ChristopherSchultz merged PR #681:
URL: https://github.com/apache/tomcat/pull/681
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat
ChristopherSchultz commented on PR #681:
URL: https://github.com/apache/tomcat/pull/681#issuecomment-1875476100
> > Re 4: I think that if one is wise enough to write a RegExp, they could
use "|" to combine several patterns, and do not really need splitting by comma.
>
> I suppose if yo
isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437906912
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
private St
isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437905241
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -110,45 +285,70 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437903976
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
this.nonc
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437901624
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437900565
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437899157
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437898144
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437898048
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437897171
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1437896682
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -110,45 +285,70 @@ public void doFilter(ServletRequest request,
ServletResponse response,
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1436107052
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
this.n
isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435945699
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
this.nonc
isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435945537
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -110,45 +285,70 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435943790
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
this.nonc
isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435943366
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
this.nonc
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434524088
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String
parameterName) {
this.n
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434521612
##
webapps/docs/config/filter.xml:
##
@@ -319,6 +326,34 @@
of java.security.SecureRandom will be used.
+
+A list of URL pattern
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434518590
##
webapps/docs/config/filter.xml:
##
@@ -291,6 +291,13 @@
request. The default value is 403.
+
+A flag to enable or disable enforcement
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434514917
##
webapps/docs/config/filter.xml:
##
@@ -291,6 +291,13 @@
request. The default value is 403.
+
+A flag to enable or disable en
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434513367
##
webapps/docs/config/filter.xml:
##
@@ -319,6 +326,34 @@
of java.security.SecureRandom will be used.
+
+A list of URL patterns that wi
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434512783
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -198,15 +416,27 @@ protected boolean skipNonceCheck(HttpServletRequest
request) {
String
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434511388
##
webapps/docs/config/filter.xml:
##
@@ -319,6 +326,34 @@
of java.security.SecureRandom will be used.
+
+A list of URL pattern
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434510673
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -198,15 +416,27 @@ protected boolean skipNonceCheck(HttpServletRequest
request) {
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1433225531
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -198,15 +416,27 @@ protected boolean skipNonceCheck(HttpServletRequest
request) {
String
ChristopherSchultz commented on PR #681:
URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864951885
> Re 4: I think that if one is wise enough to write a RegExp, they could use
"|" to combine several patterns, and do not really need splitting by comma. Or
do you envision a use c
kkolinko commented on PR #681:
URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864889547
Re 8: Whatever is easier.
(Maybe it will be easier to extract some logic into a utility class and
test that utility class. My concern is just that the logic is not trivial, is
complicat
kkolinko commented on PR #681:
URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864873921
Re 4: I think that if one is wise enough to write a RegExp, they could use
"|" to combine several patterns, and do not really need splitting by comma. Or
do you envision a use case, where d
ChristopherSchultz commented on PR #681:
URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864828084
> 1. There are case-insensitive file systems out there... I wonder whether
those default extensions should be treated case-insensitively. (If one is
serving a web site from a USB
kkolinko commented on PR #681:
URL: https://github.com/apache/tomcat/pull/681#issuecomment-1864808958
1. There are case-insensitive file systems out there... I wonder whether
those default extensions should be treated case-insensitively. (If one is
serving a web site from a USB stick or a
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1432909931
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
private
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1432880460
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1432856054
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1432853641
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1432402971
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
private
markt-asf commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1431736198
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
private
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1431641166
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1431639832
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1431618064
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1431615348
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1431612056
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1431610887
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430461949
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
private
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430459964
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
private
markt-asf commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430459910
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
private
isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430457497
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
private St
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430451465
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1430450663
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1428761992
##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -53,6 +58,25 @@ public class CsrfPreventionFilter extends
CsrfPreventionFilterBase {
private
ChristopherSchultz commented on PR #681:
URL: https://github.com/apache/tomcat/pull/681#issuecomment-1858319793
Commit
[e2f78ec](https://github.com/apache/tomcat/pull/681/commits/e2f78eca0c7626303e5e50f1f033770b466f1755)
adds nonce-check skipping to the URLs that won't get nonces added to t
ChristopherSchultz commented on PR #681:
URL: https://github.com/apache/tomcat/pull/681#issuecomment-1858296301
My initial testing indicates that caching is working as expected with these
changes.
ChristopherSchultz opened a new pull request, #681:
URL: https://github.com/apache/tomcat/pull/681
Please see https://lists.apache.org/thread/47syblyghh3tromyf6bkvl8q14w70f3x
for the initial conversation.
I see some potential improvements for the CSRF prevention filter that will
be w
53 matches