One thing I forgot to mention... In my servlet controller's auth method,
when a user's login is approved, the controller redirects the browser to
another page. I noticed, looking in my browser's network tab, that the
CSRF_NONCE token in the request URL changes value between the auth method and the
eventua

For my app I was *mostly* successful in securing it using Tomcat's
CsrfPreventionFilter tool. I can land on my unsecured login.jsp page and
get the app to still redirect based on login success.
My problem is that, regardless of login success, I'm getting a 403 error; I may be
implementing the token check