Anyone?
On 14/01/13 17:24, Watts, Timothy wrote:
Hi,
Is there a way to *tell* j_security_check that an Origin: header set
(during the login POST request) to a remote server is permitted (and is
not an XSS attack)?
We have a Tomcat server T running a Tomcat webapp that uses
On 18/01/2013 11:07, Tim Watts wrote:
Anyone?
Tomcat doesn't give two hoots about the origin header. It does care
about the Host header.
It is hard to tell exactly what is going wrong from your post but you
may need one or more of the following:
On 18/01/13 11:27, André Warnier wrote:
I don't know if this really helps or improves things, but the standard way of handling the Location in redirects is via the ProxyPassReverse directive (which is probably more efficient here - and more easily understood - than the Header-edit).
The
On 18/01/13 11:45, Mark Thomas wrote:
On 18/01/2013 11:07, Tim Watts wrote:
Anyone?
Hi Mark,
Tomcat doesn't give two hoots about the origin header.
Curious - I wonder how me editing it helped? Unless it caused some
knock-on somewhere.
It does care
about the Host header.
That would
On 18/01/2013 12:01, Tim Watts wrote:
On 18/01/13 11:45, Mark Thomas wrote:
On 18/01/2013 11:07, Tim Watts wrote:
Anyone?
Hi Mark,
Tomcat doesn't give two hoots about the origin header.
Curious - I wonder how me editing it helped? Unless it caused some
knock-on somewhere.
Tomcat
Hi,
Is there a way to *tell* j_security_check that an Origin: header set
(during the login POST request) to a remote server is permitted (and is
not an XSS attack)?
We have a Tomcat server T running a Tomcat webapp that uses
j_security_check to auth users
(Excuse me - I am not the