You can prevent cross-site request forgery attacks by registering the org.glassfish.jersey.server.filter.CsrfProtectionFilter with the Jersey application. This filter expects the X-Requested-By header to be set on every request except those that do not change state, such as a GET request. If the X-Requested-By header is not found on such a request, a 400 Bad Request is returned to the client.
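The following is an added example, not Jersey's or Oracle ATG's code: a small Python model of the decision the filter makes for each request, run over a few constructed requests. It assumes that GET, HEAD and OPTIONS are the methods treated as not changing state and that only the presence of the header is checked, not its value; header-name matching is case-insensitive because HTTP header names are.

```python
"""Model of the X-Requested-By check made by a CSRF-protection request filter.

Added illustration, not Jersey's CsrfProtectionFilter itself. Assumptions:
GET, HEAD and OPTIONS are the exempt (state-preserving) methods, and the
filter only requires the header to be present.
"""

from typing import Mapping, Optional, Tuple

HEADER_NAME = "X-Requested-By"
# Assumption: the methods the filter treats as not changing state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def csrf_filter(method: str, headers: Mapping[str, str]) -> Optional[Tuple[int, str]]:
    """Return None to let the request through, or (status, reason) to abort it."""
    if method.upper() in SAFE_METHODS:
        return None
    # Header names are case-insensitive, so normalise before comparing.
    present = any(name.lower() == HEADER_NAME.lower() for name in headers)
    if not present:
        return (400, "Bad Request")
    return None


# Constructed sample requests: (method, headers).
SAMPLE_REQUESTS = [
    ("GET", {"Accept": "application/json"}),                    # exempt
    ("POST", {"Content-Type": "application/json"}),             # rejected: no header
    ("POST", {"Content-Type": "application/json",
              "x-requested-by": "app"}),                        # accepted: lower-case name
    ("DELETE", {"X-Requested-By": ""}),                         # accepted: presence only
]


def run_samples():
    """Apply the filter to each constructed request and collect the outcomes."""
    return [csrf_filter(method, headers) for method, headers in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, headers), outcome in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{method:7} {sorted(headers)} -> {outcome or 'allowed'}")
```

The check works because a cross-site HTML form submission or a cross-origin request sent without CORS approval cannot carry a custom header such as X-Requested-By; only the site's own scripts, which add the header deliberately, can produce a state-changing request that passes the filter.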
The Nucleus component for CsrfProtectionFilter allows easy registration of the filter. The following is an example of a CsrfProtectionFilter.properties file:

$class=org.glassfish.jersey.server.filter.CsrfProtectionFilter
$classloader=/atg/dynamo/service/jaxrs/JerseyClassLoaderService
The filter should be registered as a provider with the /atg/dynamo/service/jaxrs/ApplicationService Nucleus component by adding the following to the ApplicationServices.properties file:

providerInstances+=/atg/dynamo/service/jaxrs/security/CsrfProtectionFilter
For additional information on endpoint security, refer to Configuring Endpoint Security.