Re: Balancer + HTTPS
Hi Martin, The #sendRedirect sends a relative URL and them the servlet generates the Location header with the original location with HTTP instead the X-Forwarded-Proto scheme. The balancer also sends a X-Host header, so I had to concatenate the host and scheme to the URL before the #sendRedirect call. Thanks. On Mon, May 15, 2017 at 11:21 AM, Marcel Barbosa Pinto < marcel.po...@gmail.com> wrote: > Hi Martin, > > I've found something that could be related, at this line below, a new Url > instance is created without being configured with the protocol. Is this URL > relative or absolute? > > https://github.com/apache/wicket/blob/9e42a9548adb0da540e4e87d491f58 > 24e778537e/wicket-core/src/main/java/org/apache/wicket/ > core/request/mapper/PageInstanceMapper.java#L129 > > I'll will try to debug the code later. > Thanks. > > > > > On Mon, May 15, 2017 at 3:56 AM, Martin Grigorov> wrote: > >> Hi, >> >> Put a breakpoint at org.apache.wicket.request.Url#getProtocol() and see >> what it returns. >> I guess the redirect is an absolute url and that's why it breaks. >> See org.apache.wicket.protocol.http.servlet.ServletWebResponse#s >> endRedirect >> >> Martin Grigorov >> Wicket Training and Consulting >> https://twitter.com/mtgrigorov >> >> On Mon, May 15, 2017 at 5:01 AM, Marcel Barbosa Pinto < >> marcel.po...@gmail.com> wrote: >> >> > Hi, >> > >> > I am using a balancer which sends the X-Forwarded-Proto header to my >> Wicket >> > application. >> > >> > I`ve added the following filters: >> > >> > getFilterFactoryManager() >> > > .addSecuredRemoteAddressRequestWrapperFactory(null) >> > > .addXForwardedRequestWrapperFactory(null); >> > > >> > >> > And the HttpsMapper: >> > >> > setRootRequestMapper(new HttpsMapper(getRootRequestMapper(), new >> > > HttpsConfig()) >> > > >> > >> > >> > And the following init-param into web.xml >> > >> > >> > > protocolHeader >> > > X-Forwarded-Proto >> > > >> > > >> > >> > >> > When I debug I can see that the header is working inside a >> > RequestCycleListener >> > >> > HttpServletRequest req = (HttpServletRequest) >> > > cycle.getRequest().getContainerRequest(); >> > > System.out.println("-->" + req.getScheme() + " ==" + >> > > req.getHeader("X-Forwarded-Proto"); >> > > >> > >> > >> > The problem occurs when some versioned page is created and wicket >> redirect >> > it to the same URL but with the HTTP:// instead, for example: >> > >> > *https://*www.wicket.com/statefullPage >> > -> Response header: 302 (Location: *http://*www.wicket.com/ >> > statefullPage*?1* >> > ) >> > >> > If I change it back to HTTPS it works: >> > >> > *https://*www.wicket.com/statefullPage >> > *?1* >> > *-> *Response 200 OK >> > >> > I believe that in some redirection logic the original schema is being >> lost >> > somehow, during page versioning. >> > This problem only occurs when using the "X-Forwarded-Proto" header >> > >> > Using Wicket 7.6.0 >> > Any suggestions? >> > >> > Thanks! >> > >> > > > > -- > > Marcel Barbosa Pinto > 55 11 98255 8288 > -- Marcel Barbosa Pinto 55 11 98255 8288
Re: WebSockets and CsrfPreventionRequestCycleListener
I just have checked CsrfPreventionRequestCycleListener with overriden isChecked and it produces no errors I would vote for WebSocketAwareCsrfPreventionRequestCycleListener :) On Tue, May 16, 2017 at 5:50 AM, Martin Grigorovwrote: > Hi Maxim, > > You can use > > getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() { > @Override > protected boolean isChecked(IRequestHandler handler) > { > if (handler instanceof WebSocketRequestHandler || handler instanceof > WebSocketMessageBroadcastHandler) { > return false; > } > return super.isChecked(handler); > } > }); > > > The upgrade request has a proper Origin header: > > >1. Accept-Encoding: >gzip, deflate, sdch, br >2. Accept-Language: >en-US,en;q=0.8,bg;q=0.6 >3. Cache-Control: >no-cache >4. Connection: >Upgrade >5. Cookie: > >6. DNT: >1 >7. Host: >localhost:8080 >8. Origin: >http://localhost:8080 >9. Pragma: >no-cache >10. Sec-WebSocket-Extensions: >permessage-deflate; client_max_window_bits >11. Sec-WebSocket-Key: >FcSNIsIh3HO95UGmMUA27g== >12. Sec-WebSocket-Version: >13 >13. Upgrade: >websocket >14. User-Agent: >Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) >Chrome/57.0.2987.110 Safari/537.36 >15. > > But the following communication is via the WebSocket connection and the > packets there do not bring request headers. > Wicket Native WebSocket module creates WebSocketRequest for each WS message > and those do no have request headers, so they can be safely ignored. > Maybe we can introduce WebSocketAwareCsrfPreventionRequestCycleListener in > wicket-native-websocket-core and recommend its usage when the app uses > WebSockets ?! > > Martin Grigorov > Wicket Training and Consulting > https://twitter.com/mtgrigorov > > On Mon, May 15, 2017 at 11:26 AM, Maxim Solodovnik > wrote: > >> Example project demonstrating it is here: >> https://github.com/solomax/ajax-download >> >> >> html with WebSocket.send: >> https://github.com/solomax/ajax-download/commit/ >> 84af661b1e5e110419f17dbf9295547c135a0cc5#diff- >> 217ea4d3217197ce4ece382e050a7302R26 >> >> On Mon, May 15, 2017 at 3:14 PM, Maxim Solodovnik >> wrote: >> > Thanks a lot for checking Martin, >> > >> > The issue seems to be caused by following code in *.html (reproducible >> > using quickstart) >> > >> > >> > $(function() { >> > Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, >> function() { >> > Wicket.WebSocket.send("socketConnected"); >> > }); >> > }); >> > >> > >> > I guess I need to manually set missing headers in such call >> > >> > Can you please help to set necessary headers? >> > >> > On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov >> wrote: >> >> Hi Maxim, >> >> >> >> Just adding getRequestCycleListeners().add(new >> >> CsrfPreventionRequestCycleListener()); >> >> to org.apache.wicket.examples.websocket.JSR356Application#init() >> doesn't >> >> lead to any error. >> >> >> >> Martin Grigorov >> >> Wicket Training and Consulting >> >> https://twitter.com/mtgrigorov >> >> >> >> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik > > >> >> wrote: >> >> >> >>> Hello Martin, >> >>> >> >>> were you able to take a look at it? >> >>> I was hoping to have M6 with working Csrf+WebSockets >> >>> >> >>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik < >> solomax...@gmail.com> >> >>> wrote: >> >>> > Thanks a million, Martin :) >> >>> > >> >>> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov < >> mgrigo...@apache.org> >> >>> wrote: >> >>> >> Hi Maxim, >> >>> >> >> >>> >> I don't use this combination. >> >>> >> But I will try to test it soon and see what can be done. >> >>> >> >> >>> >> Martin Grigorov >> >>> >> Wicket Training and Consulting >> >>> >> https://twitter.com/mtgrigorov >> >>> >> >> >>> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik < >> >>> solomax...@gmail.com> >> >>> >> wrote: >> >>> >> >> >>> >>> Does anybody uses this filter? >> >>> >>> >> >>> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik < >> >>> solomax...@gmail.com> >> >>> >>> wrote: >> >>> >>> > Hello All, >> >>> >>> > >> >>> >>> > just have tried to add CsrfPreventionRequestCycleListener to our >> >>> >>> application >> >>> >>> > everything seems to work except for Websockets :( >> >>> >>> > >> >>> >>> > Now I'm getting >> >>> >>> > >> >>> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9] >> >>> >>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener >> - >> >>> >>> > Possible CSRF attack, request URL: >> >>> >>> > /openmeetings/wicket/websocket?pageId=1 >> >>> >>> ajax-baseurl==OpenmeetingsApplication, >> >>> >>> > Origin: null, action: aborted with error 400 Origin does not >> >>> >>> > correspond to request >> >>> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9] >> >>> >>> >
Re: WebSockets and CsrfPreventionRequestCycleListener
