Hi Chris,

You are correct, cookies need to be enabled for the webapp to work.

And yeah the XSLT processor is web-aware so that there is access to the servlet 
objects. I guess the link that I am missing then, with something that I'm doing 
or not doing, is that I'm not seeing access to 
"org.apache.catalina.filters.CSRF_NONCE". I'm guessing that I should see this 
as an attribute of the session.

Cheers,
Matt


-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, April 13, 2011 4:15 PM
To: Tomcat Users List
Subject: Re: Help with CsrfPreventionFilter

Mathew,

On 4/12/2011 3:51 PM, Mathew Samuel wrote:
> We don't make use of JSTL so I can't access it that way.
> 
> We do use XSL that is run through a transform. And of course relevant 
> values are retrieved from the back end too.

Depending on how you generate your URLs, you might already be using 
HttpServletResponse.encodeURL without realizing it.

If your clients don't have cookies enabled, does your webapp still work?
If so, you are likely to be using encodeURL in this way.

> So, in the back-end, would I have to essentially subclass 
> org.apache.catalina.filters.CsrfPreventionFilter (since that would be 
> the only way I could invoke the protected method generateNonce) in 
> order to create the nonce?

Or you could just use encodeURL instead of duplicating its code.

> Or am I over-complicating matters as there exists a simpler way 
> keeping in mind we don't use JSTL?

JSTL is a red herring, so put it out of your mind. It's just an example of one 
technology that uses encodeURL properly -- as should any servlet-related code.

Is your XSLT processor web-aware in any way? For instance, we use Apache Cocoon 
and have complete access (when necessary) to the servlet objects.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
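As an added illustration of Chris's suggestion (not code from this thread or from Tomcat itself): a hypothetical servlet that renders its page with XSLT and routes every link target through HttpServletResponse.encodeURL before handing it to the stylesheet as a parameter, so the nonce is appended by the filter's response wrapper without the servlet touching the filter's session attribute. The servlet class, the stylesheet path and the parameter names are assumptions; it presumes CsrfPreventionFilter is mapped in web.xml to this servlet's URL pattern.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/** Hypothetical servlet: XSLT rendering with filter-encoded link URLs. */
public class XsltPageServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");

        // Build link targets through encodeURL(). When CsrfPreventionFilter is
        // in front of this servlet, the returned strings already carry the
        // nonce parameter (and the session id if cookies are off); without
        // the filter they come back unchanged, so nothing here depends on the
        // filter's internals or on the session attribute it uses.
        String saveUrl = resp.encodeURL(req.getContextPath() + "/save");
        String deleteUrl = resp.encodeURL(req.getContextPath() + "/delete");

        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            // Disable external entity and extension resolution in the XSLT engine.
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Stylesheet location is an assumption for this example.
            StreamSource xslt = new StreamSource(
                    getServletContext().getResourceAsStream("/WEB-INF/page.xsl"));
            Transformer t = tf.newTransformer(xslt);
            // page.xsl declares <xsl:param name="saveUrl"/> etc. and emits
            // <a href="{$saveUrl}">; the nonce therefore survives into the HTML.
            t.setParameter("saveUrl", saveUrl);
            t.setParameter("deleteUrl", deleteUrl);

            // Constructed sample input; in practice this comes from the back end.
            StreamSource doc = new StreamSource(
                    new StringReader("<page><title>Edit item</title></page>"));
            t.transform(doc, new StreamResult(resp.getWriter()));
        } catch (TransformerException e) {
            throw new ServletException("XSLT transform failed", e);
        }
    }
}
```

If the rendered links come out without the nonce parameter, the first thing to check is the filter mapping: encodeURL only rewrites URLs on a response the filter has wrapped.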

