(tomcat) branch main updated: Add warnings and details about webapp classes
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/main by this push:
new 681eb77dd3 Add warnings and details about webapp classes

681eb77dd3 is described below

commit 681eb77dd39dd4df0d48c53ebd352d04f6ce1d59
Author: remm
AuthorDate: Thu Dec 21 11:45:10 2023 +0100

Add warnings and details about webapp classes

They need to be packaged as well, and they also might be needed during compilation.
---
modules/stuffed/webapp-jspc.ant.xml | 20 +---
webapps/docs/graal.xml | 12
2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/modules/stuffed/webapp-jspc.ant.xml b/modules/stuffed/webapp-jspc.ant.xml index 07a51841be..cffafcf7d8 100644 --- a/modules/stuffed/webapp-jspc.ant.xml +++ b/modules/stuffed/webapp-jspc.ant.xml @@ -15,7 +15,7 @@ See the License for the specific language governing permissions and limitations under the License. --> - + @@ -31,13 +31,27 @@ + - + + + + + + + + + +JARs from /WEB-INF/lib need to be made available to Maven as dependencies. +Classes from /WEB-INF/classes will be packaged to the shaded JAR, but they will not be available during compilation. If needed during that step, they need to be packaged as JARs and made available to Maven as dependencies. + + - + + diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index 3701078150..d86b48a1b2 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml
@@ -78,6 +78,18 @@ folder. + +All the webapp classes need to be made available to the Maven shade plugin +as well as the compiler during the JSP precompilation step. +Any JARs that are present in /WEB-INF/lib +need to be made available as Maven dependencies. +The webapp-jspc.ant.xml script will copy classes from the +/WEB-INF/classes folder of the webapp +to the target/classes path that Maven uses as the compilation +target, but if any of the JSP sources use them, then they need to be +packaged as JARs instead. + + The first step is to build the shaded Tomcat JAR with all dependencies. Any JSP in the webapp must all be precompiled and packaged (assuming

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
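Review bot: the new comment in webapp-jspc.ant.xml states that classes from /WEB-INF/classes "will not be available during compilation" without saying why, while the graal.xml paragraph in the same commit says the script copies them into target/classes, which is exactly the directory Maven compiles into. A reader will expect classes in target/classes to be on the compile classpath, so one sentence on the ordering (for instance, that the copy happens after the JSP precompilation step, if that is the reason) would save every user of the script the same investigation. The comment also leaves open which scope the /WEB-INF/lib JARs must be declared in; since the scope decides whether the shade plugin includes them, "made available to Maven as dependencies" should say compile scope if that is what is required.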
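Review bot: the added graal.xml line "packaged as JARs instead." carries trailing whitespace; the three "Remove trailing space" commits later in this thread exist only to strip it, so a whitespace check before pushing would have avoided them. On wording, "but if any of the JSP sources use them, then they need to be packaged as JARs instead" is easy to misread as "the copy into target/classes is pointless"; suggest stating explicitly that the copy suffices for classes used only at runtime, and that JAR packaging (plus a Maven dependency entry) is needed only for classes referenced from JSP sources.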
(tomcat) branch 10.1.x updated: Add warnings and details about webapp classes
remm pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/10.1.x by this push:
new cab798421d Add warnings and details about webapp classes

cab798421d is described below

commit cab798421d4da779d61b7806518c0a2a8986e90d
Author: remm
AuthorDate: Thu Dec 21 11:45:10 2023 +0100

Add warnings and details about webapp classes

They need to be packaged as well, and they also might be needed during compilation.
---
modules/stuffed/webapp-jspc.ant.xml | 20 +---
webapps/docs/graal.xml | 12
2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/modules/stuffed/webapp-jspc.ant.xml b/modules/stuffed/webapp-jspc.ant.xml index 07a51841be..cffafcf7d8 100644 --- a/modules/stuffed/webapp-jspc.ant.xml +++ b/modules/stuffed/webapp-jspc.ant.xml @@ -15,7 +15,7 @@ See the License for the specific language governing permissions and limitations under the License. --> - + @@ -31,13 +31,27 @@ + - + + + + + + + + + +JARs from /WEB-INF/lib need to be made available to Maven as dependencies. +Classes from /WEB-INF/classes will be packaged to the shaded JAR, but they will not be available during compilation. If needed during that step, they need to be packaged as JARs and made available to Maven as dependencies. + + - + + diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index 9c05759a84..55ed6edb7b 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml
@@ -78,6 +78,18 @@ folder. + +All the webapp classes need to be made available to the Maven shade plugin +as well as the compiler during the JSP precompilation step. +Any JARs that are present in /WEB-INF/lib +need to be made available as Maven dependencies. +The webapp-jspc.ant.xml script will copy classes from the +/WEB-INF/classes folder of the webapp +to the target/classes path that Maven uses as the compilation +target, but if any of the JSP sources use them, then they need to be +packaged as JARs instead. + + The first step is to build the shaded Tomcat JAR with all dependencies. Any JSP in the webapp must all be precompiled and packaged (assuming
(tomcat) branch 9.0.x updated: Add warnings and details about webapp classes
remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/9.0.x by this push:
new e9a7b3c6d1 Add warnings and details about webapp classes

e9a7b3c6d1 is described below

commit e9a7b3c6d1e576efec11c5ce75c3cb6f00151354
Author: remm
AuthorDate: Thu Dec 21 11:45:10 2023 +0100

Add warnings and details about webapp classes

They need to be packaged as well, and they also might be needed during compilation.
---
webapps/docs/graal.xml | 12
1 file changed, 12 insertions(+)

diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index e2a631a513..95a793e36b 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml @@ -78,6 +78,18 @@ folder. + +All the webapp classes need to be made available to the Maven shade plugin +as well as the compiler during the JSP precompilation step. +Any JARs that are present in /WEB-INF/lib +need to be made available as Maven dependencies. +The webapp-jspc.ant.xml script will copy classes from the +/WEB-INF/classes folder of the webapp +to the target/classes path that Maven uses as the compilation +target, but if any of the JSP sources use them, then they need to be +packaged as JARs instead. + + The first step is to build the shaded Tomcat JAR with all dependencies. Any JSP in the webapp must all be precompiled and packaged (assuming
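Review bot: this 9.0.x backport adds the graal.xml paragraph that tells readers "The webapp-jspc.ant.xml script will copy classes from the /WEB-INF/classes folder", but unlike the main and 10.1.x commits it touches only webapps/docs/graal.xml ("1 file changed, 12 insertions(+)") and not modules/stuffed/webapp-jspc.ant.xml. If 9.0.x ships that script, the warning comment added to it on the other branches should be backported alongside the documentation; if it does not, the 9.0.x documentation should not describe the script's behaviour.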
(tomcat) branch 10.1.x updated: Remove trailing space
remm pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/10.1.x by this push:
new 3a788920d6 Remove trailing space

3a788920d6 is described below

commit 3a788920d63a8e246249a7116191322168168fe5
Author: remm
AuthorDate: Thu Dec 21 11:59:46 2023 +0100

Remove trailing space
---
webapps/docs/graal.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index 55ed6edb7b..9e39ac767e 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml @@ -87,7 +87,7 @@ /WEB-INF/classes folder of the webapp to the target/classes path that Maven uses as the compilation target, but if any of the JSP sources use them, then they need to be -packaged as JARs instead. +packaged as JARs instead.
(tomcat) branch main updated: Remove trailing space
remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/main by this push:
new 11fb662af9 Remove trailing space

11fb662af9 is described below

commit 11fb662af9f8e26290be5c881b5a6837157894e7
Author: remm
AuthorDate: Thu Dec 21 11:59:46 2023 +0100

Remove trailing space
---
webapps/docs/graal.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index d86b48a1b2..077324c27f 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml @@ -87,7 +87,7 @@ /WEB-INF/classes folder of the webapp to the target/classes path that Maven uses as the compilation target, but if any of the JSP sources use them, then they need to be -packaged as JARs instead. +packaged as JARs instead.
(tomcat) branch 9.0.x updated: Remove trailing space
remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/9.0.x by this push:
new 387357b0b6 Remove trailing space

387357b0b6 is described below

commit 387357b0b6cd04e6f94758b25d8ebb754687bdf5
Author: remm
AuthorDate: Thu Dec 21 11:59:46 2023 +0100

Remove trailing space
---
webapps/docs/graal.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapps/docs/graal.xml b/webapps/docs/graal.xml index 95a793e36b..217d53a531 100644 --- a/webapps/docs/graal.xml +++ b/webapps/docs/graal.xml @@ -87,7 +87,7 @@ /WEB-INF/classes folder of the webapp to the target/classes path that Maven uses as the compilation target, but if any of the JSP sources use them, then they need to be -packaged as JARs instead. +packaged as JARs instead.
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434510673

## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -198,15 +416,27 @@ protected boolean skipNonceCheck(HttpServletRequest request) { String requestedPath = getRequestedPath(request); -if (!entryPoints.contains(requestedPath)) { -return false; +if (entryPoints.contains(requestedPath)) { +if (log.isTraceEnabled()) { +log.trace("Skipping CSRF nonce-check for GET request to entry point " + requestedPath); +} + +return true; } -if (log.isTraceEnabled()) { -log.trace("Skipping CSRF nonce-check for GET request to entry point " + requestedPath); +if (null != noNoncePredicates && !noNoncePredicates.isEmpty()) { +for (Predicate p : noNoncePredicates) { +if (p.test(requestedPath)) { +if (log.isTraceEnabled()) { +log.trace("Skipping CSRF nonce-check for GET request to no-nonce path " + requestedPath);

Review Comment:

> No `messages.properties`?

This class does not currently use localized exception messages. I'm happy to do that work in a separate PR. I'm trying not to re-write every line of the source file, and I'm trying to keep things consistent.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
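Review bot: the new loop in skipNonceCheck makes a noNonceURLPatterns match skip the CSRF nonce check altogether, not merely nonce addition: any GET whose requestedPath satisfies one of the noNoncePredicates returns true here and is accepted without a token. That is the intended behaviour for static resources, but it turns the pattern list into a security boundary, and nothing in this hunk or in the filter.xml description of the attribute (which only mentions caching) tells an administrator that a matched path is exempt from enforcement. Suggest stating this in the attribute documentation and in the Javadoc of setNoNonceURLPatterns, so that nobody lists a path with side effects. Keeping the "Skipping CSRF nonce-check for GET request to no-nonce path" message at trace level, as done, is right; at debug it would fire for every static resource.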
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434511388

## webapps/docs/config/filter.xml: ## @@ -319,6 +326,34 @@ of java.security.SecureRandom will be used. + +A list of URL patterns that will not have CSRF nonces added +to them. You may not want to add nonces to certain URLs to avoid +creating unique URLs which may defeat resource caching, etc. + +There are 3 types of patterns supported:

Review Comment:

3 == three

Though there are actually 4 (four?), now, so that needs a fix. Is there a documented preference for spelled-out numerals in Tomcat documentation?
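Review bot: "There are 3 types of patterns supported:" is out of date relative to the createNoNoncePredicate hunk in this PR, which recognises a mime: prefix in addition to the *-prefix and *-suffix forms (the thread already agrees on "four", spelled out). Beyond the count, the description should give one concrete example value, say what the patterns are matched against (a context-relative path as returned by getRequestedPath in skipNonceCheck, or the full URL handed to encodeURL), and state what happens when a URL matches more than one pattern. "which may defeat resource caching, etc." is vague; either name the other reason or drop the "etc.".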
Re: [PR] Csrf filter improvements [tomcat]
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434512783

## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -198,15 +416,27 @@ protected boolean skipNonceCheck(HttpServletRequest request) { String requestedPath = getRequestedPath(request); -if (!entryPoints.contains(requestedPath)) { -return false; +if (entryPoints.contains(requestedPath)) { +if (log.isTraceEnabled()) { +log.trace("Skipping CSRF nonce-check for GET request to entry point " + requestedPath); +} + +return true; } -if (log.isTraceEnabled()) { -log.trace("Skipping CSRF nonce-check for GET request to entry point " + requestedPath); +if (null != noNoncePredicates && !noNoncePredicates.isEmpty()) { +for (Predicate p : noNoncePredicates) { +if (p.test(requestedPath)) { +if (log.isTraceEnabled()) { +log.trace("Skipping CSRF nonce-check for GET request to no-nonce path " + requestedPath);

Review Comment:

Agreed.
Re: [PR] Csrf filter improvements [tomcat]
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434513367

## webapps/docs/config/filter.xml: ## @@ -319,6 +326,34 @@ of java.security.SecureRandom will be used. + +A list of URL patterns that will not have CSRF nonces added +to them. You may not want to add nonces to certain URLs to avoid +creating unique URLs which may defeat resource caching, etc. + +There are 3 types of patterns supported:

Review Comment:

Most style guides will likely tell you up to which number should be written out. APA, Chicago, etc.
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434514917

## webapps/docs/config/filter.xml: ## @@ -291,6 +291,13 @@ request. The default value is 403. + +A flag to enable or disable enforcement. When enforcement is +disabled, the CsrfPreventionFilter will allow all requests and +log CSRF failures as DEBUG messages. The default is true, +enabling the enforcement of CSRF protections. +

Review Comment:

Removing the filter from `web.xml` will not produce log messages for CSRF failures, nor will it add CSRF tokens to URLs produced by the application. Running in a non-enforcement mode is helpful to collect real-world information about your application without breaking it.

Please see https://lists.apache.org/thread/47syblyghh3tromyf6bkvl8q14w70f3x for the initial conversation, where I make the case for a non-enforcement mode.
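Review bot: "log CSRF failures as DEBUG messages" means a deployment that sets enforce to false in order to collect real-world data, as the reply describes, will see nothing at all until the filter's logger (presumably org.apache.catalina.filters.CsrfPreventionFilter, given the file path) is lowered to FINE in logging.properties; the attribute description should name that logger and level, or the non-enforcement mode will be tried and judged useless. Consider also a single WARN at filter initialisation when enforce is false, so that a non-enforcing filter accidentally left in production is visible in the standard log without debug logging.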
Re: [PR] Csrf filter improvements [tomcat]
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434518590

## webapps/docs/config/filter.xml: ## @@ -291,6 +291,13 @@ request. The default value is 403. + +A flag to enable or disable enforcement. When enforcement is +disabled, the CsrfPreventionFilter will allow all requests and +log CSRF failures as DEBUG messages. The default is true, +enabling the enforcement of CSRF protections. +

Review Comment:

I see, agreed.
Re: [PR] Csrf filter improvements [tomcat]
ChristopherSchultz commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434521612

## webapps/docs/config/filter.xml: ## @@ -319,6 +326,34 @@ of java.security.SecureRandom will be used. + +A list of URL patterns that will not have CSRF nonces added +to them. You may not want to add nonces to certain URLs to avoid +creating unique URLs which may defeat resource caching, etc. + +There are 3 types of patterns supported:

Review Comment:

2ab2317d581fb6657fe02529d5ad55af00161726
Re: [PR] Csrf filter improvements [tomcat]
michael-o commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1434524088

## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or

Review Comment:

Same here

## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ## @@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or

Review Comment:

Singular or plural? Above is singular

## java/org/apache/catalina/filters/CsrfPreventionFilter.java: ##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String parameterName) { this.nonceRequestParameterName = parameterName; } +/** + * Sets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @param enforce true to enforce CSRF protections or + *false to log DEBUG messages and allow + *all requests. + */ +public void setEnforce(boolean enforce) { +this.enforce = enforce; +} + +/** + * Gets the flag to enforce CSRF protection or just log failures as DEBUG + * messages. + * + * @return true if CSRF protections will be enforced or + * false if all requests will be allowed and + * failures will be logged as DEBUG messages. + */ +public boolean getEnforce() { +return this.enforce; +} + +/** + * Sets the list of URL patterns to suppress nonce-addition for. + * + * Some URLs do not need nonces added to them such as static resources. + * By not adding nonces to those URLs, HTTP caches can be more + * effective because the CSRF prevention filter won't generate what + * look like unique URLs for those commonly-reused resources. + * + * @param patterns A comma-separated list of URL patterns that will not + *have nonces added to them. Patterns may begin or end with a + ** character to denote a suffix-match or + *prefix-match. Any matched URL will not have a CSRF nonce + *added to it when passed through + *{@link HttpServletResponse#encodeURL(String)}. + */ +public void setNoNonceURLPatterns(String patterns) { +this.noNoncePatterns = patterns; + +if (null != context) { +this.noNoncePredicates = createNoNoncePredicates(context, this.noNoncePatterns); +} +} + +/** + * Creates a collection of matchers from a comma-separated string of patterns. + * + * @param patterns A comma-separated string of URL matching patterns. + * + * @return A collection of predicates representing the URL patterns. 
+ */ +protected static Collection> createNoNoncePredicates(ServletContext context, String patterns) { +if (null == patterns || 0 == patterns.trim().length()) { +return null; +} + +String values[] = patterns.split(","); + +ArrayList> matchers = new ArrayList<>(values.length); +for (String value : values) { +Predicate p = createNoNoncePredicate(context, value.trim()); + +if (null != p) { +matchers.add(p); +} +} + +matchers.trimToSize(); + +return matchers; +} + +/** + * Creates a predicate that can match the specified type of pattern. + * + * @param pattern The pattern to match e.g. *.foo or + */bar/*. + * + * @return A Predicate which can match the specified pattern, or + * >null if the pattern is null or blank. + */ +protected static Predicate createNoNoncePredicate(ServletContext context, String pattern) { +if (null == pattern || 0 == pattern.trim().length()) { +return null; +} +if (pattern.startsWith("mime:")) { +return new MimePredicate(context, createNoNoncePredicate(context, pattern.substring(5))); +} else if (pattern.startsWith("*")) { +re
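Review bot: setNoNonceURLPatterns only compiles noNoncePredicates when context is already non-null, so if the setter runs before the ServletContext is assigned (which depends on the order in init(), not visible in this hunk) the patterns are kept in noNoncePatterns but never turned into predicates, and both the loop in skipNonceCheck and the encodeURL path silently see no patterns. Make sure init() calls createNoNoncePredicates(context, noNoncePatterns) once the context is available, and add a test for a filter configured purely through web.xml init-params. Two smaller points in the same hunk: createNoNoncePredicates returns null for a blank string but an empty ArrayList when every comma-separated entry is blank, so callers must check both (the null-and-isEmpty test in skipNonceCheck shows this); returning an empty collection in both cases would simplify every caller. And the Javadoc of setNoNonceURLPatterns documents only the prefix/suffix * forms, while createNoNoncePredicate also accepts the mime: prefix (substring(5) is correct for that five-character prefix); the contract should list all accepted forms in one place.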