Akash,

On 3/24/14, 5:39 PM, Akash Jain wrote:
> On Mon, Mar 24, 2014 at 1:37 PM, Konstantin Kolinko
> <knst.koli...@gmail.com> wrote:
>
>> 2014-03-25 0:24 GMT+04:00 Akash Jain <akash.delh...@gmail.com>:
>>> Yes, it uses LinkedHashMap internally which is not thread
>>> safe.
>>>
>>> http://tomcat.10.x6.nabble.com/CsrfPreventionFilter-LRU-cache-td2113069.html
>>
>> A 3 years old thread?
>>
>> The rules here: http://tomcat.apache.org/lists.html#tomcat-users
>>
>> -> 1. your version = ?
>> -> 6. don't top-post.
>>
> Version used is 7.0.52. It's an old thread, but I want to know if
> Tomcat's inbuilt CSRF filter is thread safe or not? As there are
> other CSRF protection mechanisms like Spring Security's, if
> Tomcat is good then we need not consider other options.

Pardon me, but if you are using Spring for your web application, why
not use Spring's CSRF prevention? That would make your web application
more portable across containers.

>> The source code is available (both downloadable and online from
>> svn).
>> All necessary syncs are there.
>>
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?annotate=1148471&diff_format=l#l313
>>
> So you are saying it's thread safe as per the diff?

No! It's threadsafe as per the *code for LruCache*! Stop looking at
tiny snapshots and look at the bigger picture.

Ask yourself: why would Tomcat implement a CSRF prevention strategy
that was not threadsafe? It would only work under the most gentle of
conditions. If you suspect a bug, collect evidence that there is a bug
and file one.

-chris
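
The point under discussion, a cache built on the non-thread-safe LinkedHashMap that is still safe because every access goes through one lock, shown as an added illustration (not Tomcat's code and not part of the original message). The names `NonceCacheDemo` and `SyncLruCache`, the cap of 5 and the random sample nonces are assumptions made for the demo.

```java
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class NonceCacheDemo {
    /** Hypothetical bounded nonce cache: a LinkedHashMap guarded by one lock. */
    static final class SyncLruCache<T> {
        private final Map<T, Boolean> cache;

        SyncLruCache(final int maxSize) {
            // LinkedHashMap itself is not thread safe; it only supplies the
            // ordering and the eviction hook (eldest key dropped past the cap).
            cache = new LinkedHashMap<T, Boolean>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<T, Boolean> eldest) {
                    return size() > maxSize;
                }
            };
        }

        // Every read and write takes the same monitor, so the map is never
        // touched by two request threads at once.
        void add(T key) { synchronized (cache) { cache.put(key, Boolean.TRUE); } }
        boolean contains(T key) { synchronized (cache) { return cache.containsKey(key); } }
        int size() { synchronized (cache) { return cache.size(); } }
    }

    public static void main(String[] args) throws InterruptedException {
        final int cap = 5; // assumed cache size for the demo
        final SyncLruCache<String> nonces = new SyncLruCache<>(cap);
        final SecureRandom rng = new SecureRandom();
        final AtomicInteger violations = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            pool.submit(() -> {
                for (int i = 0; i < 10_000; i++) {
                    nonces.add(Long.toHexString(rng.nextLong())); // constructed sample nonce
                    if (nonces.size() > cap) violations.incrementAndGet();
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        System.out.println("size=" + nonces.size() + " violations=" + violations.get());
    }
}
```

Removing the `synchronized` blocks and rerunning under the same load is a quick way to see why the lock matters: an unguarded LinkedHashMap can then exceed its cap or corrupt its internal links.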
