Wilfred,
On 11/5/12 4:08 AM, Wilfred Duizers wrote:
> When a user clicks a link in the web application running on Tomcat
> instance 1 (portal), an application running on Tomcat instance 2 is
> opened. Is it possible to send the nonce with the link? Because
> it's running on another instance...
>
> Do you see a solution anyway? Both Tomcat instances use the same
> domain https://www.example.com
>
> They use ISAPI.

I'm not sure ISAPI is relevant here, but good to know.

So, first of all: have you tried it? The CSRFPreventionFilter stores its nonce cache (a Serializable object) in the session. If you are using clustered sessions, then it should Just Work.

If you have other (as yet undisclosed) requirements, I'm guessing that Tomcat's built-in CSRFPreventionFilter isn't going to meet your needs, though it should be trivial to subclass it and customize the parts that you need to work differently. If your improvements are decent, I would encourage you to contribute them back to the community.

If I had to do this, I would look at modifying the existing CSRFPreventionFilter so that its storage mechanism was pluggable, so you could specify a class that did something simple like:

  public LruCache<String> getNonceCache(HttpSession)
  public void setNonceCache(HttpSession, LruCache)

If you wanted to make it a bit more high-throughput, you could make the methods more fine-grained so you didn't have to push-and-pull the whole cache each time. The code is more complicated, but potentially more flexible.

Once that's done, just implement a global nonce cache using something like webcache or your favorite key-value store (where the key is something like session id + ".csrfCache").

Just remember to expire the nonce caches when the user's session dies, or you will end up with a big, fat, messy database (and might even exhaust system resources if you are using an in-memory solution like webcache).
-chris
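The pluggable nonce-cache storage and the shared key-value backing described in the reply above, as an added example that is not part of the original message or of Tomcat's own CsrfPreventionFilter code. The class and interface names (LruNonceCache, NonceCacheStore, SharedNonceCacheStore, CsrfNonceService) are assumptions for illustration; a ConcurrentHashMap stands in for the shared key-value store, and plain session-id strings stand in for HttpSession so the example runs with only the JDK. Two service objects play the two Tomcat instances: the portal mints a nonce for the link, the other instance verifies it against the shared store.

```java
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Demo: nonce issued on "instance 1" is verified on "instance 2" through a shared store. */
public class CrossInstanceCsrfDemo {
    public static void main(String[] args) {
        SharedNonceCacheStore shared = new SharedNonceCacheStore();
        CsrfNonceService portal = new CsrfNonceService(shared, 5); // Tomcat instance 1
        CsrfNonceService app = new CsrfNonceService(shared, 5);    // Tomcat instance 2
        String sessionId = "A1B2C3D4";                             // constructed sample session id

        String nonce = portal.issueNonce(sessionId);               // nonce embedded in the link
        System.out.println("link nonce accepted on instance 2: " + app.verifyNonce(sessionId, nonce));
        System.out.println("forged nonce rejected:             " + (!app.verifyNonce(sessionId, "0000")));

        for (int i = 0; i < 5; i++) {                              // cache keeps only the newest 5
            portal.issueNonce(sessionId);
        }
        System.out.println("evicted nonce rejected:            " + (!app.verifyNonce(sessionId, nonce)));

        shared.expire(sessionId);                                  // session died: drop its cache
        System.out.println("entries left after expiry:         " + shared.size());
    }
}

/** Bounded, insertion-ordered nonce set: adding beyond maxSize evicts the oldest nonce. */
final class LruNonceCache {
    private final Map<String, Boolean> entries;

    LruNonceCache(final int maxSize) {
        entries = new LinkedHashMap<String, Boolean>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                return size() > maxSize;
            }
        };
    }

    synchronized void add(String nonce) { entries.put(nonce, Boolean.TRUE); }

    synchronized boolean contains(String nonce) { return entries.containsKey(nonce); }
}

/** The pluggable storage hook suggested in the reply (hypothetical interface). */
interface NonceCacheStore {
    LruNonceCache getNonceCache(String sessionId);
    void setNonceCache(String sessionId, LruNonceCache cache);
    /** Wire this to HttpSessionListener.sessionDestroyed so the store cannot grow without bound. */
    void expire(String sessionId);
}

/**
 * Store shared by both instances, keyed by sessionId + ".csrfCache". A ConcurrentHashMap stands in
 * for memcached/Redis/etc.; a real backend would serialize the cache on set and deserialize on get.
 */
final class SharedNonceCacheStore implements NonceCacheStore {
    private static final String KEY_SUFFIX = ".csrfCache";
    private final Map<String, LruNonceCache> backend = new ConcurrentHashMap<String, LruNonceCache>();

    @Override public LruNonceCache getNonceCache(String sessionId) { return backend.get(sessionId + KEY_SUFFIX); }
    @Override public void setNonceCache(String sessionId, LruNonceCache cache) { backend.put(sessionId + KEY_SUFFIX, cache); }
    @Override public void expire(String sessionId) { backend.remove(sessionId + KEY_SUFFIX); }
    int size() { return backend.size(); }
}

/** The filter logic each instance runs, reduced to issuing and verifying nonces. */
final class CsrfNonceService {
    private static final SecureRandom RNG = new SecureRandom();
    private final NonceCacheStore store;
    private final int cacheSize;

    CsrfNonceService(NonceCacheStore store, int cacheSize) {
        this.store = store;
        this.cacheSize = cacheSize;
    }

    /** Pull the session's cache, add a fresh random nonce, push the cache back so other instances see it. */
    String issueNonce(String sessionId) {
        LruNonceCache cache = store.getNonceCache(sessionId);
        if (cache == null) {
            cache = new LruNonceCache(cacheSize);
        }
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        String nonce = hex.toString();
        cache.add(nonce);
        store.setNonceCache(sessionId, cache); // the "push": without it a remote backend never sees the new nonce
        return nonce;
    }

    /** Accept the request only if the presented nonce is in this session's cache. */
    boolean verifyNonce(String sessionId, String nonce) {
        LruNonceCache cache = store.getNonceCache(sessionId);
        return cache != null && nonce != null && cache.contains(nonce);
    }
}
```

The get/set pair is the whole-cache push-and-pull the reply mentions; with a real key-value backend every issued nonce costs a deserialize and a serialize of the session's cache, which is where the finer-grained "add nonce" / "has nonce" operations would pay off. The expire() call is the piece most easily forgotten: without a session listener driving it, the shared store keeps a ".csrfCache" entry for every session that ever existed.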