Hi Maxim, You can use getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() { @Override protected boolean isChecked(IRequestHandler handler) { if (handler instanceof WebSocketRequestHandler || handler instanceof WebSocketMessageBroadcastHandler) { return false; } return super.isChecked(handler); } }); The upgrade request has a proper Origin header: 1. Accept-Encoding: gzip, deflate, sdch, br 2. Accept-Language: en-US,en;q=0.8,bg;q=0.6 3. Cache-Control: no-cache 4. Connection: Upgrade 5. Cookie: 6. DNT: 1 7. Host: localhost:8080 8. Origin: http://localhost:8080 9. Pragma: no-cache 10. Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits 11. Sec-WebSocket-Key: FcSNIsIh3HO95UGmMUA27g== 12. Sec-WebSocket-Version: 13 13. Upgrade: websocket 14. User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36 15. But the following communication is via the WebSocket connection and the packets there do not bring request headers. Wicket Native WebSocket module creates WebSocketRequest for each WS message and those do no have request headers, so they can be safely ignored. Maybe we can introduce WebSocketAwareCsrfPreventionRequestCycleListener in wicket-native-websocket-core and recommend its usage when the app uses WebSockets ?! Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov On Mon, May 15, 2017 at 11:26 AM, Maxim Solodovnikwrote: > Example project demonstrating it is here: > https://github.com/solomax/ajax-download > > > html with WebSocket.send: > https://github.com/solomax/ajax-download/commit/ > 84af661b1e5e110419f17dbf9295547c135a0cc5#diff- > 217ea4d3217197ce4ece382e050a7302R26 > > On Mon, May 15, 2017 at 3:14 PM, Maxim Solodovnik > wrote: > > Thanks a lot for checking Martin, > > > > The issue seems to be caused by following code in *.html (reproducible > > using quickstart) > > > > > > $(function() { > > Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, > function() { > > Wicket.WebSocket.send("socketConnected"); > > }); > > }); > > > > > > I guess I need to manually set missing headers in such call > > > > Can you please help to set necessary headers? > > > > On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov > wrote: > >> Hi Maxim, > >> > >> Just adding getRequestCycleListeners().add(new > >> CsrfPreventionRequestCycleListener()); > >> to org.apache.wicket.examples.websocket.JSR356Application#init() > doesn't > >> lead to any error. > >> > >> Martin Grigorov > >> Wicket Training and Consulting > >> https://twitter.com/mtgrigorov > >> > >> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik > > >> wrote: > >> > >>> Hello Martin, > >>> > >>> were you able to take a look at it? > >>> I was hoping to have M6 with working Csrf+WebSockets > >>> > >>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik < > solomax...@gmail.com> > >>> wrote: > >>> > Thanks a million, Martin :) > >>> > > >>> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov < > mgrigo...@apache.org> > >>> wrote: > >>> >> Hi Maxim, > >>> >> > >>> >> I don't use this combination. > >>> >> But I will try to test it soon and see what can be done. > >>> >> > >>> >> Martin Grigorov > >>> >> Wicket Training and Consulting > >>> >> https://twitter.com/mtgrigorov > >>> >> > >>> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik < > >>> solomax...@gmail.com> > >>> >> wrote: > >>> >> > >>> >>> Does anybody uses this filter? > >>> >>> > >>> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik < > >>> solomax...@gmail.com> > >>> >>> wrote: > >>> >>> > Hello All, > >>> >>> > > >>> >>> > just have tried to add CsrfPreventionRequestCycleListener to our > >>> >>> application > >>> >>> > everything seems to work except for Websockets :( > >>> >>> > > >>> >>> > Now I'm getting > >>> >>> > > >>> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9] > >>> >>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener > - > >>> >>> > Possible CSRF attack, request URL: > >>> >>> > /openmeetings/wicket/websocket?pageId=1 > >>> >>> ajax-baseurl==OpenmeetingsApplication, > >>> >>> > Origin: null, action: aborted with error 400 Origin does not > >>> >>> > correspond to request > >>> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9] > >>> >>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP > error > >>> >>> > response in WebSocket communication would not be processed by the > >>> >>> > browser! If you need to send the error code and message to the > client > >>> >>> > then configure custom WebSocketResponse via > >>> >>> > WebSocketSettings#newWebSocketResponse() factory method and > override > >>> >>> > #sendError() method to write them in an appropriate format for > your > >>> >>> > application. The ignored error code is '400'
