[Owasp-csrfguard] The meaning of NewTokenLandingPage

Patrick Radtke pradtke at stanford.edu
Thu Jul 14 13:27:54 EDT 2011


On 7/14/11 3:44 AM, Anders Båtstrand wrote:
> Hi
>
> I am trying to use CSRFGuard in an application, but I am having some 
> troubles. First, let me start with a question about NewTokenLandingPage.
>
> If I read the source code correctly, the NewTokenLandingPage is written 
> to the response if session.isNew(), even if you visit an unprotected 
> page.
I thought the CsrfGuardFilter would only get invoked if the page matched 
the URLs you defined as protected in the web.xml:

<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>/manage/mf/*</url-pattern>
</filter-mapping>

>
> I do not see the purpose of this, as the page does not require a 
> token. Is there someone that would like to elaborate on the meaning of 
> the NewTokenLandingPage?
I have never used it.
>
>
> PS: Are there any plans for migrating the project to Maven, and using 
> automatic testing? I would be very happy to help in that matter.
I would also be happy to help with such an effort.

-Patrick
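
Added example, not part of the original message and not CSRFGuard code: a sketch of the Java Servlet specification's url-pattern matching rules, usable to check which request paths a filter-mapping such as the `/manage/mf/*` one quoted above would route through the filter. The class name and the sample paths are constructed for illustration; paths are taken relative to the context root, without the query string.

```java
// Added example: which request paths does a <filter-mapping> url-pattern cover?
// Implements the Servlet specification's mapping rules: "/*" (everything),
// path-prefix ("/dir/*"), extension ("*.ext"), otherwise exact match.
public class FilterMappingCheck {   // hypothetical class name

    // path: request path relative to the context root, no query string.
    static boolean matches(String pattern, String path) {
        if (pattern.equals("/*")) {
            return true;                          // every request in the application
        }
        if (pattern.endsWith("/*")) {             // path-prefix mapping
            String prefix = pattern.substring(0, pattern.length() - 2);
            // The prefix must end on a path-segment boundary:
            // "/manage/mf/*" covers "/manage/mf" and "/manage/mf/x",
            // but not "/manage/mfx".
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {           // extension mapping
            int slash = path.lastIndexOf('/');
            int dot = path.lastIndexOf('.');
            return dot > slash && path.substring(dot).equals(pattern.substring(1));
        }
        return pattern.equals(path);              // exact mapping
    }

    public static void main(String[] args) {
        String pattern = "/manage/mf/*";          // url-pattern from the web.xml above
        // Constructed sample paths (hypothetical application layout).
        String[] paths = {
            "/manage/mf",
            "/manage/mf/edit",
            "/manage/mf/a/b.jsp",
            "/manage/mfx/edit",
            "/manage/other",
            "/index.jsp"
        };
        for (String p : paths) {
            System.out.printf("%-20s %s%n", p,
                    matches(pattern, p) ? "filter invoked" : "filter not invoked");
        }
    }
}
```

With the pattern above, only the first three sample paths are matched; state-changing endpoints outside `/manage/mf/` would need their own mapping to pass through the filter.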

