One thing I forgot to mention... In my servlet controller's auth method, when a user's login is approved, the controller redirects the browser to another page. I noticed, looking in my browser's network tab, that the CSRF_NONCE token in the request URL changes value between the auth method and the eventual destination. Is this normal? I also recall reading Tomcat is supposed to cache the last five tokens for a given current session - the change in token values shouldn't affect usage, correct?
On Fri, Sep 2, 2016 at 10:14 AM Joe Tseng <jts...@secure-innovations.net> wrote:

> For my app I was *mostly* successful in securing it using Tomcat's
> CsrfPreventionFilter tool. I can land on my unsecured login.jsp page and
> get the app to still redirect based on login success.
>
> My problem is regardless of login success I'm getting a 403 error; I may
> be implementing the token check incorrectly though. When I originally read
> up on how to implement CSRF in a traditional MVC app I was under the
> impression I had to provide the token in a hidden field in a POST form. My
> initial effort was aimed at providing that value from the session's
> CSRF_NONCE attribute but that kept on coming up null or of type lrucache.
>
> Other posts said all I had to do was pass my unaltered POST form action
> URL through HttpServletResponse.encodeRedirectURL() and the resulting
> CSRF_NONCE GET value would be automagically handled by the filter (e.g.
> https://help.hana.ondemand.com/help/e5be9994bb571014b575a785961062db.html).
> Now I can produce CSRF_NONCE values all day long and be redirected to the
> action page, but that page is producing a 403. I put a print statement in
> my action page, but my browser isn't getting that far, leading me to think
> I need to do something additional in my filter configuration.
>
> As an aside, I currently use a custom class that extends
> org.apache.catalina.filters.CsrfPreventionFilter so I can override
> doFilter() and filter out any checks to CSS or JS files. That works for
> excluding unsecured content but is that the right approach? Is that causing
> my main issue?
>
> My web.xml is currently as follows:
>
> <filter>
>   <filter-name>CSRF</filter-name>
>   <filter-class>filter.CustomCSRFFilter</filter-class>
>   <init-param>
>     <param-name>entryPoints</param-name>
>     <param-value>/,/login.jsp,/JS/MIST.js</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>CSRF</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> Appreciative of any useful assistance...
>
> - Joe
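The two questions in this thread (why the nonce value changes between the auth request and the redirect target, and why a request can still be accepted or get a 403) come down to how the filter's per-session nonce cache works. The following is an added example, not code from this thread and not Tomcat's own implementation: a small Python model of the filter's documented behaviour, using the entryPoints from the web.xml above and the default cache size of five. The parameter and session-attribute name `org.apache.catalina.filters.CSRF_NONCE` and the exact check order are assumptions based on my reading of the filter, not something the thread states; the session, request and URL-encoding objects are constructed stand-ins for the servlet API.

```python
"""Model of a CsrfPreventionFilter-style nonce lifecycle (added example, not Tomcat code)."""
import secrets
from collections import OrderedDict
from urllib.parse import urlencode

# Assumption: Tomcat uses this name for the request parameter AND the session attribute.
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"


class NonceCache:
    """Bounded LRU of issued nonces: inserting beyond `size` evicts the oldest entry."""

    def __init__(self, size):
        self.size = size
        self._entries = OrderedDict()

    def add(self, nonce):
        self._entries[nonce] = True
        if len(self._entries) > self.size:
            self._entries.popitem(last=False)

    def contains(self, nonce):
        return nonce in self._entries


class Session:
    """Constructed stand-in for HttpSession: just an attribute map."""

    def __init__(self):
        self.attrs = {}


class CsrfFilterModel:
    """A GET to an entry point skips the check; any other request must carry a nonce
    still present in the session's cache; every request that passes is issued a fresh
    nonce, which is what encodeRedirectURL() appends to the next URL."""

    def __init__(self, entry_points, nonce_cache_size=5, deny_status=403):
        self.entry_points = set(entry_points)
        self.nonce_cache_size = nonce_cache_size
        self.deny_status = deny_status

    def do_filter(self, session, method, path, params=None):
        params = params or {}
        cache = session.attrs.get(NONCE_PARAM)
        skip_check = method == "GET" and path in self.entry_points
        if not skip_check:
            previous = params.get(NONCE_PARAM)
            if cache is None or previous is None or not cache.contains(previous):
                return self.deny_status, None          # the 403 seen in the thread
        if cache is None:
            cache = NonceCache(self.nonce_cache_size)
            session.attrs[NONCE_PARAM] = cache         # the session holds the cache object, not a string
        new_nonce = secrets.token_hex(16)
        cache.add(new_nonce)
        # In a real filter this value would be exposed per request (e.g. as a request
        # attribute) so a JSP could put it into a hidden field; here it is returned.
        return 200, new_nonce

    @staticmethod
    def encode_redirect_url(url, nonce):
        """What the response wrapper does: append the current nonce as a query parameter."""
        sep = "&" if "?" in url else "?"
        return url + sep + urlencode({NONCE_PARAM: nonce})


def walk_through(cache_size=5):
    """Replay the login -> auth -> redirect sequence and report each outcome."""
    f = CsrfFilterModel({"/", "/login.jsp", "/JS/MIST.js"}, nonce_cache_size=cache_size)
    s = Session()
    out = {}
    # 1. Landing on the unsecured entry point: no nonce required, first nonce issued.
    out["login"], login_nonce = f.do_filter(s, "GET", "/login.jsp")
    out["form_action"] = f.encode_redirect_url("/auth", login_nonce)
    # 2. The login POST carries that nonce and passes; a new nonce is issued for it.
    out["auth"], auth_nonce = f.do_filter(s, "POST", "/auth", {NONCE_PARAM: login_nonce})
    # 3. The controller's redirect URL therefore carries a different value: this is normal.
    out["redirect"] = f.encode_redirect_url("/home", auth_nonce)
    out["nonce_changed"] = auth_nonce != login_nonce
    out["home"], _ = f.do_filter(s, "GET", "/home", {NONCE_PARAM: auth_nonce})
    # 4. The older nonce is still one of the last `cache_size`, so it is still accepted...
    out["old_nonce_still_valid"], _ = f.do_filter(s, "POST", "/auth", {NONCE_PARAM: login_nonce})
    # 5. ...until enough newer nonces have pushed it out of the LRU cache.
    for _ in range(cache_size):
        f.do_filter(s, "GET", "/login.jsp")
    out["evicted"] = f.do_filter(s, "POST", "/auth", {NONCE_PARAM: login_nonce})[0]
    # 6. A protected request with no nonce at all is denied outright.
    out["missing"] = f.do_filter(s, "POST", "/auth")[0]
    return out


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Running the walk-through shows the redirect URL carrying a nonce that differs from the one the login form submitted, while the older nonce keeps working until five newer ones have been issued; the only requests that come back 403 are the one replaying an evicted nonce and the one sending no nonce. The model intentionally exempts only GET requests to the configured entryPoints, so a POST to an entry point still needs a valid nonce.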