2011/8/8 Nadav Katz <nadav.k...@oracle.com>:
>
> I have a filter in place for validating CSRF tokens. I only wish to validate 
> requests coming from the client, so no validation for dynamic includes or 
> forwards. My web.xml for the filter looks like this:
>
> <filter-mapping>
>         <filter-name>CSRFFilter</filter-name>
>         <url-pattern>*.jsp</url-pattern>
>         <servlet-name>SomeServlet</servlet-name>
> </filter-mapping>
>
>(...)
>
> <jsp:include page="/SomeServlet" flush="true" >
>         <jsp:param name="action" value="9" />
>     </jsp:include>
>

What if you remove the "<url-pattern>*.jsp</url-pattern>" line from the
above filter-mapping?

BTW, to strictly follow the specs, one has to run Tomcat with
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
-- see the System Properties page in the Configuration Reference. You can add
the above line to catalina.properties. It should not change anything
for this use case though.

Best regards,
Konstantin Kolinko
