Re: Configure CSRFPreventionFilter in 6.0.35

2012-07-23 Thread Rainer Jung

On 23.07.2012 12:00, Nikhil Dhankani wrote:

Hi,

I am trying to configure CSRFPreventionFilter with the below code in my
web.xml.

<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>CSRF</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

But Tomcat fails to start with the below error:

Jul 22, 2012 11:57:17 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet CXFServlet threw exception
java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute org.apache.catalina.filters.CSRF_NONCE
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1351)
    at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:647)
    at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:631)
    at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:130)
    at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:173)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227)
    at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675)
    at java.lang.Thread.run(Unknown Source)

Can anybody please help as to what I am missing or what I am doing wrong?


It seems you are doing clustering?

The cluster needs to be able to serialize sessions in order to replicate 
them over the network. The message indicates that the session attribute 
org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter is not 
serializable.


You might

- open an issue in the Tomcat bugzilla in order to get that fixed or 
documented (cluster compatibility of the filter)


- disable replication for that special attribute. This might limit your 
ability to actually fail over in the cluster, but maybe you would need the 
attribute in the session only for special use cases.


To disable replication of the attribute 
org.apache.catalina.filters.CSRF_NONCE:


Since 7.0.22 and 6.0.34 you can configure which session attributes you
want to distribute via a regular expression matched against the
attribute names. By default all attributes are replicated (and thus must
be serializable).

See sessionAttributeFilter in

http://tomcat.apache.org/tomcat-7.0-doc/config/cluster-manager.html#Common_Attributes

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
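A server.xml fragment showing the sessionAttributeFilter setting Rainer refers to, added here as an illustration and not taken from the thread or from the Tomcat documentation. The DeltaManager and the enclosing Cluster element are assumed from a typical setup; the regular expression is a Java regex matched against each attribute name, and only names that match are replicated:

```xml
<!-- server.xml, inside <Engine> or <Host>; other Cluster children omitted -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <!-- Replicate every attribute EXCEPT the CSRF nonce cache.
       The negative lookahead excludes exactly that one name; all other
       attribute names still match ".*" and are replicated as before. -->
  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false"
           notifyListenersOnReplication="true"
           sessionAttributeFilter="^(?!org\.apache\.catalina\.filters\.CSRF_NONCE$).*$"/>
</Cluster>
```

After a failover the receiving node's copy of the session has no nonce cache, so the CSRF filter will reject requests that carry a nonce issued by the old node until the user reloads an entry point and obtains a fresh one; that is the fail-over limitation mentioned above.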



Re: Configure CSRFPreventionFilter in 6.0.35

2012-07-23 Thread Mark Thomas
On 23/07/2012 11:10, Rainer Jung wrote:
 The cluster needs to be able to serialize sessions in order to replicate
 them over the network. The message indicates that the session attribute
 org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter is not
 serializable.
 
 You might
 
 - open an issue in the Tomcat bugzilla in order to get that fixed or
 documented (cluster compatibility of the filter)

This is already fixed in 7.0.x and trunk. I have proposed the same fix
for 6.0.x.

Mark




Re: Configure CSRFPreventionFilter in 6.0.35

2012-07-23 Thread Nikhil Dhankani
Yes my environment is a clustered one.

Thanks Rainer for the quick response, this was really helpful.

On Mon, Jul 23, 2012 at 3:40 PM, Rainer Jung rainer.j...@kippdata.de wrote:


 It seems you are doing clustering?

 The cluster needs to be able to serialize sessions in order to replicate
 them over the network. The message indicates that the session attribute
 org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter is not
 serializable.

 You might

 - open an issue in the Tomcat bugzilla in order to get that fixed or
 documented (cluster compatibility of the filter)

 - disable replication for that special attribute. This might limit your
 ability to actually fail over in the cluster, but maybe you would need the
 attribute in the session only for special use cases.

 To disable replication of the attribute
 org.apache.catalina.filters.CSRF_NONCE:

 Since 7.0.22 and 6.0.34 you can configure which session attributes you
 want to distribute via a regular expression matched against the
 attribute names. By default all attributes are replicated (and thus must
 be serializable).

 See sessionAttributeFilter in

 http://tomcat.apache.org/tomcat-7.0-doc/config/cluster-manager.html#Common_Attributes

 Regards,

 Rainer






Re: Configure CSRFPreventionFilter in 6.0.35

2012-07-23 Thread Rainer Jung

On 23.07.2012 13:38, Mark Thomas wrote:

On 23/07/2012 11:10, Rainer Jung wrote:

The cluster needs to be able to serialize sessions in order to replicate
them over the network. The message indicates that the session attribute
org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter is not
serializable.

You might

- open an issue in the Tomcat bugzilla in order to get that fixed or
documented (cluster compatibility of the filter)


This is already fixed in 7.0.x and trunk. I have proposed the same fix
for 6.0.x.


Thanks and sorry Mark, I hadn't looked that up and somehow forgot about 
it. Thought it would be a good opportunity for propaganda for the 
session attribute replication filter ;)


Regards,

Rainer





Re: Configure CSRFPreventionFilter in 6.0.35

2012-07-23 Thread Mark Thomas
Rainer Jung rainer.j...@kippdata.de wrote:

On 23.07.2012 13:38, Mark Thomas wrote:
 On 23/07/2012 11:10, Rainer Jung wrote:
 The cluster needs to be able to serialize sessions in order to
 replicate them over the network. The message indicates that the session
 attribute org.apache.catalina.filters.CSRF_NONCE used by the CSRF filter
 is not serializable.

 You might

 - open an issue in the Tomcat bugzilla in order to get that fixed or
 documented (cluster compatibility of the filter)

 This is already fixed in 7.0.x and trunk. I have proposed the same
 fix for 6.0.x.

Thanks and sorry Mark, I hadn't looked that up and somehow forgot about 
it. Thought it would be a good opportunity for propaganda for the 
session attribute replication filter ;)

Regards,

Rainer



No need to apologise. The filter is a useful one and it is good to increase 
awareness.

Mark
