
Difference between revisions of "Talk:CSRF Guard"

From OWASP
Revision as of 21:50, 20 April 2007

Should this be in the Countermeasure category and listed on https://www.owasp.org/index.php/Category:Countermeasure?

Absolutely - fixed

Having a hard time getting it to work with Weblogic 8.1

I tried it out. For some reason, I always get the following stack trace. Could you please help?

java.lang.IllegalStateException: response already committed
        at weblogic.servlet.jsp.JspWriterImpl.clear(JspWriterImpl.java:85)
        at jsp_servlet.__welcome._jspService(__welcome.java:2310)
        at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
        at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:996)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:419)
        at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:28)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
        at org.owasp.csrf.CSRFGuard.doChain(CSRFGuard.java:96)
        at org.owasp.csrf.CSRFGuard.doFilter(CSRFGuard.java:71)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6458)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
        at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3661)
        at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2630)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)


This exception occurs when your application tries to write to a response that
has already been committed. In this case, we use a MutableHttpRequest, which
should capture all these writes and allow us to change them later in the filter.
However, there may be a few methods - like addHeader perhaps - that aren't handled
in the MutableHttpRequest. This is just a guess.  Can you share what's happening
in your JSP (welcome.jsp) that causes this error?
--Jeff Williams 17:22, 20 April 2007 (EDT)
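The buffering approach Jeff describes (a wrapped response that captures the JSP's writes so the filter can change them before anything is committed), as an added illustration that is not CSRFGuard's code: BufferingResponse, TokenInjectingFilter, the csrf_token field name and TOKEN_PLACEHOLDER are hypothetical, and the code assumes the Servlet 2.x javax.servlet API.

```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical buffering wrapper (not CSRFGuard's own class): writes land in memory,
// so the real response stays uncommitted while the JSP runs and a forward's out.clear()
// only has to discard this buffer.
class BufferingResponse extends HttpServletResponseWrapper {
    private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
    private PrintWriter writer;
    private ServletOutputStream stream;
    BufferingResponse(HttpServletResponse r) { super(r); }
    String encoding() {                       // Servlet 2.3 may return null here
        String enc = getCharacterEncoding();
        return enc == null ? "ISO-8859-1" : enc;
    }
    @Override public ServletOutputStream getOutputStream() {
        if (stream == null) stream = new ServletOutputStream() {
            @Override public void write(int b) { buf.write(b); }
        };
        return stream;
    }
    @Override public PrintWriter getWriter() throws IOException {
        if (writer == null) writer = new PrintWriter(new OutputStreamWriter(buf, encoding()));
        return writer;
    }
    @Override public boolean isCommitted() { return false; } // nothing sent yet
    @Override public void flushBuffer() { }                   // hold everything back
    @Override public void resetBuffer() { buf.reset(); }      // what a forward needs
    String body() throws IOException {
        if (writer != null) writer.flush();
        return buf.toString(encoding());
    }
}
// Filter that runs the chain against the buffer, then adds a hidden token field to
// each form before writing the real response. TOKEN_PLACEHOLDER stands in for a
// per-session random token; generating and verifying it is not shown here.
public class TokenInjectingFilter implements Filter {
    public void init(FilterConfig cfg) { }  public void destroy() { }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        BufferingResponse wrapped = new BufferingResponse(http);
        chain.doFilter(req, wrapped);            // JSP output is captured, not committed
        String page = wrapped.body().replace("</form>",
            "<input type=\"hidden\" name=\"csrf_token\" value=\"TOKEN_PLACEHOLDER\"/></form>");
        byte[] out = page.getBytes(wrapped.encoding());
        http.setContentLength(out.length);
        http.getOutputStream().write(out);
    }
}
```

With isCommitted() returning false and resetBuffer() clearing only the in-memory buffer, a forward's out.clear() never touches the already-sent real response.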

In welcome.jsp:

It does the following:

<jsp:forward page="/foo.jsp" />

and the weblogic jsp compiler translates this line into the following java code:

         if (true) { //forwarding request //[ /welcome.jsp; Line: 289]
           out.clear(); // clear current output buffer //[ /welcome.jsp; Line: 289]   // <-- IllegalStateException thrown here
           String __thePage =  //[ /welcome.jsp; Line: 289]
           //[ /foo.jsp; Line: 289]
           "/foo.jsp"; //[ /welcome.jsp; Line: 289]
           pageContext.forward(__thePage); //[ /welcome.jsp; Line: 289]
           return; //[ /welcome.jsp; Line: 289]
         } //[ /welcome.jsp; Line: 289]

So the exception was thrown from the out.clear() line marked above.