[Owasp-csrfguard] The meaning of NewTokenLandingPage

Anders Båtstrand anderius+csrfguard at gmail.com
Fri Jul 15 06:04:07 EDT 2011


On 14 July 2011 19:27, Patrick Radtke <pradtke at stanford.edu> wrote:

>> If I read the source code correctly, the NewTokenLandingPage is written
>> to the response if session.isNew(), even if you visit an unprotected
>> page.
> I thought the CsrfGuardFilter would only get invoked if the page matched
> the URLs you defined as protected in the web.xml
>
> <filter-mapping>
> <filter-name>CSRFGuard</filter-name>
> <url-pattern>/manage/mf/*</url-pattern>
> </filter-mapping>
>
I am sorry I was not clear on my setup. To apply the principle of
white-listing, I apply the filter on all pages (except static resources),
and define all my exceptions (entry-points) in the properties file for
CSRFGuard (as unprotected pages).

I see that I could solve my problem by not applying the filter to pages I do
not want to be protected, but in my case the URLs are accessed from other
applications (so I cannot change them), and I do not want to introduce a
URL rewrite filter only for this.

Regards,

Anders Båtstrand
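For readers who want to see the white-listing layout Anders describes in concrete form, here is an added configuration example; it is not part of the original thread and not a file from the CSRFGuard project. It assumes the filter is mapped to `/*` in web.xml instead of `/manage/mf/*`, and that the CSRFGuard properties file uses the `org.owasp.csrfguard.unprotected.<Name>` and `org.owasp.csrfguard.NewTokenLandingPage` keys as in CSRFGuard 3.x (check them against your version); the path values are made up for the example.

```properties
# Added example, not from the original thread: CSRFGuard properties for a
# default-deny setup. The filter is mapped to /* in web.xml, so every
# request is checked unless it is listed here as an entry point.
# Key names follow CSRFGuard 3.x; the paths are constructed for illustration.

# Landing page served once a new session has been created. Note the
# behaviour discussed in the thread: when session.isNew() is true the
# filter sends the browser here even if the request matched one of the
# unprotected entries below.
org.owasp.csrfguard.NewTokenLandingPage=/index.jsp

# Entry points reached from other applications, which carry no token on
# their first request. Each key needs a distinct suffix after "unprotected.".
org.owasp.csrfguard.unprotected.Login=/login
org.owasp.csrfguard.unprotected.Callback=/integration/callback
```

The contrast with the `<url-pattern>/manage/mf/*</url-pattern>` mapping quoted above is the point: mapping the filter to `/*` makes every URL that is not listed protected by default, so a page added later is covered without a web.xml change. The cost is that the landing-page redirect on a brand-new session also applies to the white-listed cross-application entry points, which is exactly the difficulty Anders raises.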
