You can prevent cross-site request forgery attacks by registering the org.glassfish.jersey.server.filter.CsrfProtectionFilter with the Jersey application. Once registered, the filter requires the X-Requested-By header on every request except those that do not change state, such as a GET request. If the X-Requested-By header is not found on a state-changing request, a 400 Bad Request is returned to the client.

The Nucleus component for CsrfProtectionFilter allows easy registration of the filter. The following is an example of a CsrfProtectionFilter.properties file:

$class=org.glassfish.jersey.server.filter.CsrfProtectionFilter
$classloader=/atg/dynamo/service/jaxrs/JerseyClassLoaderService

The filter should be registered as a provider with the /atg/dynamo/service/jaxrs/ApplicationService Nucleus component by adding the following to the ApplicationService.properties file:

providerInstances+=/atg/dynamo/service/jaxrs/security/CsrfProtectionFilter
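
As an added illustration of the behaviour described above (this is example code, not part of the ATG documentation and not Jersey's own CsrfProtectionFilter), the following JAX-RS filter reproduces the documented rule: a request whose method may change state must carry an X-Requested-By header, otherwise it is aborted with 400 Bad Request before any resource method runs. The class name ExampleCsrfHeaderFilter and the set of methods treated as safe (GET, HEAD, OPTIONS) are assumptions; in an ATG deployment you register Jersey's filter through Nucleus exactly as the properties files above show.

```java
import java.io.IOException;
import java.util.Set;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Illustrative filter (hypothetical; not Jersey's CsrfProtectionFilter).
 * Enforces the rule the page describes: every request whose method may
 * change state must carry an X-Requested-By header, otherwise it is
 * rejected with 400 Bad Request before reaching any resource method.
 */
@Provider
@PreMatching
public class ExampleCsrfHeaderFilter implements ContainerRequestFilter {

    /** Header a same-origin client adds; a cross-site HTML form cannot attach it. */
    public static final String HEADER_NAME = "X-Requested-By";

    /** Methods treated as not changing state (assumed set; adjust to your API). */
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        if (!isSafeMethod(request.getMethod()) && !hasRequestedByHeader(request)) {
            // Abort the request chain; the resource method is never invoked.
            request.abortWith(Response.status(Response.Status.BAD_REQUEST)
                    .entity("Missing " + HEADER_NAME + " header")
                    .build());
        }
    }

    /** True for methods that, by convention, do not change server state. */
    static boolean isSafeMethod(String method) {
        return method != null && SAFE_METHODS.contains(method.toUpperCase());
    }

    /** Only presence is checked, matching the documented behaviour; the value itself is not validated. */
    static boolean hasRequestedByHeader(ContainerRequestContext request) {
        String value = request.getHeaderString(HEADER_NAME);
        return value != null && !value.isEmpty();
    }
}
```

A legitimate client sends the header on every state-changing call, for example with the JAX-RS client API: `ClientBuilder.newClient().target(uri).request().header("X-Requested-By", "XMLHttpRequest").post(entity)`. The protection relies on the browser's same-origin policy: a cross-site form submission cannot add a custom header, and a cross-origin XMLHttpRequest or fetch carrying one triggers a CORS preflight that the server must explicitly accept. Keep that in mind when configuring CORS on the same application; allowing X-Requested-By from arbitrary origins would undo the check.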

For additional information on endpoint security, refer to Configuring Endpoint Security.


Copyright © 1997, 2017 Oracle and/or its affiliates. All rights reserved. Legal Notices