Cris,

On 12/11/23 12:48, Berneburg, Cris J. - US wrote:
Hi Chris

Any ideas? About EITHER issue?
Ping. Any ideas?

Yeah, and hopefully you won't gag too much.  :-P

[SNIP]
My application is using log4j2, but that library is only used by the application
and the JAR file is in WEB-INF/lib/. I wouldn't expect that it would interfere
with server-level logging. [...] If anyone can help with logging, maybe I can
figure out what's happening in the Filter.

Forget using the logging mechanism for now.  Many folks have trouble
setting it up anyway.  Go "bone knives and bear skins" and just use
System.out.println (or S.err.p).  You are running in the console,
right?
Fair enough.

HTTP POST should not be prohibited unless I'm reading both the
code and the CSRF specs incorrectly.

Pretend that it does.  How would you solve that?

You have to manually add the CSRF token in each <form> in a hidden FORM parameter. It's doable, but it sucks to have to do that across your whole application.

[SNIP]
Application B has a feature where we present a web form to the user.
It's fairly simple (paraphrasing):

<form method="POST" action="/application_a/save_comment">
    <textarea name="comment"></textarea>
</form>

What happens if you cheat?  Can you use a redirect from B to A
instead, or will that violate the filter rules?

That would be even more complicated. I'm looking for "simple" :)

-chris
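The "hidden FORM parameter" Chris describes is the synchronizer-token pattern: one random nonce per session, echoed into every protected form and compared on each POST. The Java class below is an added illustration for this thread, not code from Tomcat or from either application. It stands in a plain Map for the HttpSession and the request parameters so it runs without the servlet API, and the attribute and parameter names are hypothetical; a deployment behind Tomcat's CsrfPreventionFilter has to use the names that filter defines (see its Constants class for your version).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Synchronizer-token pattern: one nonce per session, echoed in every form. */
public class CsrfFormToken {

    // Hypothetical names for this example. A real deployment must use the
    // attribute and parameter names its container filter expects.
    static final String SESSION_ATTR = "example.CSRF_NONCE";
    static final String PARAM_NAME = "example.CSRF_NONCE";

    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's nonce, generating it on first use (32 random bytes). */
    static String nonceFor(Map<String, Object> session) {
        Object existing = session.get(SESSION_ATTR);
        if (existing instanceof String) {
            return (String) existing;
        }
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_ATTR, nonce);
        return nonce;
    }

    /** Renders the hidden input that must sit inside every protected form. */
    static String hiddenField(Map<String, Object> session) {
        return "<input type=\"hidden\" name=\"" + htmlAttr(PARAM_NAME)
                + "\" value=\"" + htmlAttr(nonceFor(session)) + "\">";
    }

    /** Accepts a POST only if the submitted token equals the session's nonce. */
    static boolean isValidPost(Map<String, Object> session, Map<String, String> params) {
        Object expected = session.get(SESSION_ATTR);
        String supplied = params.get(PARAM_NAME);
        if (!(expected instanceof String) || supplied == null) {
            return false;
        }
        // Constant-time comparison, so the check does not leak nonce bytes via timing.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    /** Minimal HTML attribute escaping for the rendered field. */
    private static String htmlAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed stand-in for the HttpSession of one browser.
        Map<String, Object> session = new HashMap<>();

        // The comment form from the thread, with the hidden token added.
        String form = "<form method=\"POST\" action=\"/application_a/save_comment\">\n"
                + "    " + hiddenField(session) + "\n"
                + "    <textarea name=\"comment\"></textarea>\n"
                + "</form>";
        System.out.println(form);

        // Constructed request parameters: a submission from that form...
        Map<String, String> fromForm = new HashMap<>();
        fromForm.put("comment", "hello");
        fromForm.put(PARAM_NAME, nonceFor(session));

        // ...and one from a third-party page, which cannot read the session's nonce.
        Map<String, String> crossSite = new HashMap<>();
        crossSite.put("comment", "hello");

        System.out.println("post from our form accepted: " + isValidPost(session, fromForm));
        System.out.println("cross-site post accepted:    " + isValidPost(session, crossSite));
    }
}
```

Because the nonce lives in the session and is only ever written into pages that session rendered, a form on another origin has nothing to put in the hidden field, which is what makes the filter's rejection of bare POSTs the correct default rather than an obstacle.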

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
