: CsrfPreventionFilter for REST

2015-09-17 Thread Christoph Nenning
Violeta, > > > Hello, > > > > > > ** ** > > > > > > *Background information:* > > > > > > We are trying to protect our RESTful > > > APIs > > > from > > > CSRF attack. > > > > > > The current Tomcat’s CSRF protection filter pr

Re: CsrfPreventionFilter for REST

2015-09-16 Thread Violeta Georgieva
Hi, 2012-09-26 12:21 GMT+03:00 Konstantin Kolinko : > > 2012/9/22 Violeta Georgieva : > > Hello, > > > > ** ** > > > > *Background information:* > > > > We are trying to protect our RESTful > > APIs > > from > > CSRF attack. > >

Re: CsrfPreventionFilter for REST

2012-09-26 Thread Konstantin Kolinko
2012/9/22 Violeta Georgieva : > Hello, > > ** ** > > *Background information:* > > We are trying to protect our RESTful > APIs > from > CSRF attack. > > The current Tomcat’s CSRF protection filter provides proper protection for >

Re: CsrfPreventionFilter for REST

2012-09-25 Thread Violeta Georgieva
Hi, Did you have a chance to check the issue and the proposal? Can I provide more information in order to make them clearer? Thanks a lot. Violeta 2012/9/21 Violeta Georgieva >Hello, > > ** ** > > *Background information:* > > We are trying to protect our RESTful > APIs

Re: CsrfPreventionFilter - LRU cache

2011-11-04 Thread Francis GALIEGUE
On Fri, Nov 4, 2011 at 20:23, Mark Thomas wrote: [...] > > I think the thing to do here is to work out what the 'best' solution is > and fix the docs/code accordingly. I think LRU is the way to go in which > case the current code needs fixing. > I see more arguments for the LRU case: when a CSRF

Re: CsrfPreventionFilter - LRU cache

2011-11-04 Thread Mark Thomas
On 04/11/2011 13:14, Pete Gould wrote: > Hi, > > I have recently been using > the org.apache.catalina.filters.CsrfPreventionFilter, and I notice that the > documentation for setNonceCacheSize states: > > "Sets the number of previously issued nonces that will be cached on a > LRU basis to support

Re: CsrfPreventionFilter - LRU cache

2011-11-04 Thread Christopher Schultz
Pete, On 11/4/11 1:06 PM, Pete Gould wrote: > Okay, great. I guess that I should raise a bug for this then. > > The reason that I think that add() needs to change is that it used > to be: > > cache.put(key, null); > > and therefore cache.contains()

Re: CsrfPreventionFilter - LRU cache

2011-11-04 Thread Pete Gould
Hi, Okay, great. I guess that I should raise a bug for this then. The reason that I think that add() needs to change is that it used to be: cache.put(key, null); and therefore cache.contains() would return null as it would have to change to use get(). This is because we can no longer use cont

Re: CsrfPreventionFilter - LRU cache

2011-11-04 Thread Christopher Schultz
Pete, On 11/4/11 9:14 AM, Pete Gould wrote: > I have recently been using the > org.apache.catalina.filters.CsrfPreventionFilter, and I notice that > the documentation for setNonceCacheSize states: > > "Sets the number of previously issued nonces that

Re: CsrfPreventionFilter

2011-03-04 Thread Mark Thomas
On 04/03/2011 09:35, spr...@gmx.eu wrote: > Hi, > > 2 questions: > > 1. Are there any plans to implement wildcard (e.g. ANT-like) matching for > the entrypoints of the CsrfPreventionFilter? > > I have several static resources like css, images etc. which do not need a > nonce and I really cannot