Re: inside inline frame
Thanks for the answer. Always nice to learn something new, but sadly this won't solve my problem. I will need both of the stylesheet files. Application developers shall bring their own css for their app and should not have to care about the design of the menu wrapped around. I'm looking for a way to seperate them so they don't get in each others way. Something like scoped css. But i think there won't be a wicket-way to solve this. It's more a css issue. > Am 14.05.2017 um 21:04 schrieb Martin Grigorov: > > Hi, > > Maybe a simpler solution would be to use custom IHeaderResponseDecorator > that skips all CssHeaderItems contributed by the base module. > If you can differentiate your application CssHeaderItems from the one from > the base module, e.g. by package name, then I think this will work. > See org.apache.wicket.markup.head.filter.FilteringHeaderResponse for > inspiration. > > Martin Grigorov > Wicket Training and Consulting > https://twitter.com/mtgrigorov > >> On Fri, May 12, 2017 at 10:36 PM, Claudia Hirt wrote: >> >> Hi all, >> >> is it possible to wrap a child page's markup inside an iframe? >> >> The reason I want to do this: >> My BasePage containing a header- and menu-panel is located in an artifact >> used by several applications. These applications contain their own >> stylesheets and I want to avoid side effects like css of application >> affecting my header-panel. >> >> I think the only way to solve this would be to have the whole application >> page inside an iframe, because using CSS namespaces via IDs would be a >> hudge effort and be to risky. >> >> Thanks in advance! >> >> Best regards, >> Claudia Hirt >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Balancer + HTTPS
Hi Martin, I've found something that could be related, at this line below, a new Url instance is created without being configured with the protocol. Is this URL relative or absolute? https://github.com/apache/wicket/blob/9e42a9548adb0da540e4e87d491f5824e778537e/wicket-core/src/main/java/org/apache/wicket/core/request/mapper/PageInstanceMapper.java#L129 I'll will try to debug the code later. Thanks. On Mon, May 15, 2017 at 3:56 AM, Martin Grigorovwrote: > Hi, > > Put a breakpoint at org.apache.wicket.request.Url#getProtocol() and see > what it returns. > I guess the redirect is an absolute url and that's why it breaks. > See org.apache.wicket.protocol.http.servlet.ServletWebResponse# > sendRedirect > > Martin Grigorov > Wicket Training and Consulting > https://twitter.com/mtgrigorov > > On Mon, May 15, 2017 at 5:01 AM, Marcel Barbosa Pinto < > marcel.po...@gmail.com> wrote: > > > Hi, > > > > I am using a balancer which sends the X-Forwarded-Proto header to my > Wicket > > application. > > > > I`ve added the following filters: > > > > getFilterFactoryManager() > > > .addSecuredRemoteAddressRequestWrapperFactory(null) > > > .addXForwardedRequestWrapperFactory(null); > > > > > > > And the HttpsMapper: > > > > setRootRequestMapper(new HttpsMapper(getRootRequestMapper(), new > > > HttpsConfig()) > > > > > > > > > And the following init-param into web.xml > > > > > > > protocolHeader > > > X-Forwarded-Proto > > > > > > > > > > > > When I debug I can see that the header is working inside a > > RequestCycleListener > > > > HttpServletRequest req = (HttpServletRequest) > > > cycle.getRequest().getContainerRequest(); > > > System.out.println("-->" + req.getScheme() + " ==" + > > > req.getHeader("X-Forwarded-Proto"); > > > > > > > > > The problem occurs when some versioned page is created and wicket > redirect > > it to the same URL but with the HTTP:// instead, for example: > > > > *https://*www.wicket.com/statefullPage > > -> Response header: 302 (Location: *http://*www.wicket.com/ > > statefullPage*?1* > > ) > > > > If I change it back to HTTPS it works: > > > > *https://*www.wicket.com/statefullPage > > *?1* > > *-> *Response 200 OK > > > > I believe that in some redirection logic the original schema is being > lost > > somehow, during page versioning. > > This problem only occurs when using the "X-Forwarded-Proto" header > > > > Using Wicket 7.6.0 > > Any suggestions? > > > > Thanks! > > > -- Marcel Barbosa Pinto 55 11 98255 8288
