2013/2/7 N.s.Karthik <nskarthi...@gmail.com>:
> Hi
>
> Spec
> jsk1.6
> SuseLinux Enterprise10
> Tomcat 6.0.30
> Apache http2.2
>
> I have read through the URL
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
> for 'CSRF' and nonce
>
> But have been confused
>
> Is this CSRF prevented from within Tomcat 7 by default, or is it
> configurable by using the 'nonce' or something?
1. You are using Tomcat 6. Why are you looking at Tomcat 7 documentation?

2. CsrfPreventionFilter is a filter that is used in the Tomcat Manager web application to prevent CSRF attacks. Any other web application that wants to use this feature has to configure this filter explicitly and must pass all important URLs through HttpServletResponse.encodeURL(). See the Manager webapp for an example.

3. If you are planning to use this filter on your old version of Tomcat, beware of CVE-2012-4431.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
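The wiring point 2 describes, as an added example that is not part of the thread or of Tomcat's own code: the filter declaration goes in the application's web.xml, and every protected URL is emitted through response.encodeURL() so the filter can append its nonce. The servlet name, its URL mapping and the entry-point paths are assumptions.

```java
// Added example: using Tomcat's CsrfPreventionFilter in an ordinary webapp.
//
// 1) Declare the filter in WEB-INF/web.xml and map it to the URLs that must be
//    protected. "entryPoints" lists URLs a user may reach without a nonce (the
//    pages they type in directly); every other mapped URL requires a valid nonce.
//    (Paths below are assumed for this example.)
//
//   <filter>
//     <filter-name>CsrfPreventionFilter</filter-name>
//     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
//     <init-param>
//       <param-name>entryPoints</param-name>
//       <param-value>/index.jsp,/login</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>CsrfPreventionFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
//
// 2) Links and form actions that lead to protected URLs must be built through
//    response.encodeURL(): the filter wraps the response so that this call
//    appends the nonce parameter (org.apache.catalina.filters.CSRF_NONCE).
//    A hard-coded href never gets a nonce, so the filter rejects it with 403.

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, assumed to be mapped to /account in web.xml.
public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // Correct: encodeURL() returns the path with the session's nonce appended,
        // so the follow-up POST passes the filter's check.
        String deleteUrl = resp.encodeURL(req.getContextPath() + "/account/delete");
        out.println("<form method=\"post\" action=\"" + deleteUrl + "\">");
        out.println("  <button type=\"submit\">Delete account</button>");
        out.println("</form>");

        // Wrong: a literal action carries no nonce and the filter blocks it.
        // out.println("<form method=\"post\" action=\"/app/account/delete\">");
    }
}
```

The same rule applies to redirects: use response.encodeRedirectURL() before sendRedirect(), or the redirected request arrives without a nonce.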