For my app I was *mostly* successful in securing it using Tomcat's
CsrfPreventionFilter tool. I can land on my unsecured login.jsp page and
get the app to still redirect based on login success.

My problem is that, regardless of login success, I'm getting a 403 error; I
may be implementing the token check incorrectly though. When I originally
read up on how to implement CSRF protection in a traditional MVC app I was
under the impression I had to provide the token in a hidden field in a POST
form. My initial effort was aimed at providing that value from the session's
CSRF_NONCE attribute, but that kept on coming up null or of type LruCache.

Other posts said all I had to do was pass my unaltered POST form action URL
through HttpServletResponse.encodeRedirectURL() and the resulting
CSRF_NONCE GET value would automagically be handled by the filter (e.g.
https://help.hana.ondemand.com/help/e5be9994bb571014b575a785961062db.html).
Now I can produce CSRF_NONCE values all day long and be redirected to the
action page, but that page is producing a 403. I put a print statement in
my action page, but my browser isn't getting that far, leading me to think
I need to do something additional in my filter configuration.

As an aside, I currently use a custom class that extends
org.apache.catalina.filters.CsrfPreventionFilter so I can override
doFilter() and filter out any checks to CSS or JS files. That works for
excluding unsecured content but is that the right approach? Is that causing
my main issue?

My web.xml is currently as follows:

     <filter>
      <filter-name>CSRF</filter-name>
      <filter-class>filter.CustomCSRFFilter</filter-class>
      <init-param>
       <!-- context-relative paths that may be requested without a nonce;
            each entry is matched exactly against the requested path -->
       <param-name>entryPoints</param-name>
       <param-value>/,/login.jsp,/JS/MIST.js</param-value>
      </init-param>
     </filter>
     <filter-mapping>
      <filter-name>CSRF</filter-name>
      <!-- every request passes through the filter; only entryPoints skip the check -->
      <url-pattern>/*</url-pattern>
     </filter-mapping>

Appreciative of any useful assistance...

 - Joe
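For readers arriving with the same question, here is an added example (not Joe's code) of a login page that hands the nonce to CsrfPreventionFilter the way the filter expects: the filter wraps the response, so encodeURL() appends the nonce to the form action and no hidden field is needed. It uses the javax.servlet API (Tomcat 9 and earlier) and assumes a hypothetical action servlet at /doLogin.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not the original poster's code. Assumes CsrfPreventionFilter
 * is mapped on /*, that this page's path is listed in entryPoints (so it can
 * be requested without a nonce), and that the form posts to /doLogin
 * (hypothetical path).
 */
public class LoginPageServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The filter replaced 'resp' with its own wrapper. encodeURL() on that
        // wrapper appends ?org.apache.catalina.filters.CSRF_NONCE=<nonce> to the
        // URL, so the POST to /doLogin carries the nonce as a request parameter.
        // encodeRedirectURL() appends it too, but that call is meant for the
        // target you pass to sendRedirect(), not for a form action.
        String action = resp.encodeURL(req.getContextPath() + "/doLogin");

        // The session attribute org.apache.catalina.filters.CSRF_NONCE holds the
        // filter's LruCache of recently issued nonces, not a single String. That
        // is why reading it into a hidden field comes back as an LruCache; the
        // filter expects the nonce on the URL that encodeURL() produced.
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><body>");
        out.println("<form method=\"post\" action=\"" + escapeAttr(action) + "\">");
        out.println("  <label>User <input name=\"user\"></label>");
        out.println("  <label>Password <input type=\"password\" name=\"pass\"></label>");
        out.println("  <button type=\"submit\">Log in</button>");
        out.println("</form></body></html>");
    }

    // Minimal attribute escaping so the encoded URL is safe inside the HTML.
    private static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;");
    }
}
```

If the action page still answers 403, check that the request actually reaches /doLogin with the nonce parameter present and that the session that issued it is the one the browser sends back.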
