https://bz.apache.org/bugzilla/show_bug.cgi?id=65853
--- Comment #10 from Marvin Fröhlich <apa...@froehlich-mail.net> ---
You're right. It's easy to miss a detail in the wood of these extension suggestions.

And in our current implementation we even use a base method like this

####################
protected boolean getSkipNonceGeneration(
        @SuppressWarnings("unused") HttpServletRequest request) {
    return false;
}
####################

to decide whether to create and handle a nonce depending on the request. Our overriding implementation checks if the current request goes to a page that we consider an entry point, which must not be part of the nonce chain, well, at least nothing other than the (new) start.

In the doFilter() method this would look as follows.

#########################
if (!getSkipNonceGeneration(req)) {
    String newNonce = generateNonce();
    nonceCache.add(newNonce);

    // Take this request's nonce and put it into the request
    // attributes so pages can make direct use of it, rather than
    // requiring the use of response.encodeURL.
    request.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, newNonce);
    //System.out.println( "new nonce: " + newNonce );

    wResponse = new CsrfResponseWrapper(res, nonceRequestParameterName, newNonce);
} else {
    // Entry point: pass the response through unwrapped, so no nonce is
    // appended to the links it renders
    wResponse = response;
}
#########################
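One way the hook sketched in the comment above could be overridden, as an added example that is neither Tomcat's code nor the commenter's own implementation. It assumes a Tomcat build in which CsrfPreventionFilter exposes getSkipNonceGeneration(HttpServletRequest) exactly as proposed; the init-param name "chainStartPaths", its setter, and the prefix/exact matching rule are this example's own choices (the setter follows the init-param-to-setter convention Tomcat's FilterBase applies to filter init-params).

```java
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.filters.CsrfPreventionFilter;

/*
 * Added example, not part of Tomcat or of the bug report's code.
 * Skips nonce generation for configured "chain start" pages, so links
 * rendered by those pages do not carry a nonce and the chain begins fresh.
 * Assumes the hypothetical getSkipNonceGeneration() hook exists on the base class.
 */
public class ChainStartAwareCsrfFilter extends CsrfPreventionFilter {

    // Context-relative paths that start a new nonce chain.
    // An entry ending in "/" matches as a prefix, anything else must match exactly.
    private final Set<String> chainStartPaths = new LinkedHashSet<>();

    // Populated from the hypothetical init-param "chainStartPaths",
    // a comma-separated list such as "/index.jsp,/login,/public/"
    public void setChainStartPaths(String value) {
        chainStartPaths.clear();
        if (value == null) {
            return;
        }
        for (String entry : value.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                chainStartPaths.add(trimmed);
            }
        }
    }

    // Hook from the proposal: true means "render this page without a nonce wrapper".
    // It does not affect the nonce check on the incoming request, only the outgoing page.
    @Override
    protected boolean getSkipNonceGeneration(HttpServletRequest request) {
        return isChainStart(contextRelativePath(request));
    }

    // Path inside the web application (servlet path plus path info), query string excluded,
    // so the decision cannot be influenced by attacker-controlled query parameters
    static String contextRelativePath(HttpServletRequest request) {
        String path = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return pathInfo == null ? path : path + pathInfo;
    }

    boolean isChainStart(String path) {
        for (String start : chainStartPaths) {
            boolean matches = start.endsWith("/") ? path.startsWith(start) : path.equals(start);
            if (matches) {
                return true;
            }
        }
        return false;
    }
}
```

Registered in web.xml in place of the stock filter, with an init-param named chainStartPaths, pages listed there are served with the plain response (the else branch of the doFilter() snippet above), so they do not extend an existing nonce chain; every other page still gets a fresh nonce and the CsrfResponseWrapper. Because the decision is made on the servlet path rather than the full request URI, a query string cannot be used to talk the filter into skipping the wrapper.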