Hi, I have now implemented a rough first draft of a possible CSRF protection mechanism, just to get in touch with Tapestry internals. I would like to take this as the starting point for a discussion of what the final solution should look like.

I have implemented the following artefacts:

-) a mixin called Protected - attached to a form component it adds a hidden input field named formtoken and puts a UUID there. The same token is also stored in the session at the server side.
-) an annotation called Protected - an event handler method marked with this annotation performs a check of the HTTP request parameter formtoken against the session attribute formtoken. If both are equal everything is fine, otherwise an exception is thrown. Therefore I needed a ProtectedWorker class that does the actual class transformation for all methods that use the Protected annotation and configured it in the AppModule.

No change of the Tapestry source code was required, so everything is available in my example project: http://code.google.com/p/gsoc2011-csrf-protection/

There is also a description in my blog: http://viennamarkus.blogspot.com/2011/05/to-get-in-touch-with-tapestry-internals.html

This mechanism only solves the problem for form based requests; for actionLink based requests I still have to implement a first prototype.

Based on my experience so far, I will make some suggestions how the CSRF protection mechanism should finally look. For example the following decisions have to be made:

-) storing the token for comparison in the client cookie and not in the session
-) generating a token only once for a whole user session
-) AJAX requests would make a problem in the current solution because the server may update the token, but the client does not
-) extending all existing components with an implicit protection that can be switched on and off in the AppModule
-) ...

I am open to any kind of feedback,

Kind Regards,
Markus

--
View this message in context: http://tapestry.1045711.n5.nabble.com/CSRF-protection-tp4379034p4396015.html
Sent from the Tapestry - Dev mailing list archive at Nabble.com.
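The synchronizer-token check the post describes (hidden formtoken field compared against a session attribute), as an added, framework-independent Java sketch that is not code from the gsoc2011-csrf-protection project or from Tapestry. The session is modelled as a plain Map (a hypothetical stand-in for the HTTP session), and the `rotate` flag contrasts the per-session token of the author's second point with per-render rotation, which is what breaks the AJAX clients mentioned in the third point.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Hypothetical helper, not Tapestry's API: the "session" is a Map so this
// runs without a servlet container.
public final class FormTokenGuard {
    // Name of the hidden field and of the session attribute, as in the post.
    public static final String TOKEN_NAME = "formtoken";

    // What the Protected mixin does at render time. rotate=false reuses one
    // token for the whole session; rotate=true issues a fresh UUID on every
    // render, so a client that still holds the old one (e.g. an AJAX form)
    // will fail the check below.
    public static String issueToken(Map<String, Object> session, boolean rotate) {
        Object existing = session.get(TOKEN_NAME);
        if (!rotate && existing instanceof String) {
            return (String) existing;
        }
        String token = UUID.randomUUID().toString();
        session.put(TOKEN_NAME, token);
        return token;
    }

    // What the @Protected annotation checks: request parameter vs. session
    // attribute. Returns true on a match; the caller throws or rejects.
    public static boolean isValid(Map<String, Object> session, String requestParam) {
        Object stored = session.get(TOKEN_NAME);
        if (!(stored instanceof String) || requestParam == null) {
            return false; // no token issued yet, or none submitted
        }
        // Constant-time comparison so response timing does not leak the token.
        return MessageDigest.isEqual(
                ((String) stored).getBytes(StandardCharsets.UTF_8),
                requestParam.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String first = issueToken(session, false);
        System.out.println("same token accepted: " + isValid(session, first));
        System.out.println("foreign token accepted: " + isValid(session, "not-the-token"));
        // AJAX failure mode from the post: server rotates, client keeps the old token.
        issueToken(session, true);
        System.out.println("stale token accepted after rotation: " + isValid(session, first));
    }
}
```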
