On 11/12/2015 21:10, Baron Fujimoto wrote:
> After upgrading Tomcat from 8.0.24 to 8.0.30, one of our applications
> (Internet2's Grouper) "broke" with CSRF errors. Research turned up the
> following in the Tomcat8 Changelog:
> 
> "Add a new RestCsrfPreventionFilter that provides basic CSRF protection
> for REST APIs."

Apart from the fact that that entry includes "CSRF" and it is your CSRF
protection that is broken, what evidence do you have that the two are
related?

> However, Grouper already incorporates CSRF protection using OWASP CSRFGuard
> <https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project>.
> 
> It appears that the new Tomcat RestCSRF feature interacts with OWASP
> CSRFGuard poorly. The new Tomcat RestCSRF is apparently enabled by default
> since I did not do anything to specifically enable it.

What are you basing this assertion on? Evidence to back up the claim
that Tomcat's RestCSRF protection is enabled by default is required.

> How do I disable it?

The same way you disable any Servlet Filter.

> I didn't see any information on how to do this in the documentation at
> <https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CSRF_Prevention_Filter_for_REST_APIs>.

The Tomcat docs assume that users of Tomcat are familiar with the
Servlet specification and therefore don't need to be told the details of
how to enable/disable Filters, Servlets etc.

> Since the app already provides CSRF protection that is carefully
> configured with which URLs need protection, etc., it seems redundant
> for the container to do it. And actually, since it has now apparently
> broken the app, I would like to turn off Tomcat's version.

Again, where is the evidence that Tomcat RestCSRF filter is responsible
for the behaviour you are seeing?

Hint: The root cause is not what you think it is. You need to do a
little more research.

Mark
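For readers less familiar with the Servlet specification, the following is an added illustration (not part of Mark's reply and not Grouper's or Tomcat's own configuration) of what "the same way you disable any Servlet Filter" means. Under the Servlet specification a filter only runs if it is declared and mapped, typically in the application's WEB-INF/web.xml (or via a @WebFilter annotation or programmatic registration); the filter name and URL pattern below are assumptions chosen for the example, while the class name is Tomcat's RestCsrfPreventionFilter from the linked documentation.

```xml
<!-- Added example: a web.xml fragment that ENABLES Tomcat's REST CSRF filter.
     If no such <filter>/<filter-mapping> pair exists in the application's
     web.xml (or the container's conf/web.xml), the filter is not active.
     Filter name and URL pattern are illustrative assumptions. -->
<filter>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <url-pattern>/rest/*</url-pattern>
</filter-mapping>

<!-- To DISABLE the filter, delete (or comment out) BOTH elements above.
     Leaving a <filter-mapping> that refers to a removed <filter-name>
     is a deployment error, so always remove them as a pair. -->
```

The practical check before blaming the container is therefore to search the application's WEB-INF/web.xml, the container's conf/web.xml, and the application's classes for any declaration of org.apache.catalina.filters.RestCsrfPreventionFilter; if none exists, that filter is not in the request path and the CSRF errors must have another cause.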


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org