Coming Up for Air

GlassFish 3.1.2 and REST Security

Thursday, March 01, 2012 |

As you may know by now, we released GlassFish 3.1.2 yesterday. Tim Quinn has a nice overview of some of the security-related changes, but one change he didn’t cover was one in the RESTful administration area, namely CSRF protection. I won’t go into the details of what CSRF attack is here, but I do want to show we’ve added protections to GlassFish to make sure the server is as secure as possible.

For the curious, we implemented the CSRF protection using a filter provided by the Jersey team. As you can see from the javadoc, this change only affects requests that change state (POST, PUT, DELETE, etc). To update your client code, all you need to do is add the X-Requested-By header. Its value doesn’t matter:

curl -X POST -H 'X-Requested-By: YeaGlassFish' -d key=value \

That’s all there is to it. It’s a very simple change, but an important one. If you run into any issues with this, please let us know!



    Sample quote

    Quote source


    My name is Jason Lee. I am a software developer living in the middle of Oklahoma. I’ve been a professional developer since 1997, using a variety of languages, including Java, Javascript, PHP, Python, Delphi, and even a bit of C#. I currently work for Red Hat on the WildFly/EAP team, where, among other things, I maintain integrations for some MicroProfile specs, OpenTelemetry, Micrometer, Jakarta Faces, and Bean Validation. (Full resume here. LinkedIn profile)

    I am the president of the Oklahoma City JUG, and an occasional speaker at the JUG and a variety of technical conferences.

    On the personal side, I’m active in my church, and enjoy bass guitar, running, fishing, and a variety of martial arts. I’m also married to a beautiful woman, and have two boys, who, thankfully, look like their mother.

    My Links