Hello, I'm trying to use CsrfPreventionFilter with a POST form in a JSP page and my understanding of its use is I need to use a hidden value field with the value I've set to ${session['org.apache.catalina.filters.CSRF_NONCE']}. Right now when I load the page the value is simply blank. As far as I know the configuration is correct and my app restarts with no obvious issues. My <appname>/WEB-INF/web.xml is as follows:
<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <param-name>entryPoints</param-name>
    <param-value>/MIST,/MIST/,/MIST/login.jsp</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <servlet-name>MISTmanager</servlet-name>
</filter-mapping>
<servlet>
  <servlet-name>MISTmanager</servlet-name>
  <servlet-class>servlets.MISTmanager</servlet-class>
</servlet>

And my field is as follows:

<input type="hidden" name="org.apache.catalina.filters.CSRF_NONCE" value="${session['org.apache.catalina.filters.CSRF_NONCE']}" />

Is that the right way to get the value for CSRF_NONCE? If not, am I close? Useful ideas appreciated!

- Joe
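
The setup described above, reworked as an added example that is not part of the original post: CsrfPreventionFilter's documentation assumes the filter is mapped to /* and that URLs sent to the client go through HttpServletResponse.encodeURL(), which is where the nonce gets attached. The URL "/MISTmanager", the form fields and the JSTL 1.2 taglib URI are assumptions.

```jsp
<%-- Added example, not the poster's code.
     Assumption: the filter mapping in web.xml covers this JSP as well as the
     servlet, so the response that renders the form is wrapped by the filter:

       <filter-mapping>
         <filter-name>CSRF</filter-name>
         <url-pattern>/*</url-pattern>
       </filter-mapping>

     With the mapping limited to <servlet-name>MISTmanager</servlet-name>,
     a request for login.jsp never passes through the filter. --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Why ${session['...CSRF_NONCE']} renders blank: "session" is not an EL
     implicit object (the session map is "sessionScope"), so EL looks for a
     scoped attribute named "session", finds none and prints nothing.
     ${sessionScope['org.apache.catalina.filters.CSRF_NONCE']} would not help
     either: that attribute holds the filter's cache of recent nonces, not a
     single nonce string. --%>

<%-- c:url calls response.encodeURL(); the filter's response wrapper appends
     org.apache.catalina.filters.CSRF_NONCE=<nonce> as a query parameter.
     "/MISTmanager" is a hypothetical URL pattern for the servlet; c:url
     prepends the context path to it.
     Scriptlet equivalent:
       response.encodeURL(request.getContextPath() + "/MISTmanager") --%>
<c:url var="postUrl" value="/MISTmanager" />

<form method="post" action="${postUrl}">
  <%-- No hidden nonce field: the nonce travels in the action URL's query
       string, and the filter reads it with request.getParameter() on POST. --%>
  <label>User <input type="text" name="username" /></label>
  <label>Password <input type="password" name="password" /></label>
  <input type="submit" value="Log in" />
</form>
```

View the page source after loading the form: the action attribute should end in org.apache.catalina.filters.CSRF_NONCE= followed by a hex string. If it does not, the JSP's response is not passing through the filter.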