Repository: wicket
Updated Branches:
  refs/heads/master 1c13446b7 -> 44121fc0d


Add a section for CsrfPreventionRequestCycleListener


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/44121fc0
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/44121fc0
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/44121fc0

Branch: refs/heads/master
Commit: 44121fc0dc29d4d8ac941e56166cc605d7eb8965
Parents: 1c13446
Author: Martin Tzvetanov Grigorov <[email protected]>
Authored: Sun Aug 28 23:22:27 2016 +0200
Committer: Martin Tzvetanov Grigorov <[email protected]>
Committed: Sun Aug 28 23:22:27 2016 +0200

----------------------------------------------------------------------
 .../src/docs/guide/security/security_4_1.gdoc     | 18 ++++++++++++++++++
 wicket-user-guide/src/docs/guide/toc.yml          |  3 ++-
 2 files changed, 20 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/44121fc0/wicket-user-guide/src/docs/guide/security/security_4_1.gdoc
----------------------------------------------------------------------
diff --git a/wicket-user-guide/src/docs/guide/security/security_4_1.gdoc 
b/wicket-user-guide/src/docs/guide/security/security_4_1.gdoc
new file mode 100644
index 0000000..0ed7906
--- /dev/null
+++ b/wicket-user-guide/src/docs/guide/security/security_4_1.gdoc
@@ -0,0 +1,18 @@
+
+@CryptoMapper@ helps preventing CSRF attacks by making the urls impossible to 
be guessed by an attacker but still there is some theoretical chance this to 
happen.
+
+To further help against this kind of vulnerability Wicket provides 
@CsrfPreventionRequestCycleListener@ - a @IRequestCycleListener@ that forbids 
requests made from a different origin. By default only actions are forbidden, 
i.e. a request coming from different origin cannot execute @Link#onClick()@ or 
submit forms (@Form#onSubmit()@). Any request to render pages are still allowed 
so Wicket pages could be easily embedded in other applications.
+
+MyApplication.java
+{code}
+  @Override
+ protected void init() {
+  super.init();
+  getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
+  // ...
+ }
+{code}
+
+@CsrfPreventionRequestCycleListener@ is highly configurable. It allows to 
define a whitelist of allowed origins via @addAcceptedOrigin(String 
acceptedOrigin)@, to enable/disable it dynamically by overriding @isEnabled()@, 
to define different kind of actions when a request is rejected or allowed, to 
set custom error message and code for the rejected requests.
+
+@CsrfPreventionRequestCycleListener@ is not an alternative to @CryptoMapper@! 
Both of them could be used separately or in tandem to prevent CSRF attacks 
depending on the application requirements.
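Review bot: the new section never says how "a different origin" is determined or what happens to a request that carries no origin information at all; a reader configuring the listener needs that to judge whether legitimate traffic (for example, requests arriving through a proxy that strips headers) could be rejected, so a sentence on the origin check and its fallback behaviour belongs next to the "by default only actions are forbidden" paragraph. Two smaller points in the same hunk: the code sample's indentation is inconsistent (`@Override` is indented two spaces, `protected void init()` and the closing brace one space), and the prose has a few grammar slips worth fixing before publishing, e.g. "helps preventing CSRF attacks" should read "helps prevent CSRF attacks", "the urls" should read "the URLs", and "Any request to render pages are still allowed" should read "Any request to render a page is still allowed".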

http://git-wip-us.apache.org/repos/asf/wicket/blob/44121fc0/wicket-user-guide/src/docs/guide/toc.yml
----------------------------------------------------------------------
diff --git a/wicket-user-guide/src/docs/guide/toc.yml 
b/wicket-user-guide/src/docs/guide/toc.yml
index 71c19c9..0d0b336 100644
--- a/wicket-user-guide/src/docs/guide/toc.yml
+++ b/wicket-user-guide/src/docs/guide/toc.yml
@@ -176,7 +176,8 @@ security:
   security_1: Authentication
   security_2: Authorizations
   security_3: Using HTTPS protocol
-  security_4: URLs encryption in detail 
+  security_4: URLs encryption in detail
+  security_4_1: CSRF protection
   security_5: Package Resource Guard
   security_6: External Security Checks
   security_7: Summary
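Review bot: the key `security_4_1: CSRF protection` is numbered as a child of `security_4: URLs encryption in detail` but sits as a plain sibling in this flat list; please confirm this matches how the guide's toc.yml nests subsections elsewhere, otherwise the section will render at the same level as the chapter it refines. The trailing-whitespace removal on the `security_4` line is unrelated to the change but harmless.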
