wicket git commit: WICKET-6245 Open up CsrfPreventionRequestCycleListener for extension
Repository: wicket
Updated Branches:
refs/heads/master c819c6c4c -> 247619ab1

WICKET-6245 Open up CsrfPreventionRequestCycleListener for extension

Wrap a debug logiing in LOG.isDebugEnabled()

Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/247619ab
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/247619ab
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/247619ab
Branch: refs/heads/master
Commit: 247619ab176c64acc3d07adcc45725e019e11a62
Parents: c819c6c
Author: Martin Tzvetanov Grigorov
Authored: Tue Sep 20 22:07:37 2016 +0200
Committer: Martin Tzvetanov Grigorov
Committed: Tue Sep 20 22:07:37 2016 +0200

--
.../protocol/http/CsrfPreventionRequestCycleListener.java| 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/wicket/blob/247619ab/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index ce03862..e6b61dc 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,6 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
-import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
 import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
@@ -358,8 +357,11 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
 }
 else
 {
- log.debug("Targeted page {} was opted out of the CSRF origin checks, allowed",
- targetedPage.getClass().getName());
+ if (log.isDebugEnabled())
+ {
+ log.debug("Targeted page {} was opted out of the CSRF origin checks, allowed",
+ targetedPage.getClass().getName());
+ }
 allowHandler(containerRequest, sourceUri, targetedPage);
 }
 }
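Review bot: The `isDebugEnabled()` guard added around the `log.debug` call in the `else` branch buys almost nothing here, because the SLF4J `{}` placeholder already defers message formatting; the only work the guard skips is `targetedPage.getClass().getName()`, which is cheap. Leaving the single call `log.debug("Targeted page {} was opted out of the CSRF origin checks, allowed", targetedPage.getClass().getName());` unguarded is equally correct and three lines shorter, unless the rest of this method guards every debug call the same way, which is not visible in the hunk. The enclosing method starts and ends outside the hunk. The identical hunk appears in the wicket-7.x commit 6cd10f97 below.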
wicket git commit: WICKET-6245 Open up CsrfPreventionRequestCycleListener for extension
Repository: wicket
Updated Branches:
refs/heads/wicket-7.x 2c570edf0 -> 6cd10f970

WICKET-6245 Open up CsrfPreventionRequestCycleListener for extension

Wrap a debug logiing in LOG.isDebugEnabled()

Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/6cd10f97
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/6cd10f97
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/6cd10f97
Branch: refs/heads/wicket-7.x
Commit: 6cd10f970d49ee1cd275c5038aa3c58c9738efaf
Parents: 2c570ed
Author: Martin Tzvetanov Grigorov
Authored: Tue Sep 20 22:07:37 2016 +0200
Committer: Martin Tzvetanov Grigorov
Committed: Tue Sep 20 22:08:42 2016 +0200

--
.../protocol/http/CsrfPreventionRequestCycleListener.java| 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/wicket/blob/6cd10f97/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 4025e7e..72fa4ee 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,6 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
-import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
 import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
@@ -358,8 +357,11 @@ public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleList
 }
 else
 {
- log.debug("Targeted page {} was opted out of the CSRF origin checks, allowed",
- targetedPage.getClass().getName());
+ if (log.isDebugEnabled())
+ {
+ log.debug("Targeted page {} was opted out of the CSRF origin checks, allowed",
+ targetedPage.getClass().getName());
+ }
 allowHandler(containerRequest, sourceUri, targetedPage);
 }
 }
[3/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension
WICKET-6245: open up CsrfPreventionRequestCycleListener for extension

Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/33208213
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/33208213
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/33208213
Branch: refs/heads/wicket-6.x
Commit: 3320821343f7957a4850f2d9b61ab18eec55fa62
Parents: 52f0b8a
Author: Emond Papegaaij
Authored: Mon Sep 19 15:24:57 2016 +0200
Committer: Emond Papegaaij
Committed: Mon Sep 19 15:26:57 2016 +0200

--
.../CsrfPreventionRequestCycleListener.java | 188 +++
1 file changed, 114 insertions(+), 74 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/wicket/blob/33208213/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 3e81252..a3f8320 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
@@ -39,9 +41,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Prevents CSRF attacks on Wicket components by checking the {@code Origin} HTTP header for cross
- * domain requests. By default only checks requests that try to perform an action on a component,
- * such as a form submit, or link click.
+ * Prevents CSRF attacks on Wicket components by checking the {@code Origin} and {@code Referer}
+ * HTTP headers for cross domain requests. By default only checks requests that try to perform an
+ * action on a component, such as a form submit, or link click.
  *
  * Installation
  *
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory;
  *
  * Configuration
  *
- * A missing {@code Origin} HTTP header is (by default) handled as if it were a good request and
- * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a
- * different value, suppressing or aborting the request when the {@code Origin} HTTP header is
- * missing.
+ * When the {@code Origin} or {@code Referer} HTTP header is present but doesn't match the requested
+ * URL this listener will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the
+ * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} this specific action.
  *
- * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to
- * be from a "privacy-sensitive" context and will trigger the conflicting origin action. You can
- * customize what happens in those actions by overriding the respective {@code on} methods.
+ * A missing {@code Origin} and {@code Referer} HTTP header is handled as if it were a bad request
+ * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a
+ * different value, suppressing or allowing the request when the HTTP headers are missing.
  *
- * When the {@code Origin} HTTP header is present but doesn't match the requested URL this listener
- * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the request. You can
- * {@link #setConflictingOriginAction(CsrfAction) configure} this specific action.
+ * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to
+ * be from a "privacy-sensitive" context and will trigger the no origin action. You can customize
+ * what happens in those actions by overriding the respective {@code on} methods.
  *
  * When you want to accept certain cross domain request from a range of hosts, you can
  * {@link #addAcceptedOrigin(String) whitelist those domains}.
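Review bot: The rewritten Configuration paragraphs introduce {@code Referer} as a second header that is checked but never say which header is consulted when both are present, nor that {@code Referer} is routinely absent in practice (browser privacy settings, a restrictive Referrer-Policy, HTTPS-to-HTTP navigations), which is exactly the situation the now-rejecting no-origin default covers. Presumably {@code Origin} takes precedence and {@code Referer} is only a fallback, but the hunk does not show the code that decides that, so the javadoc is where a deployer would look. Suggest one sentence after the first added paragraph, e.g. `* The {@code Origin} header is consulted first; {@code Referer} is only used when {@code Origin} is absent.` The same javadoc hunk appears in commits 6c40c919 (master) and 5c345567 (wicket-7.x) below.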
@@ -96,7 +97,7 @@ import org.slf4j.LoggerFactory;
  * {@link #isChecked(IRequestHandler)} to customize this behavior.
  *
  *
- * You can override the
[2/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension
WICKET-6245: open up CsrfPreventionRequestCycleListener for extension

Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/6c40c919
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/6c40c919
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/6c40c919
Branch: refs/heads/master
Commit: 6c40c919f54fce610c584b9e4ec7925c14a5a19b
Parents: c04f2b0
Author: Emond Papegaaij
Authored: Mon Sep 19 15:24:57 2016 +0200
Committer: Emond Papegaaij
Committed: Mon Sep 19 15:25:21 2016 +0200

--
.../CsrfPreventionRequestCycleListener.java | 182 +++
1 file changed, 111 insertions(+), 71 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/wicket/blob/6c40c919/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index a2bf124..ce03862 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
@@ -39,9 +41,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Prevents CSRF attacks on Wicket components by checking the {@code Origin} HTTP header for cross
- * domain requests. By default only checks requests that try to perform an action on a component,
- * such as a form submit, or link click.
+ * Prevents CSRF attacks on Wicket components by checking the {@code Origin} and {@code Referer}
+ * HTTP headers for cross domain requests. By default only checks requests that try to perform an
+ * action on a component, such as a form submit, or link click.
  *
  * Installation
  *
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory;
  *
  * Configuration
  *
- * A missing {@code Origin} HTTP header is (by default) handled as if it were a good request and
- * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a
- * different value, suppressing or aborting the request when the {@code Origin} HTTP header is
- * missing.
+ * When the {@code Origin} or {@code Referer} HTTP header is present but doesn't match the requested
+ * URL this listener will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the
+ * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} this specific action.
  *
- * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to
- * be from a "privacy-sensitive" context and will trigger the conflicting origin action. You can
- * customize what happens in those actions by overriding the respective {@code on} methods.
+ * A missing {@code Origin} and {@code Referer} HTTP header is handled as if it were a bad request
+ * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a
+ * different value, suppressing or allowing the request when the HTTP headers are missing.
  *
- * When the {@code Origin} HTTP header is present but doesn't match the requested URL this listener
- * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the request. You can
- * {@link #setConflictingOriginAction(CsrfAction) configure} this specific action.
+ * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to
+ * be from a "privacy-sensitive" context and will trigger the no origin action. You can customize
+ * what happens in those actions by overriding the respective {@code on} methods.
  *
  * When you want to accept certain cross domain request from a range of hosts, you can
  * {@link #addAcceptedOrigin(String) whitelist those domains}.
@@ -96,7 +97,7 @@ import org.slf4j.LoggerFactory;
  * {@link #isChecked(IRequestHandler)} to customize this behavior.
  *
  *
- * You can override the default
[1/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension
Repository: wicket
Updated Branches:
refs/heads/master c04f2b00b -> 6c40c919f
refs/heads/wicket-6.x 52f0b8afa -> 332082134
refs/heads/wicket-7.x 47bc8a8d7 -> 5c345567c

WICKET-6245: open up CsrfPreventionRequestCycleListener for extension

Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/5c345567
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/5c345567
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/5c345567
Branch: refs/heads/wicket-7.x
Commit: 5c345567c75b3cc1f7e4cce6dcf3e692870b4823
Parents: 47bc8a8
Author: Emond Papegaaij
Authored: Mon Sep 19 15:24:57 2016 +0200
Committer: Emond Papegaaij
Committed: Mon Sep 19 15:24:57 2016 +0200

--
.../CsrfPreventionRequestCycleListener.java | 182 +++
1 file changed, 111 insertions(+), 71 deletions(-)
--

http://git-wip-us.apache.org/repos/asf/wicket/blob/5c345567/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 73cebee..4025e7e 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
@@ -39,9 +41,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Prevents CSRF attacks on Wicket components by checking the {@code Origin} HTTP header for cross
- * domain requests. By default only checks requests that try to perform an action on a component,
- * such as a form submit, or link click.
+ * Prevents CSRF attacks on Wicket components by checking the {@code Origin} and {@code Referer}
+ * HTTP headers for cross domain requests. By default only checks requests that try to perform an
+ * action on a component, such as a form submit, or link click.
  *
  * Installation
  *
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory;
  *
  * Configuration
  *
- * A missing {@code Origin} HTTP header is (by default) handled as if it were a good request and
- * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a
- * different value, suppressing or aborting the request when the {@code Origin} HTTP header is
- * missing.
+ * When the {@code Origin} or {@code Referer} HTTP header is present but doesn't match the requested
+ * URL this listener will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the
+ * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} this specific action.
  *
- * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to
- * be from a "privacy-sensitive" context and will trigger the conflicting origin action. You can
- * customize what happens in those actions by overriding the respective {@code on} methods.
+ * A missing {@code Origin} and {@code Referer} HTTP header is handled as if it were a bad request
+ * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a
+ * different value, suppressing or allowing the request when the HTTP headers are missing.
  *
- * When the {@code Origin} HTTP header is present but doesn't match the requested URL this listener
- * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the request. You can
- * {@link #setConflictingOriginAction(CsrfAction) configure} this specific action.
+ * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to
+ * be from a "privacy-sensitive" context and will trigger the no origin action. You can customize
+ * what happens in those actions by overriding the respective {@code on} methods.
  *
  * When you want to accept certain cross domain request from a range of hosts, you can
  * {@link #addAcceptedOrigin(String)