Hi,
Thanks a lot for the quick response. I have already gone through the suggestions given on Wikipedia. I found that the suggestions provided over there are not feasible in our application's context. Therefore, I am looking for an alternate way of preventing this attack.
-Vijay

>>> André Warnier<a...@ice-sa.com> 11/16/2012 3:31 PM >>>
Vijaya Kumar wrote:
> Hi,
> I work on a web application that is vulnerable to CSRF (Cross Site Request
> Forgery) attack. Tomcat 7 has a CSRF prevention filter. I went through the
> description to configure this filter.
> This filter expects that we call
> HttpServletResponse#encodeRedirectURL(String) or
> HttpServletResponse#encodeURL(String).
> I see that in my application we don't use the above mentioned methods. Can
> you please let me know whether there is any other way of using this filter
> without making calls to encodeURL() or encodeRedirectURL()?
>
> To be precise, I am looking for a way to incorporate CSRF Filter in an
> already existing application that doesn't use
> HttpServletResponse#encodeRedirectURL(String) or
> HttpServletResponse#encodeURL(String).
>
> Any help in this regard is appreciated.
>
Hi.
I am a bit of a novice in this area, but as far as I understand what a CSRF attack is (http://en.wikipedia.org/wiki/Cross-site_request_forgery), and what this filter does, it seems to me at least that if you are not using HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String) in your application, then this filter would be unnecessary, and would not help anyway.
Why are you saying that your application is vulnerable to CSRF?
(Note that the same Wikipedia page seems to provide various tips to make your application less vulnerable to CSRF attacks in general).

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
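An added example, not from this thread and not Tomcat's own CsrfPreventionFilter: a minimal synchronizer-token filter for a servlet application that never calls encodeURL() or encodeRedirectURL(). It keeps one random token per session, exposes it to pages as a request attribute, and rejects state-changing requests that do not carry it; the class, attribute and parameter names are chosen here for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

/** Synchronizer-token CSRF filter that does not depend on encodeURL(). Names are chosen here, not Tomcat's. */
public class SessionTokenCsrfFilter implements Filter {
    static final String SESSION_ATTR = "example.csrfToken"; // session attribute holding the token
    static final String FORM_PARAM = "csrfToken";           // hidden form field / request parameter
    private final SecureRandom random = new SecureRandom();
    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        String token;
        synchronized (session) {                            // one unpredictable token per session
            token = (String) session.getAttribute(SESSION_ATTR);
            if (token == null) {
                byte[] raw = new byte[16];
                random.nextBytes(raw);
                token = toHex(raw);
                session.setAttribute(SESSION_ATTR, token);
            }
        }
        String method = request.getMethod();
        boolean safe = "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
        if (!safe) {                                        // state-changing request: token must match
            String sent = request.getParameter(FORM_PARAM);
            if (sent == null || !MessageDigest.isEqual(sent.getBytes(StandardCharsets.UTF_8),
                                                       token.getBytes(StandardCharsets.UTF_8))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        request.setAttribute("csrfToken", token);           // JSPs render it as a hidden input field
        chain.doFilter(request, response);
    }
    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Map the filter to /* in web.xml (or with @WebFilter on Servlet 3.0) and have every form emit `<input type="hidden" name="csrfToken" value="${csrfToken}">`; this only protects the application if GET requests are genuinely side-effect free. Note that getParameter() does not see fields of multipart/form-data uploads unless the target servlet is configured for multipart parsing, so file-upload forms need the token read from the parsed parts instead.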