Hi Chris, Thanks for your patience. So I've got CSRF to "work" at least to a certain degree that it actually displays the page in it's entirety. But I literally had to explicitly state each css, js, gif that was going to be referenced as part of that page. So here is what that portion of the web.xml would look like:
<!-- Csrf prevention filter --> <filter> <filter-name>CSRFPreventionFilter</filter-name> <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class> <init-param> <param-name>entryPoints</param-name> <param-value>/,/do/Start,/web/en_US/images/mail.gif,/web/en_US/images/logo.gif,/web/en_US/css/style.css,/web/en_US/css/general.css,/web/en_US/css/passwordrules.css,/web/en_US/css/commonpage.css,/web/en_US/css/datagrid.css,/web/en_US/css/home.css,/web/en_US/css/wmc.css,/web/en_US/javascript/common.js,/web/en_US/javascript/login.js,/web/en_US/javascript/branding.js,/web/en_US/javascript/wmc-validatormsg.js,/web/en_US/javascript/validatormsg.js,/web/en_US/javascript/webmail.js,/web/en_US/javascript/tw-sack.js,/web/en_US/javascript/folders.js,/web/en_US/javascript/datagrid.js,/web/en_US/javascript/commonpage.js,/web/en_US/javascript/behaviour.js,/web/en_US/javascript/validator.js</param-value> </init-param> </filter> <filter-mapping> <filter-name>CSRFPreventionFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> Is this really the way it has to be for "entryPoints" points to work? Could there be a way of wildcarding? I would also have to then do this for every supported language if there is no wildcarding. Worse still we have a mechanism for dynamically importing languages which means we would still have to add more to this dynamically as well. Or am I doing something really wrong meaning that I'm taking something that is likely simple to use and over-complicating it? Cheers, Matt -----Original Message----- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Friday, April 08, 2011 3:23 PM To: Tomcat Users List Subject: Re: Help with CsrfPreventionFilter -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mathew, On 4/8/2011 12:19 PM, Mathew Samuel wrote: > That was a good test suggestion, to compare the page source between > when CSRF is on and off. What surprised me is that the page source > between the two is identical. > > But still with the CSRF filter on I see this: > > And with that filter off I see this: (By now, you've seen that the list strips attachments. Feel free to use somehting like psatebin or your own website to host images and just post links). > Essentially it was showing a screenshot when the filter was on and > there were no images, no theme, nothing. And then the following one > with it off which had everything in place. But HTML source is > identical. Why not just copy/paste the actual page source into a message to the list? That would do just fine. You already said that the page was broken... there's no need for a screenshot to "show" that. Are you saying that the CsrfPreventionFilter isn't modifying your static content URLs /at all/? If that's the case, then you aren't running those URLs through HttpServletResponse.encodeURL before they go into the page. I'm very surprised that the HTML source is identical with the filter on versus off: the purpose of the filter is to /modify the page source/. > If I was fronting with Apache httpd would there be something > specifically that I would have to do? Possibly. I haven't looked at the filter's source code closely enough to determine this, but I know that ";jsessionid" often trips-up httpd when loading static data so this could be a similar situation. > I believe there might be some > setups where this may be the case. Although my current setup doesn't > have it. Well, then that's not the problem, then. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk2fYKIACgkQ9CaO5/Lv0PDnKACeOXqDZnukTVyuyjj4JTB5CDXM L50AoLpvEimIgvFKAnYaXnvivcTNdwIz =vWHP -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org