Re: CSRF and nonce Config ???
2013/2/7 Christopher Schultz :
> Konstantin,
>
> On 2/7/13 5:19 AM, Konstantin Kolinko wrote:
>> Any other web application that wants to use this feature has to
>> configure this filter explicitly and must pass all important URLs
>> through HttpServletResponse.encodeURL().
>
> Web applications should always pass URLs through
> HttpServletResponse.encodeURL (or
> HttpServletResponse.encodeRedirectURL), whether they are important or
> not ;)

Generally yes, but static resources that do not require authentication and do not require a session, such as images, work better without jsessionid.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: CSRF and nonce Config ???
Konstantin,

On 2/7/13 5:19 AM, Konstantin Kolinko wrote:
> Any other web application that wants to use this feature has to
> configure this filter explicitly and must pass all important URLs
> through HttpServletResponse.encodeURL().

Web applications should always pass URLs through HttpServletResponse.encodeURL (or HttpServletResponse.encodeRedirectURL), whether they are important or not ;)

-chris
Re: CSRF and nonce Config ???
2013/2/7 N.s.Karthik :
> Hi
>
> Spec
> jsk1.6
> SuseLinux Enterprise10
> Tomcat 6.0.30
> Apache http2.2
>
> I have read thru the URL
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
> for 'CSRF' and nonce
>
> But have been confused
>
> Is this 'CSRF prevented from within Tomcat 7 by default or is it
> configurable by using the 'nonce' or something

1. You are using Tomcat 6. Why are you looking at Tomcat 7 documentation?

2. CsrfPreventionFilter is a filter that is used in the Tomcat Manager web application to prevent CSRF attacks. Any other web application that wants to use this feature has to configure this filter explicitly and must pass all important URLs through HttpServletResponse.encodeURL(). See Manager webapp for an example.

3. If you are planning to use this filter on your old version of Tomcat, beware of CVE-2012-4431.

Best regards,
Konstantin Kolinko
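As an added illustration of the two points made in this thread (the filter must be registered explicitly and action links must go through HttpServletResponse.encodeURL(), while static resources that need no session are better left unencoded), here is an example servlet. It is not code from the thread or from Tomcat; the servlet name, the paths and the entryPoints values are assumptions, while the filter class name and the init-param names come from the Tomcat filter documentation linked above.

```java
// Added example, not part of the mailing-list thread or of Tomcat itself.
//
// Assumed web.xml registration for the filter (class and param names as in the
// Tomcat filter docs; the url-pattern and entryPoints values are made up here):
//
//   <filter>
//     <filter-name>CsrfFilter</filter-name>
//     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
//     <init-param>
//       <param-name>entryPoints</param-name>
//       <param-value>/index.jsp,/account</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>CsrfFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
//
// Once the filter is mapped, any request to a URL that is not an entry point
// and does not carry a valid nonce is rejected, so every link that triggers
// an action has to be produced by encodeURL(), which the filter's response
// wrapper uses to append the nonce parameter.
package example;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AccountServlet extends HttpServlet {

    // Minimal HTML attribute escaping: encodeURL() output can contain '&'
    // once the nonce is appended to a URL that already has a query string.
    private static String htmlAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String ctx = req.getContextPath();

        // Action link: passes through the filter on the next request, so it
        // must be encoded. encodeURL() adds ;jsessionid=... when cookies are
        // not in use and, with CsrfPreventionFilter installed, the nonce.
        String deleteUrl = resp.encodeURL(ctx + "/account?action=delete");

        // Redirect targets get the same treatment via encodeRedirectURL().
        String afterDelete = resp.encodeRedirectURL(ctx + "/index.jsp");

        // Static image: no authentication, no session, no state change.
        // Left unencoded on purpose so it keeps a stable, cacheable URL
        // without a jsessionid (the point made in the follow-up reply).
        String logoUrl = ctx + "/images/logo.png";

        out.println("<html><body>");
        out.println("<img src=\"" + htmlAttr(logoUrl) + "\" alt=\"logo\">");
        out.println("<a href=\"" + htmlAttr(deleteUrl) + "\">Delete account</a>");
        out.println("<!-- redirect target after delete: " + htmlAttr(afterDelete) + " -->");
        out.println("</body></html>");
    }
}
```

If a link is built by string concatenation instead of encodeURL(), the quickest symptom after installing the filter is that following it yields the filter's deny status (403 by default) because the nonce is missing, which is also a useful check that no action URL was missed.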
CSRF and nonce Config ???
Hi

Spec
jsk1.6
SuseLinux Enterprise10
Tomcat 6.0.30
Apache http2.2

I have read thru the URL
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
for 'CSRF' and nonce

But have been confused

Is this CSRF prevented from within Tomcat 7 by default, or is it configurable by using the 'nonce' or something?

Please explain

with regards
Karthik

--
View this message in context: http://tomcat.10.n6.nabble.com/CSRF-and-nonce-Config-tp4993918.html