Hmm, for me it doesn't work.

I mount the pages via:

this.mount("/pages/secure", PackageName.forClass(this.getHomePage()));

If I try to access the page from machine B with the same jsessionid as machine 
A, then I get redirected to LoginPage.



-----Original Message-----
From: Andrew Turner [mailto:grim_toas...@hotmail.com] 
Sent: Wednesday, 2 December 2009 10:24
To: users@wicket.apache.org
Subject: Session stealing with wicket-auth-roles



Good morning all,

I'm hoping I've misconfigured something in my application, but we seem to be 
prone to session stealing in our wicket application.  We're using 
wicket-auth-roles to provide the security, and if you are able to access the 
jsessionid you can get another machine to log straight into the application as 
the intercepted user.  We're using HTTPS for the communication, so hopefully 
the likelihood of this occurring is quite small, but we are still being forced 
to contemplate rewriting the security layer (which I want to avoid if possible).

So, my question, have I misconfigured something, or is it just not possible to 
prevent this sort of attack when using wicket-auth-roles?

I've managed to create a completely stripped-down app that still has the 
problem, below is the AuthenticatedWebSession implementation.

// Wicket 1.4.x package names
import org.apache.wicket.Request;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authorization.strategies.role.Roles;

public class HelloWorldWebSession extends AuthenticatedWebSession {
    public HelloWorldWebSession(Request request) { super(request); }
    public boolean authenticate(String username, String password) {
        return "helloUser".equals(username) && "password".equals(password);
    }
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : null;
    }
}

And the simple page:

@AuthorizeInstantiation("USER")
public class HelloWorldHomePage extends WebPage { }

And the application:

// Wicket 1.4.x package names
import org.apache.wicket.Page;
import org.apache.wicket.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authentication.pages.SignInPage;
import org.apache.wicket.markup.html.WebPage;

public class HelloWorldApplication extends AuthenticatedWebApplication {
    protected void init() {
        super.init();
        mountBookmarkablePage("home", HelloWorldHomePage.class);
        mountBookmarkablePage("signin", SignInPage.class);
    }

    protected Class<? extends WebPage> getSignInPageClass() {
        return SignInPage.class;
    }

    protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
        return HelloWorldWebSession.class;
    }

    public Class<? extends Page> getHomePage() {
        return HelloWorldHomePage.class;
    }
}

The URL below, once logged in on one machine, could then be used on multiple 
machines to bypass the security layer.

http://localhost:9090/HelloWorld/home;jsessionid=<SESSION_ID_TAKEN_FROM_URL/COOKIE>

Many Thanks
Andy
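One container-level mitigation for the URL-borne jsessionid in the message above, as an added example that is not from this thread or from Wicket itself: a servlet Filter, mapped in web.xml ahead of the WicketFilter, that refuses any request whose session id arrived in the URL instead of a cookie, invalidates that session, and redirects to the clean URL. The class name is hypothetical; the servlet API calls are standard.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (hypothetical name) for the case in the thread: a session id
 * presented as ";jsessionid=..." in the URL is never accepted. On Servlet 3.0
 * containers the same effect is available declaratively through
 * <tracking-mode>COOKIE</tracking-mode> in web.xml.
 */
public class RejectUrlSessionIdFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isRequestedSessionIdFromURL()) {
            // The id has been exposed in a URL (logs, referers, copy-paste),
            // so treat the session as compromised rather than reuse it.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect(stripSessionId(request.getRequestURI(),
                                                 request.getQueryString()));
            return;
        }
        chain.doFilter(req, res);
    }

    /** "/HelloWorld/home;jsessionid=ABC" + "a=1" -> "/HelloWorld/home?a=1" */
    static String stripSessionId(String uri, String query) {
        int i = uri.indexOf(";jsessionid=");
        String clean = i < 0 ? uri : uri.substring(0, i);
        return query == null ? clean : clean + "?" + query;
    }
}
```

Clients that do not accept cookies cannot hold a session under this filter, which is the intended trade-off. It does nothing against a cookie copied out of the browser; for that, the Secure and HttpOnly cookie flags and issuing a fresh session id on login are the relevant controls.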
