Difference between revisions of "Talk:CSRF Guard"
From OWASP
Revision as of 21:50, 20 April 2007
Should this be in the Countermeasure category and listed on https://www.owasp.org/index.php/Category:Countermeasure?
Absolutely - fixed
Having a hard time getting it working with Weblogic 8.1
I tried it out. For some reason, I always get the following stack trace. Could you please help?
```
java.lang.IllegalStateException: response already committed
	at weblogic.servlet.jsp.JspWriterImpl.clear(JspWriterImpl.java:85)
	at jsp_servlet.__welcome._jspService(__welcome.java:2310)
	at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
	at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:996)
	at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
	at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:28)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
	at org.owasp.csrf.CSRFGuard.doChain(CSRFGuard.java:96)
	at org.owasp.csrf.CSRFGuard.doFilter(CSRFGuard.java:71)
	at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
	at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6458)
	at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
	at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
	at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3661)
	at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2630)
	at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
	at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
```
This exception occurs when your application tries to write to a response that has already been committed. In this case, we use a MutableHttpRequest, which should capture all these writes and allow us to change them later in the filter. However, there may be a few methods - like addHeader perhaps - that aren't handled in the MutableHttpRequest. This is just a guess. Can you share what's happening in your JSP (welcome.jsp) that causes this error? --Jeff Williams 17:22, 20 April 2007 (EDT)
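The buffering scheme Jeff describes, as an added illustration that is not CSRFGuard's own code: a servlet filter wraps the response so that everything the JSP writes lands in a buffer, rewrites the captured page (here by injecting a hidden token field into each form), and only then writes to the real response. It also shows the caveat from the thread: a wrapper that lets some method commit the underlying response too early breaks a later out.clear(), which is exactly what the generated code for a jsp:forward calls. All names here (BufferedResponse, TokenInjectingFilter, the "csrfToken" session attribute) are hypothetical.

```java
// Added illustration, not CSRFGuard's own code: a buffering response wrapper
// plus a filter that rewrites the captured page before it reaches the client.
// Class and attribute names are hypothetical.
import java.io.CharArrayWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

class BufferedResponse extends HttpServletResponseWrapper {
    private final CharArrayWriter buffer = new CharArrayWriter();
    private PrintWriter writer;

    BufferedResponse(HttpServletResponse response) { super(response); }

    @Override public PrintWriter getWriter() {
        if (writer == null) writer = new PrintWriter(buffer);
        return writer;
    }

    // This illustration buffers character output only; a production wrapper
    // must also capture getOutputStream(), or binary writes bypass the buffer
    // and commit the real response behind the filter's back.
    @Override public ServletOutputStream getOutputStream() {
        throw new UnsupportedOperationException("byte output is not buffered in this example");
    }

    // The failure mode from the thread: once anything commits the underlying
    // response, a later out.clear() (emitted for <jsp:forward>) throws
    // "response already committed". Deferring flushBuffer() and answering
    // isCommitted() from the buffer keeps the real response uncommitted until
    // the filter has finished rewriting.
    @Override public void flushBuffer() { /* deferred until the filter writes */ }
    @Override public boolean isCommitted() { return false; }
    @Override public void resetBuffer() { buffer.reset(); }
    @Override public void reset() { super.reset(); buffer.reset(); }

    String captured() {
        if (writer != null) writer.flush();
        return buffer.toString();
    }
}

public class TokenInjectingFilter implements Filter {
    private static final SecureRandom RNG = new SecureRandom();
    static final String TOKEN_ATTR = "csrfToken";   // hypothetical session key

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        BufferedResponse buffered = new BufferedResponse(response);
        chain.doFilter(request, buffered);   // the JSP, including any jsp:forward, writes into the buffer

        String page = rewrite(buffered.captured(), tokenFor(request.getSession()));
        PrintWriter out = response.getWriter();   // first write to the real response happens here
        out.write(page);
        out.flush();
    }

    // Inject a hidden token field before every closing form tag. A plain
    // string replace is enough to show the idea; a real rewrite should parse
    // the markup rather than pattern-match it.
    static String rewrite(String page, String token) {
        String field = "<input type=\"hidden\" name=\"" + TOKEN_ATTR + "\" value=\"" + token + "\"/>";
        return page.replace("</form>", field + "</form>");
    }

    // One random token per session; the comparison on state-changing requests
    // is the other half of the defence and is omitted here.
    static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_ATTR);
            if (token == null) {
                byte[] raw = new byte[16];
                RNG.nextBytes(raw);
                StringBuilder hex = new StringBuilder();
                for (byte b : raw) hex.append(String.format("%02x", b));
                token = hex.toString();
                session.setAttribute(TOKEN_ATTR, token);
            }
            return token;
        }
    }
}
```

The two overrides of flushBuffer() and isCommitted() are the part that matters for the error in this thread: with them in place, the out.clear() that the JSP compiler emits for a forward only resets the wrapper's buffer, and the container never sees a committed response until the filter itself writes.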
In welcome.jsp:
It does the following:
<jsp:forward page="/foo.jsp" />
and the Weblogic JSP compiler translates this line into the following Java code:
```java
if (true) { //forwarding request //[ /welcome.jsp; Line: 289]
    out.clear(); // clear current output buffer //[ /welcome.jsp; Line: 289]   <-- highlighted line
    String __thePage = //[ /welcome.jsp; Line: 289]
        //[ /foo.jsp; Line: 289]
        "/foo.jsp"; //[ /welcome.jsp; Line: 289]
    pageContext.forward(__thePage); //[ /welcome.jsp; Line: 289]
    return; //[ /welcome.jsp; Line: 289]
} //[ /welcome.jsp; Line: 289]
```
So the exception was thrown from the line highlighted above.