Hi Chris,
Thanks for your patience. So I've got CSRF to "work" at least to a certain
degree that it actually displays the page in it's entirety. But I literally had
to explicitly state each css, js, gif that was going to be referenced as part
of that page. So here is what that portion of the web.xml would look like:
<!-- Csrf prevention filter -->
<filter>
<filter-name>CSRFPreventionFilter</filter-name>
<filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
<init-param>
<param-name>entryPoints</param-name>
<param-value>/,/do/Start,/web/en_US/images/mail.gif,/web/en_US/images/logo.gif,/web/en_US/css/style.css,/web/en_US/css/general.css,/web/en_US/css/passwordrules.css,/web/en_US/css/commonpage.css,/web/en_US/css/datagrid.css,/web/en_US/css/home.css,/web/en_US/css/wmc.css,/web/en_US/javascript/common.js,/web/en_US/javascript/login.js,/web/en_US/javascript/branding.js,/web/en_US/javascript/wmc-validatormsg.js,/web/en_US/javascript/validatormsg.js,/web/en_US/javascript/webmail.js,/web/en_US/javascript/tw-sack.js,/web/en_US/javascript/folders.js,/web/en_US/javascript/datagrid.js,/web/en_US/javascript/commonpage.js,/web/en_US/javascript/behaviour.js,/web/en_US/javascript/validator.js</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CSRFPreventionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Is this really the way it has to be for "entryPoints" points to work? Could
there be a way of wildcarding? I would also have to then do this for every
supported language if there is no wildcarding. Worse still we have a mechanism
for dynamically importing languages which means we would still have to add more
to this dynamically as well.
Or am I doing something really wrong meaning that I'm taking something that is
likely simple to use and over-complicating it?
Cheers,
Matt
-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, April 08, 2011 3:23 PM
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mathew,
On 4/8/2011 12:19 PM, Mathew Samuel wrote:
> That was a good test suggestion, to compare the page source between
> when CSRF is on and off. What surprised me is that the page source
> between the two is identical.
>
> But still with the CSRF filter on I see this:
>
> And with that filter off I see this:
(By now, you've seen that the list strips attachments. Feel free to use
somehting like psatebin or your own website to host images and just post links).
> Essentially it was showing a screenshot when the filter was on and
> there were no images, no theme, nothing. And then the following one
> with it off which had everything in place. But HTML source is
> identical.
Why not just copy/paste the actual page source into a message to the list? That
would do just fine. You already said that the page was broken... there's no
need for a screenshot to "show" that.
Are you saying that the CsrfPreventionFilter isn't modifying your static
content URLs /at all/? If that's the case, then you aren't running those URLs
through HttpServletResponse.encodeURL before they go into the page.
I'm very surprised that the HTML source is identical with the filter on versus
off: the purpose of the filter is to /modify the page source/.
> If I was fronting with Apache httpd would there be something
> specifically that I would have to do?
Possibly. I haven't looked at the filter's source code closely enough to
determine this, but I know that ";jsessionid" often trips-up httpd when loading
static data so this could be a similar situation.
> I believe there might be some
> setups where this may be the case. Although my current setup doesn't
> have it.
Well, then that's not the problem, then.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk2fYKIACgkQ9CaO5/Lv0PDnKACeOXqDZnukTVyuyjj4JTB5CDXM
L50AoLpvEimIgvFKAnYaXnvivcTNdwIz
=vWHP
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
