
Not able to authenticate post request for CSRF token with tomcat


I am working on a tomcat application. I am trying to add the CSRF authentication token provided by the Catalina library (org.apache.catalina.filters.CsrfPrevention). I have added the filter to web.xml

<filter>
    <filter-name>CsrfFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/Login</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CsrfFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Also I have updated the login.jsp

<%  String url = "/Login?x=true";
    // encodeURL() is what the CsrfPreventionFilter wraps to append the nonce parameter
    String encodeUrl = response.encodeURL(url);
%>
    <form action="<%= encodeUrl %>" method="post">
        <input type="text" name="username"/>
        <input type="password" name="password"/>
        <button type="submit">Login</button>
    </form>

Now when I run the server, the login page renders. When I enter a username and password, the browser sends a POST request to the Login servlet with CSRF_NONCE: http://localhost:9090/Login?x=true&org.apache.catalina.filters.CSRF_NONCE=7DE88A93A526E465566864684FEB01C9. It has the CSRF_NONCE, but the response still has status 403. I have read many documents but could not find any solution to authenticate the POST request.

I also read that I need to encode all the URLs but could not find out how I should do that. Do I need to write a filter for that?


Solution

  • Finally I got the answer. I am posting it here for others.

    For rendering the JSP I was using the RequestDispatcher object

    dispatcher.forward(request, response);
    

    So the filter was not getting applied to the given URL. Finally I found the answer. Either I should have used the dispatcher parameter with the filter, or the response.sendRedirect method in the servlet handler.

    http://www.theserverside.com/news/thread.tss?thread_id=34168
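The first of the two fixes mentioned in the answer, as an added example that is not from the original post: the same CsrfPreventionFilter mapping, extended with dispatcher elements so the filter also runs when the JSP is rendered through RequestDispatcher.forward(). Without any dispatcher element the container applies a filter to direct client requests (REQUEST) only, so the forwarded JSP is never wrapped by the filter and its encoded form action carries no nonce.

```xml
<!-- Added example (not the original poster's web.xml): CsrfPreventionFilter
     mapped for both direct requests and forwards. -->
<filter>
    <filter-name>CsrfFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <!-- Paths accepted without a nonce; keep this list as short as possible,
             since every entry point is a request the filter does not check. -->
        <param-name>entryPoints</param-name>
        <param-value>/Login</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CsrfFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- Default when omitted is REQUEST only; FORWARD makes the filter
         (and therefore response.encodeURL()) apply to forwarded JSPs too. -->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
```

If you take the second route instead (response.sendRedirect from the servlet), the redirected request arrives as a fresh REQUEST dispatch and passes through the filter without this change.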