Hello, I have a filter in place for validating CSRF tokens. I only wish to validate requests coming from the client, so no validation for dynamic includes or forwards. My web.xml for the filter looks like this:
<filter-mapping>
    <filter-name>CSRFFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <servlet-name>SomeServlet</servlet-name>
</filter-mapping>

Servlet spec 2.4+ states under RequestDispatcher: "The request is being processed under a request dispatcher representing the Web component matching the or using an include() call. This is indicated by a element with value INCLUDE."

In other words, my filter shouldn't be invoked for jsp:include calls to SomeServlet since they are handled by the RequestDispatcher, and I have no explicit mapping for <dispatcher>INCLUDE</dispatcher>... But somehow it is... My filter intercepts all calls, including "jsp:include"...

This is the (one of the...) problematic calls:

<jsp:include page="/SomeServlet" flush="true">
    <jsp:param name="action" value="9" />
</jsp:include>

Can anyone shed any light on this? I tried bypassing the problem by adding a "filtered" param to the request and checking it later (since the original request is supposed to be forwarded), but to no avail. It seems Tomcat is creating a new request object.

Any ideas anyone? Is it a configuration issue? A bug in Tomcat? Am I a complete moron??

Thanks for any help,
Dave
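
An added example (not code from the original post) of a filter that skips CSRF validation on internal dispatches whatever the mapping says, by checking the request attributes a Servlet 2.4 container sets during include() and forward(). The `csrfToken` parameter and session-attribute name and the 403 response are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CSRFFilter implements Filter {
    // Standard attributes the container sets on the request during include()/forward().
    private static final String INCLUDE_URI = "javax.servlet.include.request_uri";
    private static final String FORWARD_URI = "javax.servlet.forward.request_uri";
    // Hypothetical name used for both the request parameter and the session attribute.
    private static final String TOKEN = "csrfToken";

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Internal dispatch (jsp:include, RequestDispatcher.forward): skip validation.
        if (req.getAttribute(INCLUDE_URI) != null || req.getAttribute(FORWARD_URI) != null) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        String expected = (session == null) ? null : (String) session.getAttribute(TOKEN);
        String supplied = http.getParameter(TOKEN);
        if (expected == null || supplied == null || !sameToken(expected, supplied)) {
            // Fail closed: no session, no token, or a mismatch all reject the request.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Compare via MessageDigest.isEqual rather than String.equals to avoid early exit.
    private static boolean sameToken(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Request attributes exist only on the server side, so a client cannot supply them to skip the check; the URL the client actually requests must still be covered by the filter mapping.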