On 23.07.2012 12:00, Nikhil Dhankani wrote:
Hi,

I am trying to configure CSRFPreventionFilter with the below code in my
web.xml.

<filter>
    <filter-name>CSRF</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>CSRF</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

But Tomcat fails to start with the error below:

Jul 22, 2012 11:57:17 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet CXFServlet threw exception
java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute org.apache.catalina.filters.CSRF_NONCE
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1351)
    at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:647)
    at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:631)
    at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
    at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:173)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227)
    at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675)
    at java.lang.Thread.run(Unknown Source)

Can anybody please help as to what I am missing or what I am doing wrong?

It seems you are doing clustering?

The cluster needs to be able to serialize sessions in order to replicate them over the network. The message indicates that the session attribute org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter is not serializable.

You might

- open an issue in the Tomcat bugzilla in order to get that fixed or documented (cluster compatibility of the filter)

- disable replication for that special attribute. This might limit your ability to actually fail over in the cluster, but maybe you would need the attribute in the session only for special use cases.

To disable replication of the attribute "org.apache.catalina.filters.CSRF_NONCE":

Since 7.0.22 and 6.0.34 you can configure which session attributes you
want to distribute via a regular expression matched against the
attribute names. By default all attributes are replicated (and thus must
be serializable).

See "sessionAttributeFilter" in

http://tomcat.apache.org/tomcat-7.0-doc/config/cluster-manager.html#Common_Attributes

Regards,

Rainer
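What the sessionAttributeFilter setting from Rainer's reply looks like in a clustered server.xml, as an added example that is not part of the thread. The Cluster and Manager element names are Tomcat's own; the regex value is an assumption chosen to exclude only the attribute named in the stack trace.

```xml
<!-- server.xml, inside <Engine> or <Host> (added example, not from the thread) -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <!-- Without sessionAttributeFilter, DeltaManager replicates every
       attribute and fails on the non-serializable CSRF nonce cache.
       The regex is matched against each attribute name; a negative
       lookahead keeps everything except CSRF_NONCE (assumed value). -->
  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           sessionAttributeFilter="(?!org\.apache\.catalina\.filters\.CSRF_NONCE$).*"/>
</Cluster>
```

Caveat for the failover case Rainer mentions: because the nonce cache is not replicated, a request that lands on another node after failover carries a nonce the new node has never issued, so the filter rejects it and the user must fetch a fresh page before the next state-changing request.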
