Develop Reference

Spring CSRF not working on Tomcat 7.0.28

I have a web application which uses Spring Security, version 4.0.1 and Spring version 4.1.6.
In every page of the web app I have the
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
parameter which sends the CSRF token to the server. Now my problem is that if I see the source code of the jsp I have
<input type="hidden" name="" value=""/>
so the token is not sent to the server and the post action results in the message HTTP Status 405 - Request method 'POST' not supported
If I deploy the same web application on Tomcat 7.0.5.x everything works fine, and it also works fine in WAS 7, WAS 8.5 and Jboss EAP 6.4.
I can not understand why on this version of Tomcat (7.0.28), which I downloaded from the web site without changing anything about configuration etc. , the CSRF protection offered by Spring Security is not working.

I faced the same problem: Tomcat 7.0.28 is not able to auto detect spring security filter.
My solution is to add this :
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
to the web.xml and try again.

Open tomacat/confg folder
see there is a file Context.xml and open it
change <Context> to <Context useHttpOnly="false">
then you have done.

How to temporarily disable Spring Security in Spring Web App

First, I am a complete noob when it comes to Spring. An application was left to me to work on by a colleague who is now on vacation. He told me to leave security alone, as the final approach is not decided yet, and just develop the rest of the application.
However security is enabled and prevents access to the main web page. I've checked several documents including
Disable Spring Security from spring-security.xml file
Disable Basic Authentication while using Spring Security Java configuration
http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-security.html
http://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html
without finding an answer that works.
I did the following:
Added index.html to <welcome-file-list> in web.xml. This directs me to the login page which was already included in the package I took over. So, I figured I could simply disable security.
In the spring security.xml added the attribute security="none". Now I no longer get the login page. I get a blank page.
In web.xml disabled
<!-- <filter> -->
<!-- <filter-name>springSecurityFilterChain</filter-name> -->
<!-- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> -->
<!-- </filter> -->
<!-- <filter-mapping> -->
<!-- <filter-name>springSecurityFilterChain</filter-name> -->
<!-- <url-pattern>/*</url-pattern> -->
<!-- </filter-mapping> -->
Still get blank page.
I see lots of other advice, but it assumes a lot more Spring knowledge than I currently have.
For example in the 4th link above I see:
If you define a #Configuration with #EnableWebSecurity anywhere in
your application it will switch off the default webapp security
settings in Spring Boot.
I don't know what they mean. I assume this means to put these annotations on some method somewhere, but I can't believe that this can go ANYWHERE in any java class in the application. Is there an example of doing this?
Can someone point me in the correct direction? Thanks.

Comment out <intercept-url pattern="" access="" /> tags in security XML file and give access to all the pages. This should work.

This seemed to work (in spring-security.xml)
<!-- <intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> -->
<intercept-url pattern="/**" access="permitAll" />

check your web.xml or your appContext.xml to find where is loaded the spring security.xml beans(it will be like <import resource=../spring security.xml>) and comment this out , also check the beans that are loaded from there before disabling it , cause it might redirecting or whatever

Issue with all my requests going twice through our filters on Tomcat 7

I have a problem with Tomcat 7, where all my requests are going twice through our filters. This results in a web-page where static text is displayed twice and all our ajax requests are also displayed twice. This started happening when we implemented the security filter shown below:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/system/*</url-pattern>
<url-pattern>/admin/*</url-pattern>
</filter-mapping>
When I deploy the same war-file on jetty 9 or tomcat 6 it works just fine! Does anyone know how to solve this issue?!
Setup:
Tomcat: 7.0.52
Spring: 3.2.8.RELEASE
Spring-security: 3.2.1.RELEASE
Apache Tiles: 3.0.3
We have tried the following with no luck:
reimplementing apache tiles
added this to /conf/context.xml: <Context resourceOnlyServlets="">
changed the order of our filters

mixing user session data in jboss

if someone can help with JBoss returning data from wrong user. Our setup is JBOSS 7.1.1 with Vaadin 7.1.6 and Shiro.
Our current problem is when multiple users use our Vaadin application it frequently returning data from other users to another curently loged user,. ie it is mixing users data. We have tried reinstaling the PC, changing browsers, disabling caching..., nothing helped. We aded CDI UI addon from Vaadin but it doesnt help.
Our previous issue with similar problem
Shiro returning wrong user data
We resolved some other authentication problems with disabling push but this problem stil persist.
Any help apreciated

