All,
I'm experimenting with the CsrfPreventionFilter in Tomcat 8.5. I've had
issues with it in the past so I haven't actually enabled it in any of my
applications, but I'm sufficiently motivated at this point to get it done.
My "application" is actually split up into two applications, each
running in a separate JVM but in the same URL space. I have a
reverse-proxy that figures this all out and it's been working for years.
I don't see why this wouldn't work.
I have enabled CSRF prevention in Application A which is the "primary
application" and the secondary application (Application B) is capable of
mimicking/proxying the csrf token back to Application A.
Application B has a feature where we present a web form to the user.
It's fairly simple (paraphrasing):
<form method="POST" action="/application_a/save_comment">
<textarea name="comment"></textarea>
</form>
When I submit this form, I get an HTTP 403 response. Our application
doesn't send 403 responses. When I remove the CsrfPreventionFilter from
the configuration by commenting-out the <filter-mapping> in
WEB-INF/web.xml, I do not get the 403 response and the form submission
is successful. I'm sure that the CSRF token is *NOT* in the POST
request: the browser shows me what is sent and it's not there. I have
hacked the form and added the token, submitted it, and it /works/.
But this is an HTTP POST and should be ignored by the filter.
So I figure I'll enable logging and see what's happening. There isn't
much logging in CsrfPreventionFilter, so I add this line to the
beginning of the skipNonceCheck method:
log.trace("skipNonceCheck(" + request.getMethod() + " " +
request.getRequestURI() + ")");
I build-from-source and launch my custom-build Tomcat with my
application in it. No logging. Oh, right... logging.properties. So I add
this to my conf/logging.properties file:
org.apache.catalina.filters.CsrfPreventionFilter.level = FINEST
To be sure there's no funny business, I use "catalina.sh run" and wait
for the console log to settle down. I make a few requests. No logs. Hmm.
Oh, the ConsoleAppender is set to FINE and not FINEST.
java.util.logging.ConsoleHandler.level = FINEST
Done. CTRL-C, catalina.sh run. Make some requests.
Nothing. Okay.... maybe the Filter is just ignoring these for some
reason. So I add this line to the beginning of doFilter, before anything
else happens:
log.trace("doFilter(" + request + ")");
Re-build. CTRL-C. catalina.sh run. Make some requests.
Nothing.
The Filter is absolutely running. If I reload a page, the csrf tokens on
all the links are changing. What's going on?
You'd think a Tomcat committer could figure out how to make logging work.
My application is using log4j2, but that library is only used by the
application and the JAR file is in WEB-INF/lib/. I wouldn't expect that
it would interfere with server-level logging.
Any ideas? About EITHER issue? If anyone can help with logging, maybe I
can figure out what's happening in the Filter. If you have any
suggestions about the Filter, I'm all ears. HTTP POST should not be
prohibited unless I'm reading both the code and the CSRF specs incorrectly.
Thanks,
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
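A simplified model of the synchronizer-token check that a filter like the one above performs, added here as an illustration; this is constructed example code, not Tomcat's CsrfPreventionFilter source. It assumes the nonce request parameter name `org.apache.catalina.filters.CSRF_NONCE`, a per-session cache of recently issued nonces, and that only GET requests to configured entry points bypass the check. Run against the page's scenario, it shows why a cross-application form POST that carries no nonce is denied with 403 while the same POST with a nonce issued in the same session passes.

```python
import secrets
from collections import OrderedDict

# Request parameter carrying the nonce (assumed name, see lead-in).
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"
# Keep only the most recent nonces per session (a small LRU window).
NONCE_CACHE_SIZE = 5


class Session:
    """Minimal stand-in for a servlet session holding the nonce cache."""

    def __init__(self):
        # Insertion-ordered so the oldest nonce can be evicted first.
        self.nonces = OrderedDict()

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = True
        while len(self.nonces) > NONCE_CACHE_SIZE:
            self.nonces.popitem(last=False)
        return nonce

    def latest_nonce(self):
        return next(reversed(self.nonces)) if self.nonces else None


def skip_nonce_check(method, uri, entry_points):
    # Only a GET to a configured entry point is exempt; the HTTP method
    # alone never exempts a request, so a POST is always checked.
    return method == "GET" and uri in entry_points


def csrf_filter(session, method, uri, params, entry_points=frozenset()):
    """Return the status the filter would produce: 403 (denied) or 200 (passed on)."""
    if not skip_nonce_check(method, uri, entry_points):
        nonce = params.get(NONCE_PARAM)
        if nonce is None or nonce not in session.nonces:
            return 403
    # A fresh nonce is issued for the next page, which is why the tokens on
    # rendered links change on every reload.
    session.issue_nonce()
    return 200


def simulate_cross_app_post():
    """Replay the scenario from the post: Application B's form posting to Application A."""
    session = Session()
    entry_points = frozenset({"/application_a/index"})
    target = "/application_a/save_comment"
    results = {}

    # Form as rendered by Application B: only the 'comment' field, no nonce.
    results["post_without_nonce"] = csrf_filter(
        session, "POST", target, {"comment": "hello"}, entry_points)

    # A GET to an entry point needs no nonce and seeds the session's cache.
    results["get_entry_point"] = csrf_filter(
        session, "GET", "/application_a/index", {}, entry_points)

    # Application B relays the nonce Application A issued in this session.
    nonce = session.latest_nonce()
    results["post_with_nonce"] = csrf_filter(
        session, "POST", target, {"comment": "hello", NONCE_PARAM: nonce}, entry_points)

    # A nonce the session never issued is rejected just like a missing one.
    results["post_with_unknown_nonce"] = csrf_filter(
        session, "POST", target, {"comment": "hello", NONCE_PARAM: "not-issued"}, entry_points)

    return results


if __name__ == "__main__":
    for name, status in simulate_cross_app_post().items():
        print(f"{name}: {status}")
```

The model makes the cross-JVM constraint concrete: the nonce lives in the session that Application A issued it to, so a form served by Application B only passes the check when it relays a nonce from that same session.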