On Fri, Oct 30, 2015 at 6:19 PM, Martijn Dashorst < [email protected]> wrote:
> Use the CsrfPreventionRequestCycleListener. It checks the origin
> header and prevents requests from untrusted origins, which the
> cryptomapper doesn't do. That just encrypts the URLs, making them hard
> to guess, but doesn't prevent anyone from calling such a URL from a
> different origin.
>
> This deserves a section at https://ci.apache.org/projects/wicket/guide/7.x/guide/security.html
>
> Martijn
>
> On Fri, Oct 30, 2015 at 4:41 PM, Mihir Chhaya <[email protected]> wrote:
> > Hello,
> >
> > I have read the Wicket CSRF-related posts on the wicket forum before posting this
> > question. I could not find one with the detail I am looking for. If I have missed any,
> > please redirect me to the link.
> >
> > I am looking into CSRF and the Wicket 7 default settings. Everything seems fine
> > with the use of CryptoMapper (which by default uses
> > KeyInSessionSunJceCryptFactory) to handle CSRF attacks.
> >
> > But I am not sure if Wicket still protects against CSRF if CryptoMapper is
> > not used. Does the default mapper inherently use
> > KeyInSessionSunJceCryptFactory? The documentation says
> > KeyInSessionSunJceCryptFactory is the default only for ICrypt implementation
> > objects. If not, then should one use CsrfPreventionRequestCycleListener?
> >
> > If a default anti-CSRF measure is already set, like CryptoMapper, which Wicket source
> > class can I look into for better understanding?
> >
> > Thanks in advance,
> > -Mihir.
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
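As an added example (not code from the thread or from the Wicket project), here is a Wicket 7 `Application.init()` that does both of the things discussed above: it keeps CryptoMapper for URL encryption and registers CsrfPreventionRequestCycleListener for the Origin check that CryptoMapper lacks. The class name and the accepted origin `example.com` are placeholders; the API calls are the ones documented for Wicket 7.

```java
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;

// Placeholder application class; only init() matters here.
public class CsrfHardenedApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();

        // 1) CryptoMapper: encrypts component/listener URLs so they are hard to
        //    guess. It is NOT an origin check: a victim's browser will happily
        //    send an encrypted URL it was handed from a third-party page.
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

        // 2) CsrfPreventionRequestCycleListener: compares the request's Origin
        //    header against this application's own origin plus a whitelist,
        //    and acts on listener (state-changing) requests from elsewhere.
        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener();

        // Placeholder: a second host that is allowed to post back to this app.
        csrf.addAcceptedOrigin("example.com");

        // A request whose Origin does not match: abort with an error response.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);

        // A request that carries no Origin header at all. ALLOW keeps older
        // clients working; SUPPRESS or ABORT is stricter if you can afford it.
        csrf.setNoOriginAction(CsrfAction.ALLOW);

        // What the client sees when a request is aborted.
        csrf.setErrorCode(403);
        csrf.setErrorMessage("Cross-origin request rejected");

        getRequestCycleListeners().add(csrf);
    }
}
```

Whether a specific request was rejected by the listener shows up as a 403 in the access log with an Origin header that is not the application's host, which is the thing to look for when tuning the accepted-origin list.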
