[Bug 65853] [CsrfPreventionFilter] Extract evaluation of skipNonceCheck into overridable method
https://bz.apache.org/bugzilla/show_bug.cgi?id=65853

--- Comment #1 from Marvin Fröhlich ---

Sorry, my suggested implementation was a little rushed. Here is a corrected version.

    protected boolean getSkipNonceCheck(HttpServletRequest request) {
        if (!Constants.METHOD_GET.equals(request.getMethod())) {
            return false;
        }
        String reqPath = getRequestedPath(request);
        if (!entryPoints.contains(reqPath)) {
            return false;
        }
        if (log.isTraceEnabled()) {
            log.trace("Skipping CSRF nonce-check for GET request to entry point " + reqPath);
        }
        return true;
    }

doFilter()

    boolean skipNonceCheck = getSkipNonceCheck(req);

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
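The point of making the skip decision overridable is that a subclass can widen or narrow it, and the security of the filter then rests on what the override keeps. The following standalone model is an added example, not Tomcat's code and not part of the bug report: `Request`, `NonceFilter` and `MethodBlindFilter` are hypothetical stand-ins for `HttpServletRequest`, `CsrfPreventionFilter` and a deployment's subclass, written so the file compiles with plain `javac` (Java 11 or later) and no servlet API on the classpath. The nonce cache is a single simulated session; in Tomcat it lives in the session.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;

/*
 * Added example, not Tomcat's code. Models the decision the proposed
 * getSkipNonceCheck() hook makes and what a careless override costs.
 */
public class CsrfSkipDemo {

    /** Constructed stand-in for HttpServletRequest (hypothetical). */
    static final class Request {
        final String method;
        final String servletPath;
        final String pathInfo;
        final String nonce;

        Request(String method, String servletPath, String pathInfo, String nonce) {
            this.method = method;
            this.servletPath = servletPath;
            this.pathInfo = pathInfo;
            this.nonce = nonce;
        }

        /** Context-relative path (servletPath plus pathInfo), the shape entry points are configured in. */
        String requestedPath() {
            return pathInfo == null ? servletPath : servletPath + pathInfo;
        }
    }

    /** Stand-in for CsrfPreventionFilter with the proposed overridable hook. */
    static class NonceFilter {
        protected final Set<String> entryPoints;
        /** Nonces issued to the (single, simulated) session, oldest first. */
        protected final Deque<String> nonceCache = new ArrayDeque<>();
        private final int cacheSize;

        NonceFilter(Set<String> entryPoints, int cacheSize) {
            this.entryPoints = entryPoints;
            this.cacheSize = cacheSize;
        }

        /** Only a GET to a configured entry point may proceed without a nonce. */
        protected boolean getSkipNonceCheck(Request request) {
            if (!"GET".equals(request.method)) {
                return false;
            }
            return entryPoints.contains(request.requestedPath());
        }

        /** The decision doFilter() makes: pass the chain, or reject (403 in the real filter). */
        boolean allow(Request request) {
            if (getSkipNonceCheck(request)) {
                return true;
            }
            return request.nonce != null && nonceCache.contains(request.nonce);
        }

        /** Remember a nonce written into a rendered page; evict the oldest when the cache is full. */
        void issueNonce(String nonce) {
            if (nonceCache.size() >= cacheSize) {
                nonceCache.removeFirst();
            }
            nonceCache.addLast(nonce);
        }
    }

    /** Hypothetical bad override: drops the method check, so a cross-site POST to an entry point passes. */
    static class MethodBlindFilter extends NonceFilter {
        MethodBlindFilter(Set<String> entryPoints, int cacheSize) {
            super(entryPoints, cacheSize);
        }

        @Override
        protected boolean getSkipNonceCheck(Request request) {
            return entryPoints.contains(request.requestedPath());
        }
    }

    public static void main(String[] args) {
        Set<String> entryPoints = Set.of("/index.jsp", "/login");
        NonceFilter base = new NonceFilter(entryPoints, 5);
        NonceFilter blind = new MethodBlindFilter(entryPoints, 5);
        base.issueNonce("n1");
        blind.issueNonce("n1");

        // Constructed requests: first visit, a POST carrying its nonce, and a forged cross-site POST.
        Request landing = new Request("GET", "/index.jsp", null, null);
        Request legit = new Request("POST", "/login", null, "n1");
        Request forged = new Request("POST", "/login", null, null);

        System.out.println("GET entry point without nonce, base filter:  " + base.allow(landing));
        System.out.println("POST with issued nonce, base filter:         " + base.allow(legit));
        System.out.println("forged POST to entry point, base filter:     " + base.allow(forged));
        System.out.println("forged POST to entry point, blind override:  " + blind.allow(forged));
    }
}
```

Run with `javac CsrfSkipDemo.java && java CsrfSkipDemo`. The base filter lets the nonce-less GET and the nonce-carrying POST through and rejects the forged POST; the override that matches only on path lets the forged POST through as well, which is exactly the CSRF the filter exists to stop. Any override should therefore keep the method restriction and compare the context-relative path exactly, as the posted implementation does.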
[GitHub] [tomcat] ppkarwasz opened a new pull request #469: Adds "jakarta.annotation" to filter
ppkarwasz opened a new pull request #469:

URL: https://github.com/apache/tomcat/pull/469

Some users mistakenly add `jakarta.annotation-api` to their applications, which prevents Tomcat from finding `@Resource` and similar annotations on the servlets. See [this Stack Overflow question](https://stackoverflow.com/q/69249988/11748454) for example.

To prevent this "jakarta.annotation" should also be always loaded from the common classloader.

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [tomcat] ppkarwasz opened a new pull request #470: Adds "javax.annotation" to filter
ppkarwasz opened a new pull request #470:

URL: https://github.com/apache/tomcat/pull/470

This is the `javax` version of #469. Some users mistakenly add `javax.annotation-api` to their applications, which prevents Tomcat from finding `@Resource` and similar annotations on Java 9+.

To prevent this "javax.annotation" should also be always loaded from the _common_ classloader. On Java 8 and earlier classes from `javax.annotation` were served from the _system_ classloader, so the change should be a no-op.
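Both #469 and #470 describe the same deployment mistake: a WAR that bundles its own copy of an API package the container must own, so the webapp class loader hands out a `jakarta.annotation.Resource` (or `javax.annotation.Resource`) that is not the class Tomcat's annotation scanning compares against. The scanner below is an added example, not part of either PR and not Tomcat's code: it opens a WAR, reads every jar under `WEB-INF/lib`, and reports class entries in the listed packages. The package list and the throwaway WAR built by `buildDemoWar()` (including the jar file name in it) are constructed for the example; it needs Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/*
 * Added example, not Tomcat's code: find jars in WEB-INF/lib that ship classes
 * from packages the container serves itself. The package list is an assumption.
 */
public class ContainerApiScan {

    /** Package prefixes, in zip-entry form, that belong to the container rather than the webapp. */
    static final String[] CONTAINER_PACKAGES = {
        "javax/annotation/", "jakarta/annotation/",
        "javax/servlet/", "jakarta/servlet/",
    };

    /** Returns "jar: class" for every container-owned class found inside a WEB-INF/lib jar. */
    static List<String> scan(Path war) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipInputStream warIn = new ZipInputStream(Files.newInputStream(war))) {
            ZipEntry entry;
            while ((entry = warIn.getNextEntry()) != null) {
                String name = entry.getName();
                if (!name.startsWith("WEB-INF/lib/") || !name.endsWith(".jar")) {
                    continue;
                }
                // readAllBytes() on a ZipInputStream stops at the end of the current entry.
                byte[] jarBytes = warIn.readAllBytes();
                try (ZipInputStream jarIn = new ZipInputStream(new ByteArrayInputStream(jarBytes))) {
                    ZipEntry cls;
                    while ((cls = jarIn.getNextEntry()) != null) {
                        if (cls.getName().endsWith(".class") && isContainerOwned(cls.getName())) {
                            hits.add(name + ": " + cls.getName());
                        }
                    }
                }
            }
        }
        return hits;
    }

    static boolean isContainerOwned(String entryName) {
        for (String prefix : CONTAINER_PACKAGES) {
            if (entryName.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Build a jar in memory whose entries carry only a class-file magic number (constructed input). */
    static byte[] jarWith(String... entries) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(buf)) {
            for (String e : entries) {
                zip.putNextEntry(new ZipEntry(e));
                zip.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
                zip.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    /** Throwaway WAR: one harmless jar and one that bundles jakarta.annotation (constructed input). */
    static Path buildDemoWar() throws IOException {
        Path war = Files.createTempFile("demo", ".war");
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(war))) {
            out.putNextEntry(new ZipEntry("WEB-INF/lib/app-util.jar"));
            out.write(jarWith("com/example/Util.class"));
            out.closeEntry();
            out.putNextEntry(new ZipEntry("WEB-INF/lib/jakarta.annotation-api.jar"));
            out.write(jarWith("jakarta/annotation/Resource.class", "jakarta/annotation/PostConstruct.class"));
            out.closeEntry();
        }
        return war;
    }

    public static void main(String[] args) throws IOException {
        Path war = args.length > 0 ? Path.of(args[0]) : buildDemoWar();
        List<String> hits = scan(war);
        if (hits.isEmpty()) {
            System.out.println("no container-owned classes under WEB-INF/lib");
        }
        for (String hit : hits) {
            System.out.println("shadows container API: " + hit);
        }
    }
}
```

Run it without arguments to scan the constructed WAR, or with the path to a real one (`java ContainerApiScan target/app.war`). A hit means the dependency should be removed from the WAR, or in Maven given `provided` scope so it is compiled against but not packaged; the class loader filter in these PRs makes Tomcat ignore such a copy, but it still has no business in the deployment.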