Issues with specifying unprotected pages in CSRFGuard3 Configuration

[Neeraj Kumar]

Experts,

I was trying to get CSRFGuard3 working for my Java application. The documentation didn't seem to help me here as I couldn't find any valid way to specify the unprotected pages for my app.

I have two small queries:

1) Is there a specific meaning of MYTAG in org.owasp.csrfguard.unprotected.<MYTAG>=/xyz/ ? I mean, does csrfguard look for these tags in a specified set of tags and may not function correctly if I give a random tag here like "MYTAG" in this example?

2) My webapp structure looks like this:

/admin/util/  - There are multiple .jsp, .js and .ico

/admin/util/charts/ - Again there are multiple .jsp, .js and .ico 

I want /admin/util/*.js and /admin/util/*.ico need to be unprotected. Is there a way to specify this withing one unprotected tag? If yes, how?

Any help would be appreciated.

Thanks.

Neeraj