Hi Chris,

It does not appear like I have access to HttpServletResponse. Damn. So if I did have access to that then I could just call response.encodeURL and everything would seriously just auto-magically work?
Any other way, or Object, I can use in its place?

I like your idea Chris of generating a new nonce and adding it to the cache. Trouble is that generateNonce() procedure from org.apache.catalina.filters.CsrfPreventionFilter is protected so I can't use that. Well, unless I subclass it of course. Is that what you were thinking?

Cheers,
Matt

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, April 15, 2011 3:49 PM
To: Tomcat Users List
Subject: Re: Found org.apache.catalina.filters.CSRF_NONCE

Mathew,

On 4/15/2011 3:42 PM, Mathew Samuel wrote:
> However the exception I received back was the following:
> java.lang.ClassCastException:
> org.apache.catalina.filters.CsrfPreventionFilter$LruCache cannot be
> cast to java.lang.String
>
> Ok, now I know that the org.apache.catalina.filters.CSRF_NONCE is not
> a String but something else. In the API description for
> org.apache.catalina.filters.CsrfPreventionFilter.LruCache<T> there are
> only two methods: add and contains. Neither of which would help me
> access the value of this CSRF_NONCE.

Right: it's supposed to store nonces and let you look them up. There is a pseudo-current nonce for the request -- the one stored in the response wrapper object created by the CsrfPreventionFilter.

> And maybe I'm going about this all wrong, and how this works, but what
> I was thinking about doing was to grab what I had presumed to be a
> value from the Attribute org.apache.catalina.filters.CSRF_NONCE and
> ensure that value gets propagated so that when the XSLT does its
> transformation it will be there included with the link (we don't use
> JSP).

Do you have access to the response object (HttpServletResponse) itself? It would be far easier to call response.encodeURL and everything will work.

> I am going about this correctly, right? If so is there a value from
> org.apache.catalina.filters.CSRF_NONCE that I should be able to
> extract? Like the actual nonce value?

Nope: it looks like it's an opaque store where the caller needs to know a priori what nonce will be used.

If you are really desperate, you could just generate a new nonce and add it to the cache ;)

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
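
The approach Chris describes in the quoted reply, as an added example that is not part of the original thread or of Tomcat's own code: a servlet running behind CsrfPreventionFilter calls response.encodeURL and hands the result to the XSLT as a stylesheet parameter, so the nonce never has to be read out of the session cache. The servlet name, link path, stylesheet and XML are constructed for illustration, and the javax.servlet API of that Tomcat generation is assumed.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Hypothetical servlet mapped behind CsrfPreventionFilter; every name here is illustrative.
public class ReportServlet extends HttpServlet {

    // Constructed stylesheet: the link target arrives as a parameter, already encoded.
    private static final String XSLT =
        "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
      + "<xsl:output method='html'/>"
      + "<xsl:param name='deleteUrl'/>"
      + "<xsl:template match='/'>"
      + "<a href='{$deleteUrl}'>Delete <xsl:value-of select='/item/@name'/></a>"
      + "</xsl:template></xsl:stylesheet>";

    // Constructed input document.
    private static final String XML = "<item name='example'/>";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Behind the filter, 'response' is the filter's wrapper object, so
        // encodeURL() returns the URL with this request's nonce parameter added.
        String deleteUrl = response.encodeURL(request.getContextPath() + "/item/delete?id=42");

        response.setContentType("text/html;charset=UTF-8");
        try {
            Transformer t = TransformerFactory.newInstance()
                    .newTransformer(new StreamSource(new StringReader(XSLT)));
            // The stylesheet only ever sees the finished URL, never the nonce store.
            t.setParameter("deleteUrl", deleteUrl);
            t.transform(new StreamSource(new StringReader(XML)),
                        new StreamResult(response.getWriter()));
        } catch (TransformerException e) {
            throw new ServletException("XSLT transformation failed", e);
        }
    }
}
```

Every protected link the stylesheet emits needs its own encoded parameter, since the filter rejects requests to protected URLs that arrive without a nonce it has cached.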