Coming Up for Air

GlassFish 3.1.2 and REST Security

Thursday, March 01, 2012

As you may know by now, we released GlassFish 3.1.2 yesterday. Tim Quinn has a nice overview of some of the security-related changes, but one change he didn’t cover was one in the RESTful administration area, namely CSRF protection. I won’t go into the details of what a CSRF attack is here, but I do want to show the protections we’ve added to GlassFish to make sure the server is as secure as possible.

For the curious, we implemented the CSRF protection using a filter provided by the Jersey team. As you can see from the javadoc, this change only affects requests that change state (POST, PUT, DELETE, etc.). To update your client code, all you need to do is add the X-Requested-By header to those requests. Its value doesn’t matter:

curl -X POST -H 'X-Requested-By: YeaGlassFish' -d key=value \
    http://localhost:4848/management/domain/path/to/resource
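To make the server-side rule concrete, here is a small model of that header check run over some constructed requests. This is an added example, not GlassFish or Jersey code; it assumes the filter lets GET, HEAD and OPTIONS through untouched and answers other methods that lack X-Requested-By with 400 Bad Request, and the request objects and header values below are made up.

```python
"""Model of the header check behind GlassFish 3.1.2's REST CSRF protection.

Added example, not GlassFish or Jersey code. Assumption: safe methods
(GET/HEAD/OPTIONS) skip the check; any other method without an
X-Requested-By header is rejected with HTTP 400.
"""
from dataclasses import dataclass, field

HEADER_NAME = "X-Requested-By"
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def csrf_check(req: Request) -> tuple[int, str]:
    """Return (status, reason) for a request as the filter would decide it."""
    if req.method.upper() in SAFE_METHODS:
        return 200, "safe method, no CSRF check"
    # Header names are case-insensitive, so normalise before looking it up.
    present = any(k.lower() == HEADER_NAME.lower() for k in req.headers)
    if not present:
        return 400, f"missing {HEADER_NAME} header"
    return 200, "ok"


def with_csrf_header(req: Request, value: str = "YeaGlassFish") -> Request:
    """The client-side fix from the post: add the header, any value will do."""
    return Request(req.method, req.path, {**req.headers, HEADER_NAME: value})


# Constructed sample traffic. A cross-site HTML form can trigger a POST with the
# victim's credentials attached, but it cannot add a custom header, which is
# exactly the property the filter relies on.
FORGED_FORM_POST = Request("POST", "/management/domain/path/to/resource",
                           {"Content-Type": "application/x-www-form-urlencoded"})
ADMIN_GET = Request("GET", "/management/domain")

if __name__ == "__main__":
    for r in (ADMIN_GET, FORGED_FORM_POST, with_csrf_header(FORGED_FORM_POST)):
        print(r.method, r.path, csrf_check(r))
```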

That’s all there is to it. It’s a very simple change, but an important one. If you run into any issues with this, please let us know!


About

My name is Jason Lee. I am a software developer living in the middle of Oklahoma. I’ve been a professional developer since 1997, using a variety of languages, including Java, JavaScript, PHP, Python, Delphi, and even a bit of C#. I currently work for Red Hat on the WildFly/EAP team, where, among other things, I maintain integrations for some MicroProfile specs, OpenTelemetry, Micrometer, Jakarta Faces, and Bean Validation.

I am the president of the Oklahoma City JUG, and an occasional speaker at the JUG and a variety of technical conferences.

On the personal side, I’m active in my church, and enjoy bass guitar, running, fishing, and a variety of martial arts. I’m also married to a beautiful woman, and have two boys, who, thankfully, look like their mother.
