RE: Help with CsrfPreventionFilter

2011-04-14 Thread Mathew Samuel
to org.apache.catalina.filters.CSRF_NONCE. I'm guessing that I should see this as an attribute of the session. Cheers, Matt -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, April 13, 2011 4:15 PM To: Tomcat Users List Subject: Re: Help

Re: Help with CsrfPreventionFilter

2011-04-13 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mathew, On 4/12/2011 3:51 PM, Mathew Samuel wrote: We don't make use of JSTL so I can't access it that way. We do use XSL that is run through a transform. And of course relevant values are retrieved from the back end too. Depending on how to

RE: Help with CsrfPreventionFilter

2011-04-12 Thread Mathew Samuel
-Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Sunday, April 10, 2011 6:22 PM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter 2011/4/11 Mathew Samuel mathew.sam...@entrust.com: Hi Konstantin, I will try to avoid mapping the filter

RE: Help with CsrfPreventionFilter

2011-04-10 Thread Mathew Samuel
that is already called as a result of using the CsrfPreventionFilter? Cheers, Matt -Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Friday, April 08, 2011 4:53 PM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter 2011/4/8 Mathew Samuel

Re: Help with CsrfPreventionFilter

2011-04-10 Thread Konstantin Kolinko
2011/4/11 Mathew Samuel mathew.sam...@entrust.com: Hi Konstantin, I will try to avoid mapping the filter to those paths as you have suggested as yes that is another approach I can try. You had mentioned that the filter works by providing its own implementation of encodeURL(). Is this a

RE: Help with CsrfPreventionFilter

2011-04-08 Thread Mathew Samuel
, Matt -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Thursday, April 07, 2011 5:02 PM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jeff, On 4/7/2011 12:08 PM, Mathew Samuel

Re: Help with CsrfPreventionFilter

2011-04-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mathew, On 4/8/2011 9:26 AM, Mathew Samuel wrote: Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter. Good. Also tried with <url-pattern>/*</url-pattern> but it produced the same result in that what loads is basically a

RE: Help with CsrfPreventionFilter

2011-04-08 Thread Mathew Samuel
, April 08, 2011 10:42 AM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mathew, On 4/8/2011 9:26 AM, Mathew Samuel wrote: Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter. Good. Also tried with url

RE: Help with CsrfPreventionFilter

2011-04-08 Thread Mathew Samuel
: Mathew Samuel [mailto:mathew.sam...@entrust.com] Sent: Friday, April 08, 2011 12:20 PM To: 'Tomcat Users List' Subject: RE: Help with CsrfPreventionFilter Hi Chris, That was a good test suggestion, to compare the page source between when CSRF is on and off. What surprised me is that the page source

Re: Help with CsrfPreventionFilter

2011-04-08 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mathew, On 4/8/2011 12:19 PM, Mathew Samuel wrote: That was a good test suggestion, to compare the page source between when CSRF is on and off. What surprised me is that the page source between the two is identical. But still with the CSRF

RE: Help with CsrfPreventionFilter

2011-04-08 Thread Mathew Samuel
really wrong meaning that I'm taking something that is likely simple to use and over-complicating it? Cheers, Matt -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Friday, April 08, 2011 3:23 PM To: Tomcat Users List Subject: Re: Help

Re: Help with CsrfPreventionFilter

2011-04-08 Thread André Warnier
Mathew Samuel wrote: Well so much for my last post with images. Essentially it was showing a screenshot when the filter was on and there were no images, no theme, nothing. And then the following one with it off which had everything in place. But HTML source is identical. Thanks for posting

Re: Help with CsrfPreventionFilter

2011-04-08 Thread Konstantin Kolinko
2011/4/8 Mathew Samuel mathew.sam...@entrust.com: Hi Chris, Thanks for your patience. So I've got CSRF to work at least to a certain degree that it actually displays the page in its entirety. But I literally had to explicitly state each css, js, gif that was going to be referenced as

Help with CsrfPreventionFilter

2011-04-07 Thread Mathew Samuel
Hi, I'm trying to make use of the CsrfPreventionFilter using 7.0.12 so this is what I have added to the relevant web.xml <!-- Csrf prevention filter --> <filter> <filter-name>CSRFPreventionFilter</filter-name>

Re: Help with CsrfPreventionFilter

2011-04-07 Thread Konstantin Kolinko
2011/4/7 Mathew Samuel mathew.sam...@entrust.com: Just wondering if someone has had success using this particular filter and could give me pointers or perhaps an example on how I can properly use it. The manager and host-manager webapps bundled with Tomcat are using this filter. Best

Re: Help with CsrfPreventionFilter

2011-04-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jeff, On 4/7/2011 12:08 PM, Mathew Samuel wrote: <filter-mapping> <filter-name>CSRFPreventionFilter</filter-name> <url-pattern>*</url-pattern> </filter-mapping> The javadoc for that class says that the filter should be mapped to /*