RE: Help with CsrfPreventionFilter

Mathew Samuel Fri, 08 Apr 2011 06:26:49 -0700

Hi Chris,

Thanks for your suggestion.


Yes the webapp works perfectly fine if I comment out the CSRFPreventionFilter.

Also tried with "<url-pattern>/*</url-pattern>" but it produced the same result 
in that what loads is basically a text-based page with no images, no 
functionality behind buttons.

So basically tried with this:

    <!-- Csrf prevention filter -->
    <filter>
        <filter-name>CSRFPreventionFilter</filter-name>
        
<filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
        <init-param>
          <param-name>entryPoints</param-name>
          <param-value>/do/Start</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CSRFPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

i.e. used "/*" instead of "*" but still the same resulting webpage without my 
images etc.

Any other ideas that I can try?

Cheers,
Matt


-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, April 07, 2011 5:02 PM
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff,

On 4/7/2011 12:08 PM, Mathew Samuel wrote:
>     <filter-mapping>
>         <filter-name>CSRFPreventionFilter</filter-name>
>         <url-pattern>*</url-pattern>
>     </filter-mapping>

The javadoc for that class says that the filter should be mapped to "/*"
not "*".

> Notice that as an entry point I have specified '/do/Start' which is 
> fine up to a point. Meaning that the Start page does load. Trouble is 
> that what loads is basically what looks like a text-based page. No 
> images, no functionality behind buttons. Just wondering if some one 
> has had success using this particular filter and could give me 
> pointers or perhaps an example on how I can properly use it.

Does the webapp work properly when the CsrfPreventionListener is not enabled? 
If so, I'll bet that invalid URL pattern is somehow involved.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2eJlIACgkQ9CaO5/Lv0PCGRgCfTTI5f8lIdMkAlh/Jp9NvNnn6
pfEAn2xMFcXmD9ANtTIGoNm0Kc2YHzsF
=Y2Jb
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Help with CsrfPreventionFilter

Reply via email to