On 04/11/2011 13:14, Pete Gould wrote:
> Hi,
>
> I have recently been using
> the org.apache.catalina.filters.CsrfPreventionFilter, and I notice that the
> documentation for setNonceCacheSize states:
>
> "Sets the number of previously issued nonces that will be cached on a
> LRU basis to support parallel requests..."
>
> However, looking at the implementation of the cache, it appears to be a
> FIFO implementation rather than a LRU cache. I'm happy to raise a bug and
> supply a patch for whichever is the desired implementation, but need to
> determine what the original intention is first - based on the Javadoc it
> would suggest that the intention is for the cache to be LRU, could anyone
> here confirm that?

I wrote the initial implementation of the CsrfPreventionFilter and I honestly can't remember whether I actually intended to implement FIFO or LRU. It isn't beyond the realm of possibility that I started with one and changed my mind. That said, looking at the svn history for that file there aren't any obvious suggestions of a change of mind.

> Either cache implementation will work for the majority of cases, however I
> came across this issue when issuing Ajax requests which repeatedly use the
> same nonce string and after 5 requests the value I'm using is ejected from
> the (FIFO) cache, changing the cache to LRU fixes this (although could
> potentially result in the same token being used for N requests).

I think the thing to do here is to work out what the 'best' solution is and fix the docs/code accordingly. I think LRU is the way to go in which case the current code needs fixing.

Mark
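
The FIFO versus LRU difference discussed in this thread, as an added example that is not part of either message and is not Tomcat's own code. The class and method names (NonceCacheDemo, NonceCache, isValid, acceptedRequests), the nonce strings, the cache size of 5 and the rule that each accepted request issues one new nonce are assumptions made for the simulation.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class NonceCacheDemo {

    // Hypothetical bounded nonce cache.
    // accessOrder=false keeps insertion order (FIFO eviction);
    // accessOrder=true keeps access order (LRU eviction).
    static class NonceCache extends LinkedHashMap<String, Boolean> {
        private final int maxSize;

        NonceCache(int maxSize, boolean accessOrder) {
            super(16, 0.75f, accessOrder);
            this.maxSize = maxSize;
        }

        @Override
        protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
            return size() > maxSize; // drop the eldest entry once over capacity
        }

        // get() counts as an access in access-order mode; containsKey() does
        // not, so a containsKey() check would leave an "LRU" map evicting FIFO.
        boolean isValid(String nonce) {
            return get(nonce) != null;
        }
    }

    // Constructed scenario: an Ajax client keeps replaying the nonce it got at
    // page load. Assumed: every accepted request issues and caches a new nonce.
    static int acceptedRequests(NonceCache cache, int requests) {
        String pageNonce = "nonce-0";
        cache.put(pageNonce, Boolean.TRUE);
        int accepted = 0;
        for (int i = 1; i <= requests; i++) {
            if (cache.isValid(pageNonce)) {
                accepted++;
                cache.put("nonce-" + i, Boolean.TRUE);
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        System.out.println("FIFO accepted: " + acceptedRequests(new NonceCache(5, false), 10));
        System.out.println("LRU accepted:  " + acceptedRequests(new NonceCache(5, true), 10));
    }
}
```

Under LRU the replayed nonce is refreshed on every lookup and never ages out, which is the "same token being used for N requests" trade-off raised in the quoted message.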