Re: WebSockets and CsrfPreventionRequestCycleListener
Example project demonstrating it is here: https://github.com/solomax/ajax-download html with WebSocket.send: https://github.com/solomax/ajax-download/commit/84af661b1e5e110419f17dbf9295547c135a0cc5#diff-217ea4d3217197ce4ece382e050a7302R26 On Mon, May 15, 2017 at 3:14 PM, Maxim Solodovnikwrote: > Thanks a lot for checking Martin, > > The issue seems to be caused by following code in *.html (reproducible > using quickstart) > > > $(function() { > Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, function() { > Wicket.WebSocket.send("socketConnected"); > }); > }); > > > I guess I need to manually set missing headers in such call > > Can you please help to set necessary headers? > > On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov wrote: >> Hi Maxim, >> >> Just adding getRequestCycleListeners().add(new >> CsrfPreventionRequestCycleListener()); >> to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't >> lead to any error. >> >> Martin Grigorov >> Wicket Training and Consulting >> https://twitter.com/mtgrigorov >> >> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik >> wrote: >> >>> Hello Martin, >>> >>> were you able to take a look at it? >>> I was hoping to have M6 with working Csrf+WebSockets >>> >>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik >>> wrote: >>> > Thanks a million, Martin :) >>> > >>> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov >>> wrote: >>> >> Hi Maxim, >>> >> >>> >> I don't use this combination. >>> >> But I will try to test it soon and see what can be done. >>> >> >>> >> Martin Grigorov >>> >> Wicket Training and Consulting >>> >> https://twitter.com/mtgrigorov >>> >> >>> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik < >>> solomax...@gmail.com> >>> >> wrote: >>> >> >>> >>> Does anybody uses this filter? >>> >>> >>> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik < >>> solomax...@gmail.com> >>> >>> wrote: >>> >>> > Hello All, >>> >>> > >>> >>> > just have tried to add CsrfPreventionRequestCycleListener to our >>> >>> application >>> >>> > everything seems to work except for Websockets :( >>> >>> > >>> >>> > Now I'm getting >>> >>> > >>> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9] >>> >>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - >>> >>> > Possible CSRF attack, request URL: >>> >>> > /openmeetings/wicket/websocket?pageId=1 >>> >>> ajax-baseurl==OpenmeetingsApplication, >>> >>> > Origin: null, action: aborted with error 400 Origin does not >>> >>> > correspond to request >>> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9] >>> >>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error >>> >>> > response in WebSocket communication would not be processed by the >>> >>> > browser! If you need to send the error code and message to the client >>> >>> > then configure custom WebSocketResponse via >>> >>> > WebSocketSettings#newWebSocketResponse() factory method and override >>> >>> > #sendError() method to write them in an appropriate format for your >>> >>> > application. The ignored error code is '400' and the message: 'Origin >>> >>> > does not correspond to request'. >>> >>> > >>> >>> > in the logs ... >>> >>> > What should I do to set Origin for Websockets? >>> >>> > >>> >>> > -- >>> >>> > WBR >>> >>> > Maxim aka solomax >>> >>> >>> >>> >>> >>> >>> >>> -- >>> >>> WBR >>> >>> Maxim aka solomax >>> >>> >>> >>> - >>> >>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >>> >>> For additional commands, e-mail: users-h...@wicket.apache.org >>> >>> >>> >>> >>> > >>> > >>> > >>> > -- >>> > WBR >>> > Maxim aka solomax >>> >>> >>> >>> -- >>> WBR >>> Maxim aka solomax >>> >>> - >>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >>> For additional commands, e-mail: users-h...@wicket.apache.org >>> >>> > > > > -- > WBR > Maxim aka solomax -- WBR Maxim aka solomax - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: WebSockets and CsrfPreventionRequestCycleListener
