On Tue, Sep 2, 2014 at 5:21 PM, Daniel Mikusa <dmik...@pivotal.io> wrote:
> > I didn't try curl. I believe it should work, assuming you send the right
> > nonce.
>
> Okay.
>
> So in order to get a nonce in the URL, did you first log in?
>
> > Yes, but that was just because it was the quickest way to get a nonce to
> > test. I just copied and pasted it.
>
> Another way to get the nonce would be to create a page like "links.jsp".
> On that page, you could just output the links.
>
> Ex:
>
> <%= response.encodeURL("heapused.jsp") %>
>
> As long as you're using "response.encodeURL", the nonce will be
> automatically added to the link. The only other thing you need to do is to
> add "/links.jsp" (or whatever URL you expose) to the "entryPoints"
> parameter of the CsrfPreventionFilter in web.xml (for the manager app).
> You could then modify your script to hit the link and grab the list of
> URLs with nonce included.
>
> I suppose you could also just list your custom JSP pages as entryPoints,
> however that's going to bypass the CsrfProtectionFilter for them. Please
> note the caution provided in the entry points documentation "Entry points
> will be limited to HTTP GET requests and should not trigger any security
> sensitive actions."
>
> Also, if you don't care you could just remove the CsrfProtectionFilter, but
> it's not something I would recommend.

Great! I'll give that a try. Thanks!

-Shanti
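The client side of the links.jsp approach described in the message above, as an added example that is not part of the thread or of Tomcat: it assumes a links.jsp in the manager app that renders response.encodeURL("heapused.jsp") and is listed in the filter's entryPoints, and the base URL, credentials and page names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the client side of the links.jsp
# approach. links.jsp (listed in the CsrfPreventionFilter's entryPoints)
# renders response.encodeURL("heapused.jsp"), so its output carries the
# CSRF nonce as the org.apache.catalina.filters.CSRF_NONCE query parameter.
# Base URL, credentials and page names are placeholders.

MANAGER_BASE="${MANAGER_BASE:-http://localhost:8080/manager}"
MANAGER_USER="${MANAGER_USER:-monitor}"
MANAGER_PASS="${MANAGER_PASS:-changeme}"

# Read links.jsp output on stdin and print the first URL for page $1
# (e.g. heapused.jsp) that carries a nonce, including any ;jsessionid part.
extract_nonce_url() {
    page=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/.*\(${page}[^\"' <>]*CSRF_NONCE=[0-9A-Fa-f]*\).*/\1/p" | head -n 1
}

# Succeed only if the URL ends in a non-empty hex nonce.
has_nonce() {
    expr "$1" : '.*CSRF_NONCE=[0-9A-Fa-f]\{1,\}$' >/dev/null
}

# Full flow: hit the entry point, then use the nonce it hands out.
# The nonce is tied to the session that issued it, so the session cookie
# from the first request (-c) is sent back on the second (-b).
fetch_heap_used() {
    jar=$(mktemp) || return 1
    url=$(curl -s -u "$MANAGER_USER:$MANAGER_PASS" -c "$jar" \
              "$MANAGER_BASE/links.jsp" | extract_nonce_url heapused.jsp)
    if ! has_nonce "$url"; then
        echo "links.jsp did not return a nonce-bearing URL" >&2
        rm -f "$jar"
        return 1
    fi
    curl -s -u "$MANAGER_USER:$MANAGER_PASS" -b "$jar" "$MANAGER_BASE/$url"
    status=$?
    rm -f "$jar"
    return $status
}

# Only talk to the server when invoked as "script.sh run"; the functions
# above can be sourced and exercised offline.
[ "${1:-}" = "run" ] && fetch_heap_used
```

Because links.jsp is an entry point it bypasses the nonce check itself, so keep it to emitting links and nothing else.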