Re: CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery

Posted by Tyler Borland on Jun 19

I just saw this on reddit and have some questions that may answer my
question on why this took so long when tokens were implemented in other
areas of the product.

To start with, you seem to be able to disable three things. Application
security seems to be disabled by default and Java 2 Security would just
weaken certain points, if I have this correct due to IBM documentation.

The question I have is with the Administrative Security disablement….
