As you may know by now, we released GlassFish 3.1.2 yesterday. Tim Quinn has a nice overview of some of the security-related changes, but one change he didn’t cover was one in the RESTful administration area, namely CSRF protection. I won’t go into the details of what CSRF attack is here, but I do want to show we’ve added protections to GlassFish to make sure the server is as secure as possible.
For the curious, we implemented the CSRF protection using a filter provided by the Jersey team. As you can see from the javadoc, this change only affects requests that change state (POST, PUT, DELETE, etc).
To update your client code, all you need to do is add the
X-Requested-By header. Its value doesn’t matter:
curl -X POST -H 'X-Requested-By: YeaGlassFish' -d key=value \ http://localhost:4848/management/domain/path/to/resource
That’s all there is to it. It’s a very simple change, but an important one. If you run into any issues with this, please let us know!