Top Level Elements
Apache Tomcat Configuration Reference
Container Provided Filters
Tomcat provides a number of Filters which may be
configured for use with all web applications using
$CATALINA_BASE/conf/web.xml or may be configured for individual
web applications by configuring them in the application's
WEB-INF/web.xml. Each filter is described below.
This description uses the variable name $CATALINA_BASE to refer the
base directory against which most relative paths are resolved. If you have
not configured Tomcat for multiple instances by setting a CATALINA_BASE
directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
the directory into which you have installed Tomcat.
|CSRF Prevention Filter|
This filter provides basic CSRF protection for a web application. The
filter assumes that it is mapped to
/* and that all URLs
returned to the client are encoded via a call to
This filter prevents CSRF by generating a nonce and storing it in the
session. URLs are also encoded with the same nonce. When the next request is
received the nonce in the request is compared to the nonce in the session
and only if they are the same is the request allowed to continue.
|Filter Class Name|
The filter class name for the CSRF Prevention Filter is
The CSRF Prevention Filter supports the following initialisation
A comma separated list of URLs that will not be tested for the
presence of a valid nonce. They are used to provide a way to navigate
back to a protected application after having navigated away from it.
Entry points will be limited to HTTP GET requests and should not trigger
any security sensitive actions.
The number of previously issued nonces that will be cached on a LRU
basis to support parallel requests, limited use of the refresh and back
in the browser and similar behaviors that may result in the submission
of a previous nonce rather than the current one. If not set, the default
value of 5 will be used.
The name of the class to use to generate nonces. The class must be an
java.util.Random. If not set, the default value
java.security.SecureRandom will be used.