Thanks Martin, how can I tell for example if the IPageClassRequestHandler or ListenerInterfaceRequestHandler is for a form?
On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov <mgrigo...@apache.org> wrote: > Hi, > > I don't use any of these so I have no much experience in production with > them! > > On Wed, Sep 6, 2017 at 12:07 PM, Wayne W <waynemailingli...@gmail.com> > wrote: > > > Hi, > > > > I've been trying to use CsrfPreventionRequestCycleListener in > production. > > However we are seeing in the logs that about 30 times a day we get the > > request aborted because the clients browsers are not sending the referrer > > header sometimes. Doing some research it seems we cannot rely on the > > clients browser to send the referrer and it could be somewhat buggy in > > older browsers. > > > > Does anyone else experience this trouble? > > > > Are there any alternatives? > > > > I did try: > > > > getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory > > ()); > > > > setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), > > this)); > > > > However this encrypts everything (resources, urls, etc). Is there a way > of > > just encrypting say forms and links or something? > > > > You can override CryptoMapper#mapHandler() and call super.mapHandler() only > when the IRequestHandler is not an instance of IPageClassRequestHandler or > only when it is ListenerInterfaceRequestHandler. > > > > > > Anyone got a solution that works for them in production? > > > > many thanks > > >