Hi Chris

> Any ideas? About EITHER issue?

> Ping. Any ideas?

Yeah, and hopefully you won't gag too much. :-P

[SNIP]

> My application is using log4j2, but that library is only used by the
> application and the JAR file is in WEB-INF/lib/. I wouldn't expect that
> it would interfere with server-level logging. [...] If anyone can help
> with logging, maybe I can figure out what's happening in the Filter.

Forget using the logging mechanism for now. Many folks have trouble setting it up anyway. Go "bone knives and bear skins" and just use System.out.println (or S.err.p). You are running in the console, right?

> HTTP POST should not be prohibited unless I'm reading both the code and the
> CSRF specs incorrectly.

Pretend that it does. How would you solve that?

[SNIP]

> Application B has a feature where we present a web form to the user.
> It's fairly simple (paraphrasing):
>
> <form method="POST" action="/application_a/save_comment">
> <textarea name="comment"></textarea>
> </form>

What happens if you cheat? Can you use a redirect from B to A instead, or will that violate the filter rules?

> You'd think a Tomcat committer could figure out how to make logging work.

FWIW, by the time I respond to a plea for help, you know you're scraping the bottom of the barrel. ;-) My experience with CsrfPreventionFilter was limited to one small app with a simple setup a few years back. Sorry I don't have anything better for you.

P.S.: I still owe you a beer.

--
Cris Berneburg
CACI Senior Software Engineer
Tomcat Newbie
