Mathew,

On 4/13/2011 3:21 PM, Mathew Samuel wrote:
> There's a JSP example line given, with respect to using CSRF
> (Cross-site Request Forgery), that showed how one could access the
> CSRF nonce and include it with a URL:
> 
> <c:url var="url" value="/show">
>   <c:param name="id" value="0" />
>   <c:param name="org.apache.catalina.filters.CSRF_NONCE"
>            value="${session.org.apache.catalina.filters.CSRF_NONCE}" />
> </c:url>
> <a href="${show}">Show</a>
> 
> How may I access this session.org.apache.catalina.filters.CSRF_NONCE
> value from within a pure Java context? Would it be part of some sort
> of Java Session object from which one of the attributes would be
> org.apache.catalina.filters.CSRF_NONCE?

The session here is the HttpSession related to the currently-running
request. So, if you don't have a reference to the HttpSession object,
you are probably out of luck.

Once you have the session, the value bound to the key
"org.apache.catalina.filters.CSRF_NONCE" will be ... whatever that is
supposed to be :)

-chris
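
An added example, not part of the thread and not Tomcat's own code: a servlet that reaches the session attribute discussed above from plain Java, and also builds the link through HttpServletResponse.encodeURL(), which is how Tomcat's CSRF prevention filter expects URLs to be produced. It assumes the filter is mapped to /* in web.xml; the class name ShowLinkServlet and the /show?id=0 target are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet; assumes the CSRF prevention filter is mapped to /*.
public class ShowLinkServlet extends HttpServlet {

    // Session key quoted in the thread.
    private static final String NONCE_KEY = "org.apache.catalina.filters.CSRF_NONCE";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false): never create a session just to look for the nonce.
        HttpSession session = request.getSession(false);

        // Assumption: treat the bound value as opaque. Its concrete type is a
        // container implementation detail, so do not cast it to String.
        Object nonceState = (session == null) ? null : session.getAttribute(NONCE_KEY);
        log("CSRF nonce state bound to session: " + (nonceState != null));

        // Let the filter's response wrapper append the nonce parameter instead
        // of copying it into the URL by hand.
        String link = response.encodeURL(request.getContextPath() + "/show?id=0");

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<a href=\"" + escapeHtml(link) + "\">Show</a>");
    }

    // Minimal HTML attribute escaping for the generated link.
    private static String escapeHtml(String s) {
        return s.replace("&", "&amp;")
                .replace("\"", "&quot;")
                .replace("<", "&lt;")
                .replace(">", "&gt;");
    }
}
```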
