I need to implement a CSRF filter in my application, which is running on Tomcat 7. I have used the Tomcat CSRF filter to make this work in my application. Every action I submit needs to be encoded by HttpServlet#encodeURL.
Since my application is very legacy, there are a lot of JSPs, nearly 700, which call actions from JSP to JSP or from JSP to servlet using scriptlet tags or JavaScript.
How can I configure a filter or any kind of mechanism which makes every action submitted to a servlet be encoded by HttpServletResponse#encodeURL?
Anyway, I have tried to implement a filter which wraps the servlet request with the encoded URL. I followed this link, Request URL Rewriting, as below.
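```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

public class UrlRewriteFilter implements Filter {
    @Override
    public void init(FilterConfig config) throws ServletException {
        // no initialisation needed
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest req = (HttpServletRequest) request;
        final HttpServletResponse res = (HttpServletResponse) response;
        // Wrap the incoming request so that getRequestURL() returns the encoded URL
        final HttpServletRequestWrapper wrapped = new HttpServletRequestWrapper(req) {
            @Override
            public StringBuffer getRequestURL() {
                final StringBuffer originalUrl = req.getRequestURL();
                // encodeURL takes a String, so convert the StringBuffer first
                return new StringBuffer(res.encodeURL(originalUrl.toString()));
                // I also tried building the StringBuffer above including the server path, but it still does not work
            }
        };
        chain.doFilter(wrapped, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```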
I have tried the above solution, but it is still not working.
"Not working" means that the CsrfPreventionFilter is denying every request by returning a 403 code.
If I submit any JSP with response.encodeURL("url"), it works.
Please suggest any way in which I can write such a filter.
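
An added example, not part of the original post: CsrfPreventionFilter checks a nonce request parameter that response.encodeURL appends when a page is rendered, so one way to find which of the legacy JSPs still emit un-encoded URLs is an audit-only filter mapped ahead of it in web.xml. The class name MissingNonceAuditFilter and the log format are assumptions; the parameter name is Tomcat's default.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical audit-only filter: logs requests that arrive without the CSRF nonce. */
public class MissingNonceAuditFilter implements Filter {

    // Default name of the parameter that CsrfPreventionFilter appends in encodeURL()
    private static final String NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE";

    private ServletContext context;

    @Override
    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (req.getParameter(NONCE_PARAM) == null) {
            // The Referer names the page that rendered the un-encoded link or form
            context.log("CSRF audit: no nonce on " + req.getMethod() + " "
                    + clean(req.getRequestURI()) + " referer=" + clean(req.getHeader("Referer")));
        }
        // Never add or forge the nonce here; CsrfPreventionFilter still makes the decision
        chain.doFilter(request, response);
    }

    // URI and headers are client-controlled: strip control characters to prevent log forging
    private static String clean(String value) {
        if (value == null) {
            return "-";
        }
        String s = value.replaceAll("\\p{Cntrl}", "_");
        return s.length() > 200 ? s.substring(0, 200) : s;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Requests to the entry points configured on CsrfPreventionFilter are logged as well, since they legitimately arrive without a nonce; exclude them when reading the log.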