After upgrading Tomcat from 8.0.24 to 8.0.30, one of our applications
(Internet2's Grouper) "broke" with CSRF errors. Research turned up the
following in the Tomcat8 Changelog:

"Add a new RestCsrfPreventionFilter that provides basic CSRF protection
for REST APIs."

However, Grouper already incorporates CSRF protection using OWASP CSRFGuard
<https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project>.

It appears that the new Tomcat RestCSRF feature interacts with OWASP
CSRFGuard poorly. The new Tomcat RestCSRF is apparently enabled by default
since I did not do anything to specifically enable it. How do I disable
it? I didn't see any information on how to do this in the documentation at
<https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CSRF_Prevention_Filter_for_REST_APIs>.

Since the app already provides CSRF protection that is carefully
configured with which URLs need protection, etc., it seems redundant
for the container to do it. And actually, since it has now apparently
broken the app, I would like to turn off Tomcat's version.
-- 
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
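Tomcat's RestCsrfPreventionFilter is a regular servlet filter, wired in through a `<filter>` and `<filter-mapping>` pair in a web.xml, either the instance-wide `$CATALINA_BASE/conf/web.xml` or the application's own `WEB-INF/web.xml`. The block below is an added illustration of what such a declaration looks like; it is not taken from the mail above, from Grouper, or from the Tomcat distribution, and the `url-pattern` value is a constructed placeholder.

```xml
<!-- Added example: a RestCsrfPreventionFilter declaration as it would appear
     in a web.xml. The filter-class name is Tomcat's real class; the url-pattern
     is a constructed placeholder and not a Grouper path. -->
<filter>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <!-- constructed placeholder: the REST paths the filter would guard -->
    <url-pattern>/ws/*</url-pattern>
</filter-mapping>
```

To find where the filter is active, search both `$CATALINA_BASE/conf/web.xml` and each deployed application's `WEB-INF/web.xml` for the `RestCsrfPreventionFilter` class name. A declaration in `conf/web.xml` applies to every web application on that Tomcat instance, while one in `WEB-INF/web.xml` affects only that application. Removing (or commenting out) both the `<filter>` and the matching `<filter-mapping>` elements takes the container filter out of the request chain, leaving the application's own OWASP CSRFGuard configuration as the single CSRF control, which avoids two independent token schemes rejecting each other's requests.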
