I am trying to add CSRF protection to the Java web application. I have the web.xml configured with the CSRF filter and filter mappings to the servlets. However, I am not sure how to do this next part. The documentation says "all URLs returned to the client are encoded via a call to HttpServletResponse#encodeRedirectURL(String) or HttpServletResponse#encodeURL(String)". They also say you can try: "Or one can pass back the nonce as a request parameter with name org.apache.catalina.filters.CSRF_NONCE, which is the value of the constant org.apache.catalina.filters.Constants.CSRF_NONCE_REQUEST_PARAM."
Here is the web.xml setup:
In the JSP page I have HTML where I am passing the CSRF_NONCE as a form parameter in the request. This CSRF_NONCE is a cache value that the Filter uses to compare:
<FORM METHOD="POST" ACTION="/exampleservlet">
    <!-- hidden field meant to carry the nonce that the CSRF filter checks on POST -->
    <INPUT TYPE="HIDDEN" NAME="org.apache.catalina.filters.CSRF_NONCE" VALUE="<%=session.getAttribute("org.apache.catalina.filters.CSRF_NONCE")%>">
    <INPUT TYPE="HIDDEN" NAME="id" VALUE="0">
    <INPUT TYPE="SUBMIT" VALUE="Submit">
</FORM>
I am stuck getting a 403 forbidden though. Not sure what I am doing wrong.
Thanks
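The following is an added example, not code from the question or from Tomcat. It is a plain-Java model of how Tomcat's CsrfPreventionFilter treats the nonce: the session attribute named org.apache.catalina.filters.CSRF_NONCE holds a per-session cache of recently issued nonces (not a single nonce string), a non-entry-point request must carry one of those nonces in the request parameter of the same name, and encodeURL() is what appends the freshly issued nonce to a URL. The Session, NonceCache, filter() and encodeURL() names here are this example's own stand-ins for HttpSession, the filter's cache and the response wrapper; the "current-nonce" attribute is example-only bookkeeping. It runs without a servlet container.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CsrfNonceModel {

    // Same string as Tomcat's Constants.CSRF_NONCE_REQUEST_PARAM and
    // Constants.CSRF_NONCE_SESSION_ATTR_NAME (both constants carry this value).
    static final String NONCE_NAME = "org.apache.catalina.filters.CSRF_NONCE";

    /** Stand-in for the per-session LRU cache of issued nonces that the filter keeps. */
    static final class NonceCache extends LinkedHashMap<String, Boolean> {
        private final int capacity;
        NonceCache(int capacity) { super(16, 0.75f, true); this.capacity = capacity; }
        @Override protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
            return size() > capacity;
        }
        void add(String nonce)         { put(nonce, Boolean.TRUE); }
        boolean contains(String nonce) { return containsKey(nonce); }
        // toString() prints the whole map: that is what <%= session.getAttribute(...) %> would emit.
    }

    /** Stand-in for HttpSession: a plain attribute map (example-only). */
    static final class Session {
        final Map<String, Object> attributes = new HashMap<>();
        Object getAttribute(String name)             { return attributes.get(name); }
        void setAttribute(String name, Object value) { attributes.put(name, value); }
    }

    private static final SecureRandom RANDOM = new SecureRandom();

    static String newNonce() {
        byte[] b = new byte[16];
        RANDOM.nextBytes(b);
        StringBuilder sb = new StringBuilder(32);
        for (byte x : b) sb.append(String.format("%02x", x & 0xff));
        return sb.toString();
    }

    /**
     * One pass of the filter. Returns 403 when a non-entry-point request does not carry a
     * nonce present in the session cache; otherwise issues a fresh nonce, stores it, returns 200.
     */
    static int filter(Session session, String path, Set<String> entryPoints, String nonceParam) {
        NonceCache cache = (NonceCache) session.getAttribute(NONCE_NAME);
        if (!entryPoints.contains(path)) {
            if (cache == null || nonceParam == null || !cache.contains(nonceParam)) {
                return 403;
            }
        }
        if (cache == null) {
            cache = new NonceCache(5);   // Tomcat's default nonceCacheSize is 5
            session.setAttribute(NONCE_NAME, cache);
        }
        String fresh = newNonce();
        cache.add(fresh);
        session.setAttribute("current-nonce", fresh); // example-only: the wrapper holds this in Tomcat
        return 200;
    }

    /** Model of response.encodeURL() under the filter: appends the nonce issued on this response. */
    static String encodeURL(Session session, String url) {
        String nonce = (String) session.getAttribute("current-nonce");
        if (nonce == null) return url;
        String sep = url.contains("?") ? "&" : "?";
        return url + sep + NONCE_NAME + "=" + nonce;
    }

    /** Request-side view: the nonce parameter the container parses out of an encoded URL. */
    static String nonceParamOf(String url) {
        int i = url.indexOf(NONCE_NAME + "=");
        if (i < 0) return null;
        String rest = url.substring(i + NONCE_NAME.length() + 1);
        int amp = rest.indexOf('&');
        return amp < 0 ? rest : rest.substring(0, amp);
    }

    public static void main(String[] args) {
        Session session = new Session();
        Set<String> entryPoints = Set.of("/index.jsp");

        // 1. Entry point: no nonce required; the filter creates the cache and issues a nonce.
        int first = filter(session, "/index.jsp", entryPoints, null);

        // 2. What the question's hidden field sends: the cache object's toString(), not a nonce.
        String hiddenValue = String.valueOf(session.getAttribute(NONCE_NAME));
        int withCacheString = filter(session, "/exampleservlet", entryPoints, hiddenValue);

        // 3. What the documentation prescribes: a form action run through encodeURL().
        String action = encodeURL(session, "/exampleservlet");
        int withEncodedUrl = filter(session, "/exampleservlet", entryPoints, nonceParamOf(action));

        System.out.println("entry point         -> " + first);
        System.out.println("cache toString()    -> " + withCacheString + " (sent: " + hiddenValue + ")");
        System.out.println("encodeURL() action  -> " + withEncodedUrl + " (" + action + ")");
    }
}
```

Running it prints 200, then 403, then 200: step 2 reproduces the question's symptom because the session attribute is the nonce cache rather than a nonce string, so its printed form never matches a cached value. In a JSP the equivalent of step 3 is ACTION="<%= response.encodeURL("/exampleservlet") %>", which puts the nonce on the form's URL as a query parameter; request.getParameter() sees query parameters on a POST too, so the filter finds it and the hidden field for the nonce is not needed.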