Hi,
if somebody is interested in the current status of the CSRF protection, a
Maven repository is now available.
Add the following settings to your Tapestry pom.xml:
<repositories>
  <repository>
    <id>csrfprotection-snapshots</id>
    <url>https://gsoc2011-csrf-protection.googlecode.com/svn/maven/snapshot-repo</url>
  </repository>
</repositories>
<dependencies>
  <dependency>
    <groupId>org.apache.tapestry</groupId>
    <artifactId>csrfprotection</artifactId>
    <version>0.1-SNAPSHOT</version>
  </dependency>
</dependencies>
The CSRF protection module is compatible with the current Tapestry
5.3.0-SNAPSHOT, so you have to switch to that version:
<properties>
  <tapestry-release-version>5.3.0-SNAPSHOT</tapestry-release-version>
</properties>
Usage:
This module provides the following artefacts:
- csrfprotection/CsrfProtected mixin
- @CsrfProtected annotation
The mixin can be applied to any component. In the afterRender method it
calls the insertCSRFToken method of the component. If the component does not
provide this method, it is added by a ComponentClassTransformWorker that
scans all controlled packages for components. For known components an
optimized method is created; for other components a generic method is created
that works with an XPath expression.
The annotation can be applied to event handler methods, e.g. onSuccess(), or
to Page classes. The ComponentClassTransformWorker adds a simple advice that
checks the client token against the server token. If the annotation is used
on the Page class, this check is performed with the activate event of the
Page. In this way components like BeanEditForm can be protected, since the
event handling method might not be included in the page class. The protected
Page class is not required to implement the onActivate method.
If the token check fails, a CsrfException is thrown.
The anti-CSRF token is currently session-based.
Best regards,
Markus
--
View this message in context:
http://tapestry.1045711.n5.nabble.com/CSRF-protection-module-tp4487920p4487920.html
Sent from the Tapestry - Dev mailing list archive at Nabble.com.
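The following is an added, stand-alone Java example illustrating the two pieces the post describes: the session-scoped token a mixin would write into the form in afterRender, and the client-token-against-server-token check the annotation advice performs before the event handler runs. It is not the csrfprotection module's own code and does not use the Tapestry API; the session is modelled as a plain Map standing in for HttpSession/Tapestry Session attributes, and the attribute key, parameter name and class names are assumptions chosen for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not the module's code. Demonstrates a session-based anti-CSRF
 * token: one token per session, rendered as a hidden field, verified in constant
 * time on the protected event. The session is a Map<String,Object> stand-in for
 * HttpSession / Tapestry Session attributes (assumption for this example).
 */
public final class CsrfTokenExample {

    /** Assumed names; the real module may use different ones. */
    static final String SESSION_KEY = "csrf.token";
    static final String PARAM_NAME = "t:csrf";

    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, minting 32 random bytes on first use. */
    static String tokenFor(Map<String, Object> session) {
        Object existing = session.get(SESSION_KEY);
        if (existing instanceof String) {
            return (String) existing;
        }
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, token);
        return token;
    }

    /** What a mixin's insertCSRFToken step would write inside the form in afterRender. */
    static String hiddenField(Map<String, Object> session) {
        return "<input type=\"hidden\" name=\"" + PARAM_NAME
                + "\" value=\"" + tokenFor(session) + "\"/>";
    }

    /**
     * The server-side check: the submitted token must be present and equal the
     * session token. A missing session token fails closed. MessageDigest.isEqual
     * compares without early exit, so response timing does not leak the token.
     */
    static boolean verify(Map<String, Object> session, String clientToken) {
        Object server = session.get(SESSION_KEY);
        if (!(server instanceof String) || clientToken == null) {
            return false;
        }
        byte[] expected = ((String) server).getBytes(StandardCharsets.UTF_8);
        byte[] actual = clientToken.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    /** Stand-in for the CsrfException the post says is thrown on a failed check. */
    static final class CsrfException extends RuntimeException {
        CsrfException(String msg) { super(msg); }
    }

    /** What advice on a @CsrfProtected handler would do before letting it run. */
    static void requireValidToken(Map<String, Object> session, Map<String, String> params) {
        if (!verify(session, params.get(PARAM_NAME))) {
            throw new CsrfException("anti-CSRF token missing or invalid");
        }
    }

    public static void main(String[] args) {
        Map<String, Object> victimSession = new HashMap<>();

        // Page render: the hidden field carries the victim's session token.
        System.out.println(hiddenField(victimSession));

        // Legitimate submit: the browser sends back the token it was given.
        Map<String, String> legit = new HashMap<>();
        legit.put(PARAM_NAME, tokenFor(victimSession));
        requireValidToken(victimSession, legit);
        System.out.println("same-origin submit accepted");

        // Cross-site submit: the attacker's page can make the browser POST with the
        // victim's cookies but cannot read the token, so it is absent or a guess.
        Map<String, String> forged = new HashMap<>();
        forged.put(PARAM_NAME, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
        try {
            requireValidToken(victimSession, forged);
        } catch (CsrfException e) {
            System.out.println("forged submit rejected: " + e.getMessage());
        }
        try {
            requireValidToken(victimSession, new HashMap<>());
        } catch (CsrfException e) {
            System.out.println("submit without token rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac CsrfTokenExample.java && java CsrfTokenExample`. Two points worth keeping when wiring this into a real mixin and advice: the check must fail closed when the session has no token yet (a fresh session cannot have rendered a form), and the comparison must not be `String.equals`, since a per-session token that lives for the whole session is exactly the kind of secret a timing side channel can recover over many requests.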