[
https://issues.apache.org/jira/browse/WICKET-5326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14135913#comment-14135913
]
SATISH GUTTA commented on WICKET-5326:
--------------------------------------
I am attaching Wicket_6_1_6_QuickStart which covers 1 and 2 explained below.
Please note I have a web.xml entry "<session-timeout>2</session-timeout>" which
makes it easier to replicate session expiry (2 mins).
Quick Start Application flow:
2.1 Hit the root URL http://localhost:8080; you will navigate to the home page
with a link to the First Navigation page.
2.2 In the First Navigation Page we have a link to the Second Navigation Page.
2.3 In the Second Navigation Page we have a link back to the home page.
1. To prevent XSRF attacks we have overridden the following default Wicket
settings in the org.apache.wicket.protocol.http.WebApplication#init() method:
    getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
    setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
With the above setting, home page URLs/links are unencrypted and
exposed. When you navigate past the home page, URLs/links are encrypted.
The problem I am trying to explain is already in the comment
posted by Walter B. Rasmann (05/Sep/13 14:07),
but I am not finding a clear answer explaining this
behavior.
2. The second problem is on session expiry: you click on a link in the home page
and you remain on the home page; you are neither navigated to the
link you clicked nor redirected to the PageExpired page, which is configured
in the org.apache.wicket.protocol.http.WebApplication#init() method as follows:
    getApplicationSettings().setPageExpiredErrorPage(PageExpired.class);
    mountPage("/" + PageExpired.STATUS_CODE, PageExpired.class);
With that said, the behavior is different when links
on other pages (the link in the First Navigation page from the quickstart)
are clicked on session expiry: you actually hit the
PageExpired page.
Why is the behavior different for home page links
compared to links on other pages when it comes to session expiry?
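A complete WebApplication#init() that puts the two settings from the comment together, as an added example rather than the attached quickstart's own code. The package name, MyApplication and HomePage are assumed; PageExpired and PageExpired.STATUS_CODE are the page class the comment names.

```java
package com.example.wicketcrypto; // assumed package, not from the quickstart

import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;

// Assumed application class; HomePage and PageExpired are page classes of the quickstart.
public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }

    @Override
    public void init() {
        super.init();

        // Where a request for a stateful page that no longer exists (e.g. after the
        // 2-minute session timeout from web.xml) is sent, on a stable mounted path.
        getApplicationSettings().setPageExpiredErrorPage(PageExpired.class);
        mountPage("/" + PageExpired.STATUS_CODE, PageExpired.class);

        // Per-session encryption key: each HTTP session gets its own key, so an
        // encrypted URL captured from one session is not usable from another.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());

        // Done last so the CryptoMapper wraps the compound mapper that already holds
        // every mount: URLs it renders are encrypted, incoming encrypted URLs are
        // decrypted and then handed to the wrapped mapper as usual.
        setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
    }
}
```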
> Wicket doesn't encrypt links and Ajax URLs when CryptoMapper is used
> --------------------------------------------------------------------
>
> Key: WICKET-5326
> URL: https://issues.apache.org/jira/browse/WICKET-5326
> Project: Wicket
> Issue Type: Bug
> Affects Versions: 6.10.0
> Environment: Linux
> Reporter: Walter B. Rasmann
> Assignee: Martin Grigorov
> Labels: security
> Attachments: 5326.tar.gz, QueryParameterCryptoMapper.java,
> Wicket_6_1_6_QuickStart.zip
>
>
> URL encryption does not work in Wicket links and Ajax URLs.
> For links the URL appears unencrypted in the href attribute value and is only
> later forwarded to the encrypted URL using a 302 response.
> I am uploading a quickstart.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)