Hi,

I can see stuff such as:
ServletContext ->  org.apache.catalina.jsp_classpath
HttpServletRequest -> org.apache.catalina.ASYNC_SUPPORTED

But still no org.apache.catalina.filters.CSRF_NONCE.

The HttpSession object did not have it; actually, it did not seem to have any 
attributes.

Is there Tomcat logging I can set to see if this 
org.apache.catalina.filters.CSRF_NONCE is even being set? I set everything I 
could in tomcat/conf/logging.properties to log ALL but I still see no evidence 
that this org.apache.catalina.filters.CSRF_NONCE is being set.

Or is there a specific Facility I should be logging for to see that being set? 
Also I assume the CSRF filter must be on in web.xml which I have done 
(hopefully correctly).

I would just like to see this org.apache.catalina.filters.CSRF_NONCE being set 
somewhere in a log file, or anywhere, to give me a bit of optimism.

Cheers,
Matt
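
A debugging aid for the question above, added here as an example and not code from the thread or from Tomcat: a servlet Filter that, after the rest of the chain has run, logs the attribute names present on the request and on the session (if one exists) and whether the org.apache.catalina.filters.CSRF_NONCE key is among them. It assumes the javax.servlet API of Tomcat 6/7 and the java.util.logging logger that tomcat/conf/logging.properties configures; the class name CsrfNonceProbeFilter is invented. It deliberately logs only presence and type of the value, never the nonce itself, since the nonce is a per-session secret and a log file is not the place for it.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Debug-only probe (hypothetical name). Map it in web.xml BEFORE the
 * CsrfPreventionFilter mapping so that it wraps the CSRF filter; it then
 * inspects request and session once the inner filters and servlet are done.
 */
public class CsrfNonceProbeFilter implements Filter {

    // Key name exactly as used in the thread; copy it, do not retype it.
    static final String NONCE_KEY = "org.apache.catalina.filters.CSRF_NONCE";

    private static final Logger LOG =
            Logger.getLogger(CsrfNonceProbeFilter.class.getName());

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Let the CSRF filter and the target servlet run first.
        chain.doFilter(request, response);

        HttpServletRequest req = (HttpServletRequest) request;
        // false: never create a session merely because we looked for one.
        HttpSession session = req.getSession(false);

        // Some filters publish a per-request nonce on the request as well,
        // so report both scopes under the same key.
        LOG.info(describe("request", req.getAttributeNames(),
                          req.getAttribute(NONCE_KEY)));

        if (session == null) {
            LOG.info("no HttpSession is bound to this request");
        } else {
            LOG.info("session " + session.getId() + ": "
                    + describe("session", session.getAttributeNames(),
                               session.getAttribute(NONCE_KEY)));
        }
    }

    /**
     * Builds one log line: every attribute name in the scope, then whether
     * NONCE_KEY is set and, if so, the runtime type of its value. The value
     * itself is intentionally not included.
     */
    static String describe(String scope, Enumeration<?> names, Object nonceValue) {
        StringBuilder sb = new StringBuilder(scope).append(" attributes:");
        int count = 0;
        while (names.hasMoreElements()) {
            sb.append(' ').append(String.valueOf(names.nextElement()));
            count++;
        }
        if (count == 0) {
            sb.append(" (none)");
        }
        sb.append("; ").append(NONCE_KEY);
        if (nonceValue == null) {
            sb.append(" is NOT set");
        } else {
            sb.append(" is set (type ").append(nonceValue.getClass().getName()).append(')');
        }
        return sb.toString();
    }
}
```

Two things decide whether the probe sees anything: filter order in web.xml (the order of filter-mapping elements is the chain order, so the probe's mapping has to come before the CSRF filter's mapping for the CSRF filter to have run by the time the probe logs), and the URL pattern of the CSRF filter mapping, which the request being tested must actually match. If the session line still reports "(none)", the CSRF filter did not run for that request, which is a more useful signal than raising logging.properties to ALL.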
 

-----Original Message-----
From: Mathew Samuel [mailto:mathew.sam...@entrust.com] 
Sent: Thursday, April 14, 2011 9:58 AM
To: 'Tomcat Users List'
Subject: RE: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

Hi Chris,

So I do in fact have a reference to the HttpSession related to the 
currently-running request. However I do a "getAttributeNames()" to it but the 
Enumeration I get back is empty (i.e. non-null but empty so that a 
"hasMoreElements()" call to the HttpSession object says "false").

The "org.apache.catalina.filters.CSRF_NONCE" key should be an attribute correct?

Although it is quite likely that I'm doing something wrong, as I wouldn't expect 
the Enumeration returned by "getAttributeNames()" to be empty, a "getId()" call 
to the HttpSession object is at least returning something, so I know there is an 
actual HttpSession object present anyway.

So yeah, should "org.apache.catalina.filters.CSRF_NONCE" be listed as one of the 
attributes I would get back if a "getAttributeNames()" call had been made to 
the HttpSession object?

Cheers,
Matt



-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, April 13, 2011 4:24 PM
To: Tomcat Users List
Subject: Re: Trying to find session.org.apache.catalina.filters.CSRF_NONCE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,

On 4/13/2011 3:21 PM, Mathew Samuel wrote:
> There's a JSP example line given, with respect to using CSRF 
> (Cross-site Request Forgery), that showed how one could access the 
> CSRF nonce and include it with a URL:
> 
> <c:url var="url" value="/show">
>   <c:param name="id" value="0"/>
>   <c:param name="org.apache.catalina.filters.CSRF_NONCE"
>            value="${session.org.apache.catalina.filters.CSRF_NONCE}"/>
> </c:url>
> <a href="${url}">Show</a>
> 
> How may I access this session.org.apache.catalina.filters.CSRF_NONCE
> value from within a pure Java context? Would it be part of some sort 
> of Java Session object from which one of the attributes would be 
> org.apache.catalina.filters.CSRF_NONCE?

The session here is the HttpSession related to the currently-running request. 
So, if you don't have a reference to the HttpSession object, you are probably 
out of luck.

Once you have the session, the value bound to the key 
"org.apache.catalina.filters.CSRF_NONCE" will be ... whatever that is supposed 
to be :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2mBlgACgkQ9CaO5/Lv0PC2EACgv/RVMluFGtvkmWeSDBlgrkz8
18IAn1yJ+x8BtFHMJTIc7WIgRO59e1Y7
=U93T
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

