Talk:CSRF Guard

Revision as of 19:49, 22 April 2007 by Esheridan (talk | contribs)

Should this be in the Countermeasure category and listed on

Absolutely - fixed

Having a hard time getting it working with WebLogic 8.1

I tried it out. For some reason, I always get the following stack trace. Could you please help?

java.lang.IllegalStateException: response already committed
        at weblogic.servlet.jsp.JspWriterImpl.clear(
        at jsp_servlet.__welcome._jspService(
        at weblogic.servlet.jsp.JspBase.service(
        at weblogic.servlet.internal.ServletStubImpl$
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubIm
        at weblogic.servlet.internal.TailFilter.doFilter(
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
        at org.owasp.csrf.CSRFGuard.doChain(
        at org.owasp.csrf.CSRFGuard.doFilter(
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.ja
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationActio
        at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppSe
        at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestIm
        at weblogic.kernel.ExecuteThread.execute(

This exception occurs when your application tries to write to a response that
has already been committed. In this case, we use a MutableHttpRequest, which
should capture all these writes and allow us to change them later in the filter.
However, there may be a few methods - like addHeader perhaps - that aren't handled
in the MutableHttpRequest. This is just a guess.  Can you share what's happening
in your JSP (welcome.jsp) that causes this error?
--Jeff Williams 17:22, 20 April 2007 (EDT)
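To illustrate the mechanism Jeff describes, here is an added, hypothetical buffering wrapper (not CSRFGuard's own MutableHttpResponse, and written against the Servlet 2.x javax.servlet API of WebLogic 8.1): it keeps the JSP's output in memory and answers isCommitted(), resetBuffer() and flushBuffer() from that buffer, on the assumption that the container's JspWriter consults the wrapped response's isCommitted() before out.clear() throws "response already committed".

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical wrapper (not CSRFGuard's MutableHttpResponse): buffers the JSP's output so the
// real response stays uncommitted while the filter chain runs; commit-related calls are answered here.
public class BufferingResponseWrapper extends HttpServletResponseWrapper {
    private final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    private ServletOutputStream stream;
    private PrintWriter writer;
    public BufferingResponseWrapper(HttpServletResponse response) {
        super(response);
    }

    @Override
    public ServletOutputStream getOutputStream() {
        if (stream == null) {
            stream = new ServletOutputStream() {   // Servlet 2.x: only write(int) is abstract
                @Override public void write(int b) { buffer.write(b); }
            };
        }
        return stream;
    }

    @Override
    public PrintWriter getWriter() throws IOException {
        if (writer == null) {
            String enc = getCharacterEncoding();
            if (enc == null) enc = "ISO-8859-1";   // servlet default when no encoding was set
            writer = new PrintWriter(new OutputStreamWriter(buffer, enc));
        }
        return writer;
    }

    // Commit-related calls never reach the container while we are buffering.
    @Override public boolean isCommitted() { return false; }
    @Override public void flushBuffer() { /* deliberately a no-op; the filter flushes at the end */ }
    @Override public void resetBuffer() { buffer.reset(); }   // what a forward's out.clear() needs
    @Override public void reset() { super.reset(); buffer.reset(); }

    // The filter calls this after chain.doFilter(), edits the body, then writes it to the real response once.
    public byte[] getCapturedBody() throws IOException {
        if (writer != null) writer.flush();
        return buffer.toByteArray();
    }
}
```

The filter would wrap the response before chain.doFilter(req, wrapper) and, on return, write getCapturedBody() (after its own modifications) to the original response, so the client sees exactly one commit.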

In welcome.jsp:

It does the following:

<jsp:forward page="/foo.jsp" />

and this line is translated to the following Java code by the WebLogic JSP compiler:

         if (true) { //forwarding request //[ /welcome.jsp; Line: 289]
             out.clear(); // clear current output buffer //[ /welcome.jsp; Line: 289]
             String __thePage =  //[ /welcome.jsp; Line: 289]
                 //[ /foo.jsp; Line: 289]
                 "/foo.jsp"; //[ /welcome.jsp; Line: 289]
             pageContext.forward(__thePage); //[ /welcome.jsp; Line: 289]
             return; //[ /welcome.jsp; Line: 289]
         } //[ /welcome.jsp; Line: 289]

So the exception was thrown from the line highlighted above.

In the decompiled JspWriterImpl.class:

It shows:

   public void clear()
       throws IOException
           throw new IllegalStateException("response already committed");
       if(co != null)

After reviewing your stack trace, my initial response was the same as Jeff's: there is a clear() method that the MutableHttpResponse
object does not override. Unfortunately, I am unable to locate this method in either HttpServletResponse or ServletResponse. I have,
however, been working on an updated version of the OWASP CSRFGuard. This version does a much better job of overriding only
the appropriate servlet methods. I would be interested if you run into the same problems with this newer version. You can grab the
project here. In the tar file, under dist, is a compiled version of the
latest CSRFGuard. The following are the installation steps:

1. Untar the download
2. Copy ./dist/CSRFGuard-2.0.jar and ./lib/htmlparser.jar to the appropriate library location in WebLogic (./common/lib?)
3. Copy ./config/CSRFGuard.xml and ./config/CSRFGuardSchema.xsd to the appropriate WEB-INF directory.
4. Modify the entries in CSRFGuard.xml to contain only the pages that you wish to protect.

Please keep me informed of any troubles you run into when using this version. I would find your input very valuable in deciding what
needs to be addressed before releasing a final version of CSRFGuard 2.0. Hopefully your issue can be resolved with this release.

-Eric Sheridan