I have the same problem but when i got to this page my web.xml was already setup.
I´m using JBoss AS 7.1.1, JSF 2 and Shiro. A user receive data from another sessionScope ManagedBean after an ajax call.
Any help apreciated.

If enyone else has the same issue, this is what you need to add to your web.xml:
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
...
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>

Caching with Tuckey UrlRewrite

I am trying to cache images, js and css by configuring the cache settings in urlrewrite.
My js/css files are getting cached as expected but the images won't. I am unable to see the Expires header for the images, despite of various combinations of configurations.
Here's the configuration in urlrewrite.xml:
<rule>
<from>^.*\.(js|css|jpeg|jpg|png)$</from>
<set type="expires">2 years</set>
</rule>
Here's how the directories (and files) look like on the server
/html/images/foo.jpg
/html/js/bar.js
/html/css/xyz.css
/WEB-INF/urlrewrite.xml
/WEB-INF/web.xml
I have hunted for configurations everywhere I could think of and there is no specific configuration for images.
Where should I look further? Any help would be appreciated. Thank You.
PS : I have a struts/spring project.

in which application server you are deploying tomcat?
if yes
<filter>
<filter-name>ExpiresFilter</filter-name>
<filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
<init-param>
<param-name>ExpiresByType image</param-name>
<param-value>access plus 100000 minutes</param-value>
</init-param>
<init-param>
<param-name>ExpiresByType text/css</param-name>
<param-value>access plus 100000 minutes</param-value>
</init-param>
<init-param>
<param-name>ExpiresByType application/javascript</param-name>
<param-value>access plus 10000 minutes</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ExpiresFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
use this url rewrite not required

First:
You should post all your url rewrite configuration you have.
Second:
Always check documentation for examples, i dont see what have you tried.
url rewrite version 4.0
url rewrite version 3.0
Three:
Know what version your working on.
Finally:
Here is Solution i did and its working nice.
The portion i have to modify in my case is adding the both lines
in three places yes three. why keep reading ))
<set type="response-header" name="Cache-Control">max-age=290304000</set>
<set type="expires" name="expires">24 hours</set>
......
<rule>
<from>/images/((?:(?!/).)*)/(.*)$</from>
<to encode="true" last="true" qsappend = "true">/files/get.html?file=$2&preset=$1</to>
<set type="response-header" name="Cache-Control">max-age=290304000</set>
<set type="expires" name="expires">24 hours</set>
</rule>
<outbound-rule>
<from>/images/(.*)/(.*).(jpg|png|jpeg|gif).html</from>
<to>/images/$1/$2.$3</to>
<set type="response-header" name="Cache-Control">max-age=290304000</set>
<set type="expires" name="expires">24 hours</set>
</outbound-rule>
<rule>
<from>/files/original/(.*)$</from>
<to encode="true" last="true" qsappend = "true">/files/get.html?file=$1</to>
<set type="response-header" name="Cache-Control">max-age=290304000</set>
<set type="expires" name="expires">24 hours</set>
</rule>
Reason:
Depending on your settings for your project there is rules
and there is out bound and other stuff ; they might re write
the url several times according to your rules complexity and logic
so in my case tried to do it with minimum addition but, it did not
work only when i add it to the three places ( without showing all my rules but you got the idea :) )
And i did this as well its Better Approach as well
Using APACHE configuration