Thank you for your answer, it hadn't occurred to me to try removing the jsp mapping.

Unfortunately it doesn't work... I removed it, and behavior stays the same. I tried setting the STRICT_SERVLET_COMPLIANCE=true (hoping the strict request wrapping rules would help), but no go.

This problem is a real headache for me, since with no solution I will need to redesign everything or break all our dynamic includes which I definitely can't do.

Thanks anyway!
Nadav

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Monday, August 08, 2011 8:59 AM
To: Tomcat Users List
Subject: Re: Tomcat not conforming to Servlet spec 2.4+ in regards to jsp:include

2011/8/8 Nadav Katz <nadav.k...@oracle.com>:
>
> I have a filter in place for validating CSRF tokens. I only wish to validate
> requests coming from the client, so no validation for dynamic includes or
> forwards. My web.xml for the filter looks like this:
>
> <filter-mapping>
> <filter-name>CSRFFilter</filter-name>
> <url-pattern>*.jsp</url-pattern>
> <servlet-name>SomeServlet</servlet-name>
> </filter-mapping>
>
> (...)
>
> <jsp:include page="/SomeServlet" flush="true" >
> <jsp:param name="action" value="9" />
> </jsp:include>
>

What if you remove "<url-pattern>*.jsp</url-pattern>" line from the above filter-mapping?

BTW, to strictly follow the specs, one has to run Tomcat with org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true -- see System Properties page in Configuration Reference. You can add the above line to catalina.properties. It should not change anything for this use case though.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
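
Added example, not part of the thread and not Tomcat's or the poster's code: one way for a filter like the CSRFFilter described above to skip dispatched includes and forwards itself, whatever the filter-mapping does. It checks the request attributes the Servlet 2.4+ spec defines for includes and forwards; the token name "csrfToken", the 403 response, and the javax.servlet API being on the classpath are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: CSRF filter that validates only client-originated requests.
public class CSRFFilter implements Filter {
    // Request attributes the container sets while dispatching (Servlet 2.4+).
    private static final String INCLUDE_URI = "javax.servlet.include.request_uri";
    private static final String FORWARD_URI = "javax.servlet.forward.request_uri";
    // Assumed name for both the session attribute and the request parameter.
    private static final String TOKEN = "csrfToken";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Attributes live server-side only; a client cannot set them to skip the check.
        boolean dispatched = req.getAttribute(INCLUDE_URI) != null
                || req.getAttribute(FORWARD_URI) != null;
        if (!dispatched && !tokenMatches(http)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    private static boolean tokenMatches(HttpServletRequest http) {
        HttpSession session = http.getSession(false);
        Object expected = session == null ? null : session.getAttribute(TOKEN);
        String supplied = http.getParameter(TOKEN);
        if (!(expected instanceof String) || supplied == null) return false;
        // Constant-time comparison of the stored and supplied token bytes.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

Dispatchers obtained with getNamedDispatcher() do not set these attributes, so an include made that way would still be validated by this filter.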