5

This is my filter config in web.xml

<filter>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/login</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Am I missing something? Are any code changes necessary to enable CSRF protection in Tomcat?

VMAtm
sps

1 Answer

6

Note that a 403 is the CSRFPreventionFilter response if a nonce is not provided and the filter expects one.

I don't know the current state of CSRFPreventionFilter, but according to this thread you need to specify each entryPoint resource individually (no wildcards), or have the filter apply to a path that does not include /login.

So:

<filter>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/login/login.html,/login/image.png,/login/style.css</param-value>
    </init-param>
</filter>

Or:

<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/csrf/*</url-pattern>
</filter-mapping>

Update Dec 2012:

Tomcat 7.0.32 fixes a security vulnerability in CSRFPreventionFilter.

James Donnelly
pd40
  • Thanks for the explanation. So my question now is: do I need to change anything in my JSPs to send the nonce, or will Tomcat take care of that? Because as I understand it, the getRedirectUrl method is overwritten by this filter, so any links in my code will get handled automatically. But what about the forms in my pages? – sps Nov 02 '12 at 04:57
  • I haven't actually tried it, but I would expect the form action would need encodeUrl(). – pd40 Nov 02 '12 at 10:04
  • Thanks. I guess I will have to also send a hidden parameter in the case of form posts. – sps Nov 07 '12 at 06:10
  • Have there been any updates to this filter? I am currently running into the same issue but have over 300 JSPs, each with multiple links. I would love it if someone has come up with something to avoid having to wrap each link with 'urlEncode'. – Dan Nov 06 '14 at 23:28
  • @James Donnelly, param-value is only for skipping resources for the entry point. I'm facing the same issue too. Do you have any solution for that? I tried it the same way but always get the access denied 403 page. Ref: https://help.hana.ondemand.com/help/e5be9994bb571014b575a785961062db.html – Piyush Gupta Sep 20 '17 at 10:44
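The point raised in the comments above (what an application has to change so that links, redirects and forms carry the nonce) as an added example; this is not code from the original question, the answer, or Tomcat itself. It assumes the filter-mapping from the question (`/*`) is in force so the servlet below runs behind CsrfPreventionFilter, that the servlet is mapped to `/app/*`, and that `/app/home` and `/app/save` are illustrative paths. It uses the `javax.servlet` package names of Tomcat 7 to 9; on Tomcat 10 and later the same classes live under `jakarta.servlet`.

```java
// Added example (not from the original question or answer, not Tomcat code).
// Assumes CsrfPreventionFilter is mapped to /* and this servlet to /app/*.
// The paths /app/home and /app/save are illustrative.
package example;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/app/*")
public class NonceAwareServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 'resp' is the response wrapper installed by CsrfPreventionFilter,
        // so encodeURL()/encodeRedirectURL() append the nonce as the query
        // parameter org.apache.catalina.filters.CSRF_NONCE. Building every
        // URL through them is the only application-side change required.
        String home = resp.encodeURL(req.getContextPath() + "/app/home");
        String save = resp.encodeURL(req.getContextPath() + "/app/save");

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");

        // 1. A plain link: the nonce travels in the query string.
        out.println("<a href=\"" + attr(home) + "\">Home</a>");

        // 2. A POST form: put the encoded URL in the action attribute.
        //    The filter reads the nonce with request.getParameter(), which
        //    covers query-string parameters on POST as well, so no separate
        //    hidden field is needed.
        out.println("<form method=\"post\" action=\"" + attr(save) + "\">");
        out.println("  <input type=\"text\" name=\"title\">");
        out.println("  <button type=\"submit\">Save</button>");
        out.println("</form>");

        out.println("</body></html>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // ... process the submitted form ...

        // 3. A redirect after POST: use encodeRedirectURL() so the follow-up
        //    GET carries a valid nonce instead of being answered with 403.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/app/home"));
    }

    // Escape a URL for use inside an HTML attribute value.
    private static String attr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }
}
```

Two caveats worth knowing when wiring this up. The filter skips the nonce check for an entry point only on GET requests, and it compares the entry point against the servlet path plus path info (the path inside the context, without the context path), which is why a POST to a listed login URL, or a listed path that includes the context name, still yields a 403. The filter also keeps only a small cache of valid nonces per session (`nonceCacheSize`, default 5), so a user who opens many pages in separate tabs can find the oldest ones rejected. For the JSP volume mentioned in the comments, the JSTL `<c:url>` tag runs its result through `response.encodeURL()`, so pages that already build links with it pick up the nonce without wrapping each href by hand.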