I am attempting to set up the inbuilt CsrfPreventionFilter in Tomcat 8.
I think I have read all the questions and answers in StackOverflow on this subject, but I can still not solve my problem.
I have home.jsp and reports.jsp
The URL of home.jsp (once it has been subjected to response.encodeUrl()) is
www.example.com/home.jsp?org.apache.catalina.filters.CSRF_NONCE=5E4BD8FEE1B4CC1DA79D874905015911
This is rendered correctly, not because the nonce is working, but because I set home.jsp to be an EntryPoint. However it does seem to prove that the CSRFPreventionFilter is up and running and generating nonces successfully.
If I press CTRL+N and then type in www.example.com/reports.jsp and then I add the same nonce, i.e. www.example.com/reports.jsp?org.apache.catalina.filters.CSRF_NONCE=5E4BD8FEE1B4CC1DA79D874905015911 then I get page 403. reports.jsp is not set up as an EntryPoint, but I would expect it to render successfully, as it has been supplied with a nonce.
What am I doing wrong?
(My question is somewhat similar to Getting 403 error when using CSRF filter with tomcat 6.0.32; but I feel that the answer is probably not in the way the CSRFPrevention Filter is set up, but perhaps some issue in the way I am dealing with the response/request internally, akin to @Pankaj Kumar's answer in Not able to authenticate post request for CSRF token with tomcat)
UPDATE
Here is the web.xml configuration
<filter>
<filter-name>CSRFPreventionFilter</filter-name>
<filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
<init-param>
<param-name>entryPoints</param-name>
<param-value>/images/404.JPG,/login.jsp,/home.jsp,/images/im_login.gif,/js/events.js,/js/menu.js,/js/amount_validation.js,/js/calendar.js,/js/toolbar.js,/js/tablesort.js,/js/scripts.js,/css/style.css</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CSRFPreventionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
filter-mappingforCsrfPreventionFilter? – Vengeresponse.encodeUrl()are on home.jsp. – Venge