Repository: wicket
Updated Branches:
  refs/heads/wicket-6.x 0884cddd3 -> 13e5d202c


WICKET-6274 Add origin header to ajax requests in BaseWicketTester


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/13e5d202
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/13e5d202
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/13e5d202

Branch: refs/heads/wicket-6.x
Commit: 13e5d202ca0772c7a121f78357806f45b95533b8
Parents: 0884cdd
Author: Artur Michałowski <[email protected]>
Authored: Sun Nov 6 15:33:04 2016 +0100
Committer: Martin Tzvetanov Grigorov <[email protected]>
Committed: Mon Nov 14 21:29:40 2016 +0100

----------------------------------------------------------------------
 .../CsrfPreventionRequestCycleListener.java     |  5 ++-
 .../wicket/util/tester/BaseWicketTester.java    | 16 ++++++-
 .../CsrfPreventionRequestCycleListenerTest.java | 45 ++++++++++----------
 .../apache/wicket/request/http/WebRequest.java  |  4 ++
 4 files changed, 44 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/13e5d202/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
----------------------------------------------------------------------
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index a3f8320..49cd813 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -34,6 +34,7 @@ import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
 import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.WebRequest;
 import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
 import org.apache.wicket.util.lang.Checks;
 import org.apache.wicket.util.string.Strings;
@@ -381,10 +382,10 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
         */
        protected String getSourceUri(HttpServletRequest containerRequest)
        {
-               String sourceUri = containerRequest.getHeader("Origin");
+               String sourceUri = 
containerRequest.getHeader(WebRequest.HEADER_ORIGIN);
                if (Strings.isEmpty(sourceUri))
                {
-                       sourceUri = containerRequest.getHeader("Referer");
+                       sourceUri = 
containerRequest.getHeader(WebRequest.HEADER_REFERER);
                }
                return normalizeUri(sourceUri);
        }
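Review bot: The Javadoc for getSourceUri starts above this hunk and should spell out the precedence now that both header names are constants, since the fallback is security-relevant: Origin is consulted first and Referer only when Origin is absent or empty, and a request carrying neither ends up with whatever normalizeUri produces for an empty value. Suggested sentence for that Javadoc: `Returns the request's Origin header, falling back to Referer when Origin is missing or empty; the value is passed through normalizeUri so a full Referer URL and a bare Origin compare the same way.` Whether normalizeUri really reduces a full URL to scheme://host[:port] is not visible here; the longerOriginAllowed test case elsewhere in this commit suggests it does, but that should be confirmed before documenting it as fact.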

http://git-wip-us.apache.org/repos/asf/wicket/blob/13e5d202/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
----------------------------------------------------------------------
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java 
b/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
index 600da9f..4e4332b 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/util/tester/BaseWicketTester.java
@@ -117,6 +117,7 @@ import org.apache.wicket.request.cycle.RequestCycle;
 import org.apache.wicket.request.cycle.RequestCycleContext;
 import org.apache.wicket.request.handler.render.PageRenderer;
 import 
org.apache.wicket.request.handler.resource.ResourceReferenceRequestHandler;
+import org.apache.wicket.request.http.WebRequest;
 import org.apache.wicket.request.http.WebResponse;
 import org.apache.wicket.request.mapper.IRequestMapperDelegate;
 import org.apache.wicket.request.mapper.parameter.PageParameters;
@@ -1157,8 +1158,9 @@ public class BaseWicketTester
                        Charset.forName(request.getCharacterEncoding()));
                transform(url);
                request.setUrl(url);
-               request.addHeader("Wicket-Ajax-BaseURL", url.toString());
-               request.addHeader("Wicket-Ajax", "true");
+               request.addHeader(WebRequest.HEADER_ORIGIN, 
createOriginHeader());
+               request.addHeader(WebRequest.HEADER_AJAX_BASE_URL, 
url.toString());
+               request.addHeader(WebRequest.HEADER_AJAX, "true");
 
                if (behavior instanceof AjaxFormSubmitBehavior)
                {
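Review bot: The synthesized Origin header is added unconditionally, so a test that already called `tester.addRequestHeader(WebRequest.HEADER_ORIGIN, "http://attacker.com/")` to simulate a cross-site Ajax call may end up with two Origin values on the mock request; if `addHeader` appends rather than replaces, `getHeader` returns whichever was added first and the forged value can be silently shadowed by the tester's own same-origin value, turning a negative CSRF test into a false pass. Consider only synthesizing the header when none is present: `if (request.getHeader(WebRequest.HEADER_ORIGIN) == null) { request.addHeader(WebRequest.HEADER_ORIGIN, createOriginHeader()); }`. The enclosing method starts and ends outside the hunk, so I cannot see whether the tester's pending headers are copied onto the request before or after this point.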
@@ -1178,6 +1180,16 @@ public class BaseWicketTester
 
                processRequest();
        }
+       
+       /**
+        * Build value to Origin header based on RequestCycle Url
+        * 
+        * @return Origin header
+        */
+       protected String createOriginHeader(){
+               Url url = RequestCycle.get().getRequest().getUrl();
+               return url.getProtocol() + "://" +url.getHost() + ":" + 
url.getPort();
+       }
 
        /**
         * 
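Review bot: createOriginHeader concatenates protocol, host and port without checking for null, so if the current request Url is relative or carries no explicit port (Url#getPort() appears to return an Integer, not an int) the result is a string such as `null://null:null` or `http://localhost:null`, which the CSRF listener would then compare against the real origin; given that the test file in this commit has a differentPortOriginAborted case, a spurious `:null` suffix could flip an Ajax request from allowed to aborted. Also, since this reads `RequestCycle.get()` before processRequest() runs, it is not obvious whether that is the cycle of the request being built or of the previous one; the Javadoc should say which. Suggested Javadoc: `Builds the value of the Origin header for an Ajax request from the current request's Url (scheme://host, plus :port when the Url carries one).` The body below omits the port when it is absent.
```java
protected String createOriginHeader()
{
	Url url = RequestCycle.get().getRequest().getUrl();
	StringBuilder origin = new StringBuilder();
	origin.append(url.getProtocol()).append("://").append(url.getHost());
	// Only emit ":port" when the Url actually carries one; otherwise the
	// listener would compare against a literal ":null" suffix.
	if (url.getPort() != null)
	{
		origin.append(':').append(url.getPort());
	}
	return origin.toString();
}
```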

http://git-wip-us.apache.org/repos/asf/wicket/blob/13e5d202/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
----------------------------------------------------------------------
diff --git 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
index a20aec1..57016a9 100644
--- 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
+++ 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
@@ -25,6 +25,7 @@ import org.apache.wicket.WicketTestCase;
 import 
org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
 import org.apache.wicket.request.IRequestHandler;
 import org.apache.wicket.request.component.IRequestablePage;
+import org.apache.wicket.request.http.WebRequest;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -50,7 +51,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                // Rendering a page is allowed, regardless of Origin (this 
allows external links into your
                // website to function)
 
-               tester.addRequestHeader("Origin", "https://google.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"https://google.com/";);
 
                tester.startPage(FirstPage.class);
                tester.assertRenderedPage(FirstPage.class);
@@ -72,7 +73,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        public void disabledListenerDoesntCheckMismatchedOrigin()
        {
                csrfEnabled = false;
-               tester.addRequestHeader("Origin", "http://malicioussite.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://malicioussite.com/";);
                tester.clickLink("link");
                assertOriginsNotChecked();
                tester.assertRenderedPage(SecondPage.class);
@@ -114,7 +115,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        public void matchingOriginsAllowed()
        {
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
-               tester.addRequestHeader("Origin", "http://localhost/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost/";);
 
                tester.clickLink("link");
 
@@ -127,7 +128,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        public void conflictingOriginsAllowed()
        {
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -139,7 +140,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void conflictingOriginsSuppressed()
        {
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
                csrfListener.setConflictingOriginAction(CsrfAction.SUPPRESS);
 
                tester.clickLink("link");
@@ -152,7 +153,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void conflictingOriginsAborted()
        {
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -166,7 +167,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                setErrorCode(401);
                setErrorMessage("NOT AUTHORIZED");
 
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
                csrfListener.setNoOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -180,7 +181,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        {
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
                csrfListener.addAcceptedOrigin("example.com");
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -195,7 +196,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                csrfListener.addAcceptedOrigin("example.com");
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
 
-               tester.addRequestHeader("Origin", "http://foo.example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://foo.example.com/";);
 
                tester.clickLink("link");
 
@@ -210,7 +211,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void conflictingOriginPageNotCheckedAllowed()
        {
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                // disable the check for this page
@@ -240,7 +241,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                setSuppressHandler(thirdPageRedirect);
                csrfListener.setConflictingOriginAction(CsrfAction.SUPPRESS);
 
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -266,7 +267,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                setAllowHandler(thirdPageRedirect);
                csrfListener.setConflictingOriginAction(CsrfAction.ALLOW);
 
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
 
                tester.clickLink("link");
 
@@ -291,7 +292,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
                };
                setAbortHandler(thirdPageRedirect);
 
-               tester.addRequestHeader("Origin", "http://example.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://example.com/";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -309,7 +310,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void differentPortOriginAborted()
        {
-               tester.addRequestHeader("Origin", "http://localhost:8080";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost:8080";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -321,7 +322,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void differentSchemeOriginAborted()
        {
-               tester.addRequestHeader("Origin", "https://localhost";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"https://localhost";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -333,7 +334,7 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
        @Test
        public void longerOriginAllowed()
        {
-               tester.addRequestHeader("Origin", 
"http://localhost/supercalifragilisticexpialidocious";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost/supercalifragilisticexpialidocious";);
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                tester.clickLink("link");
@@ -349,14 +350,14 @@ public class CsrfPreventionRequestCycleListenerTest 
extends WicketTestCase
                csrfListener.setConflictingOriginAction(CsrfAction.ABORT);
 
                // first render a page in the user's session
-               tester.addRequestHeader("Origin", "http://localhost";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost";);
                tester.startPage(ThirdPage.class);
 
                assertOriginsNotChecked();
                tester.assertRenderedPage(ThirdPage.class);
 
                // then click on a link from another external page
-               tester.addRequestHeader("Origin", "http://attacker.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://attacker.com/";);
                tester.clickLink("link", true);
 
                assertConflictingOriginsRequestAborted();
@@ -369,14 +370,14 @@ public class CsrfPreventionRequestCycleListenerTest 
extends WicketTestCase
                csrfListener.setConflictingOriginAction(CsrfAction.SUPPRESS);
 
                // first render a page in the user's session
-               tester.addRequestHeader("Origin", "http://localhost";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost";);
                tester.startPage(ThirdPage.class);
 
                assertOriginsNotChecked();
                tester.assertRenderedPage(ThirdPage.class);
 
                // then click on a link from another external page
-               tester.addRequestHeader("Origin", "http://attacker.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://attacker.com/";);
                tester.clickLink("link", true);
 
                assertConflictingOriginsRequestSuppressed();
@@ -390,14 +391,14 @@ public class CsrfPreventionRequestCycleListenerTest 
extends WicketTestCase
                csrfListener.setConflictingOriginAction(CsrfAction.SUPPRESS);
 
                // first render a page in the user's session
-               tester.addRequestHeader("Origin", "http://localhost";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://localhost";);
                tester.startPage(ThirdPage.class);
 
                assertOriginsNotChecked();
                tester.assertRenderedPage(ThirdPage.class);
 
                // then click on a link from another external page
-               tester.addRequestHeader("Origin", "http://attacker.com/";);
+               tester.addRequestHeader(WebRequest.HEADER_ORIGIN, 
"http://attacker.com/";);
                tester.submitForm("form");
 
                assertConflictingOriginsRequestSuppressed();

http://git-wip-us.apache.org/repos/asf/wicket/blob/13e5d202/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java
----------------------------------------------------------------------
diff --git 
a/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java 
b/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java
index fbadee2..1ac1596 100644
--- 
a/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java
+++ 
b/wicket-request/src/main/java/org/apache/wicket/request/http/WebRequest.java
@@ -47,6 +47,10 @@ public abstract class WebRequest extends Request
        public static final String HEADER_AJAX_BASE_URL = "Wicket-Ajax-BaseURL";
        /** anti-cache query parameter added by Wicket.Ajax.Request at its URL 
*/
        public static final String PARAM_AJAX_REQUEST_ANTI_CACHE = "_";
+       /** {@code Origin} http header */
+       public static final String HEADER_ORIGIN = "Origin";
+       /** {@code Referer} http header */
+       public static final String HEADER_REFERER = "Referer";
 
        /**
         * @return request cookies
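Review bot: The Javadoc for the new constants should make clear that the values are the wire names and must not be "corrected", in particular the historical misspelling of Referer; a future cleanup that renames it to "Referrer" would silently disable the CSRF listener's fallback. Suggested comments: `/** {@code Origin} HTTP header, sent by browsers on cross-origin and non-GET requests */` and `/** {@code Referer} HTTP header; the misspelling is the name on the wire (RFC 7231) and must be kept */`.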
