Servlet 3.0 + WAS 8.5 - org.directwebremoting.util.CommonsLoggingOutput error A request has been denied as a potential CSRF attack.

devmgs
In Servlet 2.5 and WebSphere Application Server 7.5: working fine.
In Servlet 3.0 and WebSphere Application Server 8.5: giving an error.

I get the message:
org.directwebremoting.util.CommonsLoggingOutput error A request has been denied as a potential CSRF attack.
I am using DWR inside the web application, so there must not be any cross-site referencing, but I still get this error.
The problem can be resolved by adding:
<init-param>
  <param-name>crossDomainSessionSecurity</param-name>
  <param-value>false</param-value>
</init-param>

It works fine in Servlet 2.5 without these entries.

But why do I have to add this when I am using DWR inside the application (the change is that I am using Servlet 3.0 now), as it makes DWR vulnerable to security risks?

david@butterdev.com
In the future, questions should go to the Users mailing list.
Also, you should always try searching the Users mailing list first; this question has been asked numerous times:

For an answer:
http://dwr.2114559.n2.nabble.com/DWR-CSRF-Security-Error-with-HttpOnly-cookies-td4550130.html#a4550210

On 11/20/2012 03:20 AM, devmgs wrote:
> In Servlet 2.5 and WebSphere Application Server 7.5: working fine.
> In Servlet 3.0 and WebSphere Application Server 8.5: giving an error.
>
> I get the message:
> org.directwebremoting.util.CommonsLoggingOutput error A request has been denied as a potential CSRF attack.
> I am using DWR inside the web application, so there must not be any cross-site referencing, but I still get this error.
> The problem can be resolved by adding:
> <init-param>
>   <param-name>crossDomainSessionSecurity</param-name>
>   <param-value>false</param-value>
> </init-param>
>
> It works fine in Servlet 2.5 without these entries.
>
> But why do I have to add this when I am using DWR inside the application (the change is that I am using Servlet 3.0 now), as it makes DWR vulnerable to security risks?
>
> --
> View this message in context: http://dwr.2114559.n2.nabble.com/Servlet-3-0-WAS-8-5-org-directwebremoting-util-CommonsLoggingOutput-error-A-request-has-been-denied--tp7580127.html
> Sent from the DWR - Dev mailing list archive at Nabble.com.
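
The following is an added example, not part of either post and not DWR's own code. It models the failure under two assumptions: that the session cookie is now HttpOnly (the cause named in the title of the linked thread), and that the check compares a script-supplied copy of the session id with the session cookie. All names except `crossDomainSessionSecurity` and `JSESSIONID` are hypothetical, and the cookie values are constructed.

```javascript
// Constructed model of a session-id comparison check (assumption, not DWR source).

// What a page script can read: document.cookie omits HttpOnly cookies.
function scriptVisibleCookies(jar) {
  return jar.filter(c => !c.httpOnly)
            .map(c => `${c.name}=${c.value}`)
            .join("; ");
}

// Client side: copy the session id from the visible cookies into the request body.
function buildCall(jar) {
  const m = /(?:^|;\s*)JSESSIONID=([^;]*)/.exec(scriptVisibleCookies(jar));
  return { body: { httpSessionId: m ? m[1] : "" }, cookies: jar };
}

// Server side: the browser attaches every cookie, HttpOnly or not.
// The call passes only when the body copy equals the cookie value.
function serverAccepts(request, crossDomainSessionSecurity) {
  if (!crossDomainSessionSecurity) return true;   // check switched off
  const sess = request.cookies.find(c => c.name === "JSESSIONID");
  if (!sess) return true;                         // no session to protect
  return request.body.httpSessionId === sess.value;
}

// Constructed cookie jars: script-readable cookie vs HttpOnly cookie.
const readableJar = [{ name: "JSESSIONID", value: "abc123", httpOnly: false }];
const httpOnlyJar = [{ name: "JSESSIONID", value: "abc123", httpOnly: true }];

// A request built without access to the cookie value: the body carries no id,
// yet the browser still attaches the session cookie.
const noBodyId = { body: { httpSessionId: "" }, cookies: httpOnlyJar };

function demo() {
  return {
    readableCookie: serverAccepts(buildCall(readableJar), true),  // same-site call passes
    httpOnlyCookie: serverAccepts(buildCall(httpOnlyJar), true),  // same-site call denied
    noIdCheckOn: serverAccepts(noBodyId, true),                   // denied, as intended
    noIdCheckOff: serverAccepts(noBodyId, false),                 // accepted once disabled
  };
}

console.log(demo());
```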