Re: CSRF on multiple tomcat instances

2012-11-07 Thread Pid
On 06/11/2012 03:59, Christopher Schultz wrote:
 Wilfred,
 
 On 11/5/12 4:08 AM, Wilfred Duizers wrote:
 When a user clicks a link in the web application running on Tomcat 
 instance 1 (portal) an application running on Tomcat instance 2 is 
 opened. Is it possible to send the nonce with the link? Because
 it's running another instance.
 
 Do you see a solution anyway? Both Tomcat instances use the same
  domain https://www.example.com
 
 They use isapi
 
 I'm not sure ISAPI is relevant here, but good to know.
 
 So, first of all -- have you tried it? The CSRFPreventionFilter stores
 its nonce cache (a Serializable object) in the session. If you are
 using clustered sessions, then it should Just Work.

If they are not the same apps it won't.

The alternative is to write a similar component that works as a Valve,
which has access to the Session (not the same as the HttpSession) and
see if you can use the same mechanism as the SSOValve uses, storing the
nonce in a 'note'.

I *think* that might work, but I'm guessing a bit there...


p

 If you have other (as yet undisclosed) requirements, I'm guessing that
 Tomcat's built-in CSRFPreventionFilter isn't going to meet your needs,
 though it should be trivial to subclass it and customize the parts
 that you need to work differently. If your improvements are decent, I
 would encourage you to contribute back to the community.
 
 If I had to do this, I would look at modifying the existing
 CSRFPreventionFilter such that its storage mechanism was pluggable, so
 you could specify a class that did something simple like:
 
    public LruCache<String> getNonceCache(HttpSession session)
    public void setNonceCache(HttpSession session, LruCache<String> cache)
 
 If you wanted to make it a bit more high-throughput, you could make
 the methods more fine-grained so you didn't have to push-and-pull the
 whole cache each time. The code is more complicated, but potentially
 more flexible.
 
 Once that's done, just implement a global nonce cache using something
 like webcache or your favorite key-value store (where the key is
 something like session id + .csrfCache). Just remember to expire the
 nonce caches when the user's session dies or you will end up with a
 big, fat, messy database (and might even exhaust system resources if
 you are using an in-memory solution like webcache).
 
 -chris
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 



Re: CSRF on multiple tomcat instances

2012-11-05 Thread Pid *
On 2 Nov 2012, at 14:23, Wilfred Duizers wilfred.duiz...@indicia.nl wrote:

 Hello,

 I am running 2 Tomcat instances on 1 server. So far nothing special :-)
 Both:
 Apache Tomcat/7.0.25
 JVM 1.6.0_20-b02

 When a user clicks a link in the web application running on Tomcat instance 1 
 (portal) an application running on Tomcat instance 2 is opened. Is it 
 possible to send the nonce with the link? Because it's running another 
 instance...

Would defeat the point if you sent all of the info in the same request, no?


p



 Kind regards,
 Wilfred




RE: CSRF on multiple tomcat instances

2012-11-05 Thread Wilfred Duizers
Yes it would :P
Do you see a solution anyway? Both Tomcat instances use the same domain 
https://www.example.com
They use isapi


From: Pid * [p...@pidster.com]
Sent: Monday 5 November 2012 9:30
To: Tomcat Users List
Subject: Re: CSRF on multiple tomcat instances

On 2 Nov 2012, at 14:23, Wilfred Duizers wilfred.duiz...@indicia.nl wrote:

 Hello,

 I am running 2 Tomcat instances on 1 server. So far nothing special :-)
 Both:
 Apache Tomcat/7.0.25
 JVM 1.6.0_20-b02

 When a user clicks a link in the web application running on Tomcat instance 1 
 (portal) an application running on Tomcat instance 2 is opened. Is it 
 possible to send the nonce with the link? Because it's running another 
 instance...

Would defeat the point if you sent all of the info in the same request, no?


p



 Kind regards,
 Wilfred




Re: CSRF on multiple tomcat instances

2012-11-05 Thread Christopher Schultz

Wilfred,

On 11/5/12 4:08 AM, Wilfred Duizers wrote:
 When a user clicks a link in the web application running on Tomcat 
 instance 1 (portal) an application running on Tomcat instance 2 is 
 opened. Is it possible to send the nonce with the link? Because
 it's running another instance.
 
 Do you see a solution anyway? Both Tomcat instances use the same
  domain https://www.example.com
 
 They use isapi

I'm not sure ISAPI is relevant here, but good to know.

So, first of all -- have you tried it? The CSRFPreventionFilter stores
its nonce cache (a Serializable object) in the session. If you are
using clustered sessions, then it should Just Work.

If you have other (as yet undisclosed) requirements, I'm guessing that
Tomcat's built-in CSRFPreventionFilter isn't going to meet your needs,
though it should be trivial to subclass it and customize the parts
that you need to work differently. If your improvements are decent, I
would encourage you to contribute back to the community.

If I had to do this, I would look at modifying the existing
CSRFPreventionFilter such that its storage mechanism was pluggable, so
you could specify a class that did something simple like:

   public LruCache<String> getNonceCache(HttpSession session)
   public void setNonceCache(HttpSession session, LruCache<String> cache)

If you wanted to make it a bit more high-throughput, you could make
the methods more fine-grained so you didn't have to push-and-pull the
whole cache each time. The code is more complicated, but potentially
more flexible.

Once that's done, just implement a global nonce cache using something
like webcache or your favorite key-value store (where the key is
something like session id + .csrfCache). Just remember to expire the
nonce caches when the user's session dies or you will end up with a
big, fat, messy database (and might even exhaust system resources if
you are using an in-memory solution like webcache).

-chris

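The pluggable-storage design Chris sketches above (a get/set pair for the per-session nonce cache, a shared key-value store keyed by session id + ".csrfCache", and expiry when the session dies) written out as a stand-alone Java example. This is added illustration, not Tomcat's code and not anything posted in the thread: the NonceLruCache, NonceCacheStore, SharedNonceCacheStore, NonceCacheStores, NonceCacheCleanupListener and NonceService names are invented here, the ConcurrentMap stands in for whatever external key-value store you would actually deploy, and keying by session id assumes both instances agree on the session identifier (i.e. clustered sessions, as Chris's first answer assumes). Only the servlet API is needed to compile it; run NonceService.main to see the shared store behave as the text describes.

```java
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Bounded LRU set of nonces; a stand-in for Tomcat's own CSRFPreventionFilter.LruCache<T>. */
class NonceLruCache implements Serializable {
    private static final long serialVersionUID = 1L;
    private final Map<String, Boolean> entries;

    NonceLruCache(final int maxSize) {
        // Access-ordered map: the least recently used nonce is evicted once maxSize is exceeded.
        entries = Collections.synchronizedMap(new LinkedHashMap<String, Boolean>(16, 0.75f, true) {
            private static final long serialVersionUID = 1L;
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) { return size() > maxSize; }
        });
    }
    void add(String nonce) { entries.put(nonce, Boolean.TRUE); }
    boolean contains(String nonce) { return entries.containsKey(nonce); }
}

/** The pluggable storage contract from the thread, keyed by session id instead of HttpSession (hypothetical). */
interface NonceCacheStore {
    NonceLruCache getNonceCache(String sessionId);
    void setNonceCache(String sessionId, NonceLruCache cache);
    void removeNonceCache(String sessionId);
}

/** Store every instance shares. The ConcurrentMap stands in for the external key-value store. */
class SharedNonceCacheStore implements NonceCacheStore {
    private static final String KEY_SUFFIX = ".csrfCache";   // key = session id + ".csrfCache"
    private final ConcurrentMap<String, NonceLruCache> backend;
    SharedNonceCacheStore(ConcurrentMap<String, NonceLruCache> backend) { this.backend = backend; }
    private static String key(String sessionId) { return sessionId + KEY_SUFFIX; }
    public NonceLruCache getNonceCache(String sessionId) { return backend.get(key(sessionId)); }
    public void setNonceCache(String sessionId, NonceLruCache cache) { backend.put(key(sessionId), cache); }
    public void removeNonceCache(String sessionId) { backend.remove(key(sessionId)); }
}

/** Single store both web applications point at (hypothetical wiring; replace with your own). */
final class NonceCacheStores {
    private static final NonceCacheStore SHARED =
            new SharedNonceCacheStore(new ConcurrentHashMap<String, NonceLruCache>());
    static NonceCacheStore shared() { return SHARED; }
    private NonceCacheStores() {}
}

/** Expires the nonce cache with the session so the shared store cannot grow without bound.
 *  Declare it as a <listener> in the web.xml of every application that uses the store. */
class NonceCacheCleanupListener implements HttpSessionListener {
    public void sessionCreated(HttpSessionEvent se) { /* nothing to do until a nonce is issued */ }
    public void sessionDestroyed(HttpSessionEvent se) {
        NonceCacheStores.shared().removeNonceCache(se.getSession().getId());
    }
}

/** The two operations a filter needs: issue a nonce for a session, and check one on a later request. */
final class NonceService {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int CACHE_SIZE = 5;   // same default as CSRFPreventionFilter's nonceCacheSize

    static String issueNonce(NonceCacheStore store, String sessionId) {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        String nonce = hex.toString();
        NonceLruCache cache = store.getNonceCache(sessionId);
        if (cache == null) cache = new NonceLruCache(CACHE_SIZE);
        cache.add(nonce);
        store.setNonceCache(sessionId, cache);   // push the whole cache back: the coarse-grained design
        return nonce;
    }

    static boolean isValidNonce(NonceCacheStore store, String sessionId, String nonce) {
        NonceLruCache cache = store.getNonceCache(sessionId);
        return cache != null && nonce != null && cache.contains(nonce);
    }

    public static void main(String[] args) {
        NonceCacheStore store = NonceCacheStores.shared();
        String sessionId = "constructed-session-id";           // constructed sample value
        String nonce = issueNonce(store, sessionId);           // instance 1 renders the link with this nonce
        System.out.println("instance 2 accepts nonce: " + isValidNonce(store, sessionId, nonce));
        System.out.println("unknown nonce accepted:   " + isValidNonce(store, sessionId, "bogus"));
        store.removeNonceCache(sessionId);                     // what the listener does on session death
        System.out.println("after session expiry:     " + isValidNonce(store, sessionId, nonce));
    }
}
```

The coarse get/set pair is the simple variant Chris describes; his finer-grained alternative would replace setNonceCache with per-nonce add and contains calls against the store, so two instances issuing nonces for the same session concurrently cannot overwrite each other's cache. Whatever the granularity, the listener is the part that keeps the store from becoming the "big, fat, messy database" he warns about.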



CSRF on multiple tomcat instances

2012-11-02 Thread Wilfred Duizers
Hello,

I am running 2 Tomcat instances on 1 server. So far nothing special :-)
Both:
Apache Tomcat/7.0.25
JVM 1.6.0_20-b02

When a user clicks a link in the web application running on Tomcat instance 1 
(portal) an application running on Tomcat instance 2 is opened. Is it possible 
to send the nonce with the link? Because it's running another instance.

Kind regards,
Wilfred