servlet filters - CSRF Filtering using GWT RequestFactoryServlet
I am implementing a token-based system to prevent CSRF attacks in a RequestFactory-based GWT app.
To implement the filter on the server side I have overridden the doPost method on RequestFactoryServlet, thus:
```java
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
    // Token stored for this session, compared with the token the client sent in a request header.
    String sessionToken = CsrfTokenManager.getToken(request.getSession());
    String requestToken = request.getHeader(CsrfTokenManager.CSRF_TOKEN_NAME);
    if (sessionToken.equals(requestToken)) {
        super.doPost(request, response);
    } else {
        logger.error(String.format("Received unsafe HTTP request [%s]", getFullRequest(request)));
        response.sendError(401, "Unsafe HTTP request");
    }
}
```

This works in that it does not allow requests without a valid token to be processed, and the logs contain a suitable message, but the error is 500 Internal Server Error rather than 401.
Can anyone shed light on why, and what I should be doing differently?
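As an added example (not code from the question or from GWT), the same token check written as a standalone servlet Filter: it compares the tokens null-safely and in constant time and sends the 401 explicitly, so a missing session token is rejected rather than escaping as an uncaught exception, which a servlet container reports as a 500. The header name, the session attribute name and the class name are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Rejects POST requests whose CSRF header does not match the token held in the session. */
public class CsrfFilter implements Filter {
    // Assumed names: the header the client sends and the session attribute holding the token.
    static final String CSRF_TOKEN_NAME = "X-CSRF-Token";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only state-changing requests carry the token; GETs pass through untouched.
        if (!"POST".equals(request.getMethod())) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): never create a session just to reject a request.
        HttpSession session = request.getSession(false);
        String sessionToken = session == null ? null : (String) session.getAttribute(CSRF_TOKEN_NAME);
        String requestToken = request.getHeader(CSRF_TOKEN_NAME);

        if (tokensMatch(sessionToken, requestToken)) {
            chain.doFilter(req, res);
        } else {
            // Explicit status code: the container maps an uncaught exception here to a 500 instead.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unsafe HTTP request");
        }
    }

    /** Null-safe, constant-time comparison: a missing token on either side is a mismatch, not an exception. */
    static boolean tokensMatch(String expected, String actual) {
        if (expected == null || actual == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }
}
```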
There is little information provided on the reason for the 500 Internal Server Error. Please share the exception stack trace (a 500 Internal Server Error would have thrown one).
Also, avoid implementing a custom one if it is not based on the GWT recommendation. Read the StackOverflow query on CSRF with RequestFactory.