Hi Konstantin,

I will try to avoid mapping the filter to those paths as you have suggested as 
yes that is another approach I can try.

You had mentioned that the filter works by providing its own implementation of 
encodeURL(). Is this a function I have to explicitly call or is it something 
that is already called as a result of using the CsrfPreventionFilter?

Cheers,
Matt
 

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: Friday, April 08, 2011 4:53 PM
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter

2011/4/8 Mathew Samuel <mathew.sam...@entrust.com>:
> Hi Chris,
>
> Thanks for your patience. So I've got CSRF to "work" at least to a certain 
> degree that it actually displays the page in its entirety. But I literally 
> had to explicitly state each css, js, gif that was going to be referenced as 
> part of that page. So here is what that portion of the web.xml would look 
> like:

The filter works by providing its own implementation of encodeURL() calls that 
add a nonce to the URL.
You wouldn't want to call encodeURL() for images, CSS, etc., because it will 
result in them having a lot of different URLs (because of the session
ID) and thus unnecessary extra copies of those files in caches.

> Is this really the way it has to be for "entryPoints" points to work? Could 
> there be a way of wildcarding?

I thought it was there, but actually, as of now, there is no support for 
wildcards. It might be worth adding as an enhancement. Some other filters/valves in 
TC7 do accept a single regexp and perform matching against it.

Maybe you can avoid mapping the filter to those paths?

Best regards,
Konstantin Kolinko
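As an added illustration of the mechanism Konstantin describes above (this is example code, not code from the thread or from Tomcat itself): the filter wraps the HttpServletResponse so that response.encodeURL() and encodeRedirectURL() append the nonce, but the application still has to route its links through those calls (JSTL's <c:url> does this for you). The servlet below, with an assumed web.xml mapping in its header comment, sends links to protected pages through encodeURL() while static resources keep plain, cacheable URLs. The AccountServlet class, the /app and /static paths and the entry points are assumptions chosen for the example.

```java
// Added example (not from the thread or from Tomcat): a servlet whose links to
// protected pages go through response.encodeURL() so that Tomcat's
// CsrfPreventionFilter can append its nonce, while static files do not.
//
// Assumed web.xml fragment: the filter is mapped to the app's dynamic pages
// only, so images and CSS under /static/* keep stable URLs and stay cacheable.
//
//   <filter>
//     <filter-name>CsrfFilter</filter-name>
//     <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
//     <init-param>
//       <param-name>entryPoints</param-name>
//       <param-value>/app/index,/app/login</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>CsrfFilter</filter-name>
//     <url-pattern>/app/*</url-pattern>
//   </filter-mapping>

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String ctx = req.getContextPath();

        // 'resp' is the filter's wrapper: encodeURL() appends the CSRF nonce
        // (and the session id when cookie-less URL rewriting is in use).
        // A link to a protected page that skips this call arrives without a
        // nonce and is rejected with the filter's denyStatus (403 by default).
        String deleteUrl = resp.encodeURL(ctx + "/app/delete");
        out.println("<a href=\"" + attr(deleteUrl) + "\">Delete account</a>");

        // Static resources are deliberately NOT encoded: a nonce in their URL
        // would make every request a distinct URL and defeat caching.
        out.println("<img src=\"" + attr(ctx + "/static/logo.gif") + "\" alt=\"\">");

        // Redirects to protected pages use the matching method:
        // resp.sendRedirect(resp.encodeRedirectURL(ctx + "/app/home"));
    }

    // Minimal escaping for use inside an HTML attribute; the '&' that separates
    // the nonce parameter from other query parameters must become '&amp;'.
    private static String attr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;");
    }
}
```

Mapping the filter to /app/* rather than /* is the "avoid mapping the filter to those paths" approach from the reply: resources outside the mapping never need an entry-point entry, and the entryPoints list is reserved for the handful of pages a user may reach without a nonce, such as the login page.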

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
