Hmm, for me it doesn't work. I mount the pages via:

    this.mount("/pages/secure", PackageName.forClass(this.getHomePage()));

If I try to access the page from machine B with the same jsessionid as machine A, then I get redirected to LoginPage.

-----Original Message-----
From: Andrew Turner [mailto:grim_toas...@hotmail.com]
Sent: Wednesday, 2 December 2009 10:24
To: users@wicket.apache.org
Subject: Session stealing with wicket-auth-roles

Good morning all,

I'm hoping I've misconfigured something in my application, but we seem to be prone to session stealing in our wicket application. We're using wicket-auth-roles to provide the security, and if you are able to access the jsessionid you can get another machine to log straight into the application as the intercepted user. We're using HTTPS for the communication, so hopefully the likelihood of this occurring is quite small, but we are still being forced to contemplate rewriting the security layer (which I want to avoid if possible).

So, my question: have I misconfigured something, or is it just not possible to prevent this sort of attack when using wicket-auth-roles?

I've managed to create a completely stripped-down app that still has the problem. Below is the AuthenticatedWebSession implementation.

    // Imports added for completeness; they assume the Wicket 1.4 package layout
    import org.apache.wicket.Request;
    import org.apache.wicket.authentication.AuthenticatedWebSession;
    import org.apache.wicket.authorization.strategies.role.Roles;

    public class HelloWorldWebSession extends AuthenticatedWebSession {
        public HelloWorldWebSession(Request request) {
            super(request);
        }

        // Hard-coded credentials for the stripped-down test application
        public boolean authenticate(String username, String password) {
            return "helloUser".equals(username) && "password".equals(password);
        }

        // Only a signed-in session carries the USER role
        public Roles getRoles() {
            return isSignedIn() ? new Roles(Roles.USER) : null;
        }
    }

And the simple page:

    import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
    import org.apache.wicket.markup.html.WebPage;

    @AuthorizeInstantiation("USER")
    public class HelloWorldHomePage extends WebPage {
    }

And the application:

    import org.apache.wicket.Page;
    import org.apache.wicket.authentication.AuthenticatedWebApplication;
    import org.apache.wicket.authentication.AuthenticatedWebSession;
    import org.apache.wicket.authentication.pages.SignInPage;
    import org.apache.wicket.markup.html.WebPage;

    public class HelloWorldApplication extends AuthenticatedWebApplication {
        protected void init() {
            super.init();
            mountBookmarkablePage("home", HelloWorldHomePage.class);
            mountBookmarkablePage("signin", SignInPage.class);
        }

        protected Class<? extends WebPage> getSignInPageClass() {
            return SignInPage.class;
        }

        protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
            return HelloWorldWebSession.class;
        }

        public Class<? extends Page> getHomePage() {
            return HelloWorldHomePage.class;
        }
    }

The URL below, once logged in on one machine, could then be used on multiple machines to bypass the security layer.

    http://localhost:9090/HelloWorld/home;jsessionid=<SESSION_ID_TAKEN_FROM_URL/COOKIE>

Many Thanks
Andy
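The URL in Andy's mail shows the session id travelling as a path parameter (;jsessionid=...), which is how it ends up in shared links, proxy logs and Referer headers. The following is an added example, not code from this thread or from the Wicket project: a Servlet 3.0 Filter, placed in front of the Wicket filter, that refuses to honour any session id supplied in the URL, together with the web.xml settings (in a comment) that stop the container from writing the id into URLs in the first place. The class name, package and filter ordering are assumptions; the Servlet API calls are standard.

```java
// Added example, not part of the original mail or of Wicket itself.
// Assumes a Servlet 3.0+ container; package and class name are hypothetical.
package example.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Rejects requests whose session id arrived as a URL path parameter.
 * Map this filter to /* ahead of the Wicket filter in web.xml so it
 * runs before Wicket resolves the session.
 */
public class UrlSessionIdRejectingFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isRequestedSessionIdFromURL() is true only when the container took the
        // id from ";jsessionid=" in the path rather than from a cookie.
        if (request.isRequestedSessionIdFromURL()) {
            // Do not let a session named in a URL continue to exist: whoever
            // holds that link holds the session. Invalidate it if it resolved.
            HttpSession leaked = request.getSession(false);
            if (leaked != null) {
                leaked.invalidate();
            }
            // Send the client back to the same resource without the path
            // parameter; the container then issues a fresh, cookie-tracked session.
            StringBuilder clean = new StringBuilder(request.getContextPath());
            clean.append(request.getServletPath());
            if (request.getPathInfo() != null) {
                clean.append(request.getPathInfo());
            }
            if (request.getQueryString() != null) {
                clean.append('?').append(request.getQueryString());
            }
            response.sendRedirect(clean.toString());
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

/* Companion web.xml fragment (Servlet 3.0): restrict session tracking to
 * cookies so ;jsessionid= is never appended to URLs, and mark the cookie
 * Secure and HttpOnly so it is only sent over HTTPS and is not readable
 * from script.
 *
 *   <session-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *     <cookie-config>
 *       <http-only>true</http-only>
 *       <secure>true</secure>
 *     </cookie-config>
 *   </session-config>
 */
```

This does not stop a session id that has already been copied out of a cookie from being replayed; no framework can tell two clients presenting the same valid id apart. What it does is close the URL leak that makes the id easy to obtain, and it pairs naturally with issuing a new session id at login (Servlet 3.1's HttpServletRequest.changeSessionId(), or Session.replaceSession() in Wicket releases that provide it) so that an id observed before authentication is worthless afterwards.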