Thanks a lot for checking Martin, The issue seems to be caused by following code in *.html (reproducible using quickstart) $(function() { Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, function() { Wicket.WebSocket.send("socketConnected"); }); }); I guess I need to manually set missing headers in such call Can you please help to set necessary headers? On Mon, May 15, 2017 at 1:50 PM, Martin Grigorovwrote: > Hi Maxim, > > Just adding getRequestCycleListeners().add(new > CsrfPreventionRequestCycleListener()); > to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't > lead to any error. > > Martin Grigorov > Wicket Training and Consulting > https://twitter.com/mtgrigorov > > On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik > wrote: > >> Hello Martin, >> >> were you able to take a look at it? >> I was hoping to have M6 with working Csrf+WebSockets >> >> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik >> wrote: >> > Thanks a million, Martin :) >> > >> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov >> wrote: >> >> Hi Maxim, >> >> >> >> I don't use this combination. >> >> But I will try to test it soon and see what can be done. >> >> >> >> Martin Grigorov >> >> Wicket Training and Consulting >> >> https://twitter.com/mtgrigorov >> >> >> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik < >> solomax...@gmail.com> >> >> wrote: >> >> >> >>> Does anybody uses this filter? >> >>> >> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik < >> solomax...@gmail.com> >> >>> wrote: >> >>> > Hello All, >> >>> > >> >>> > just have tried to add CsrfPreventionRequestCycleListener to our >> >>> application >> >>> > everything seems to work except for Websockets :( >> >>> > >> >>> > Now I'm getting >> >>> > >> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9] >> >>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - >> >>> > Possible CSRF attack, request URL: >> >>> > /openmeetings/wicket/websocket?pageId=1 >> >>> ajax-baseurl==OpenmeetingsApplication, >> >>> > Origin: null, action: aborted with error 400 Origin does not >> >>> > correspond to request >> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9] >> >>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error >> >>> > response in WebSocket communication would not be processed by the >> >>> > browser! If you need to send the error code and message to the client >> >>> > then configure custom WebSocketResponse via >> >>> > WebSocketSettings#newWebSocketResponse() factory method and override >> >>> > #sendError() method to write them in an appropriate format for your >> >>> > application. The ignored error code is '400' and the message: 'Origin >> >>> > does not correspond to request'. >> >>> > >> >>> > in the logs ... >> >>> > What should I do to set Origin for Websockets? >> >>> > >> >>> > -- >> >>> > WBR >> >>> > Maxim aka solomax >> >>> >> >>> >> >>> >> >>> -- >> >>> WBR >> >>> Maxim aka solomax >> >>> >> >>> - >> >>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> >>> For additional commands, e-mail: users-h...@wicket.apache.org >> >>> >> >>> >> > >> > >> > >> > -- >> > WBR >> > Maxim aka solomax >> >> >> >> -- >> WBR >> Maxim aka solomax >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> -- WBR Maxim aka solomax - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Balancer + HTTPS
Hi, Put a breakpoint at org.apache.wicket.request.Url#getProtocol() and see what it returns. I guess the redirect is an absolute url and that's why it breaks. See org.apache.wicket.protocol.http.servlet.ServletWebResponse#sendRedirect Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov On Mon, May 15, 2017 at 5:01 AM, Marcel Barbosa Pinto < marcel.po...@gmail.com> wrote: > Hi, > > I am using a balancer which sends the X-Forwarded-Proto header to my Wicket > application. > > I`ve added the following filters: > > getFilterFactoryManager() > > .addSecuredRemoteAddressRequestWrapperFactory(null) > > .addXForwardedRequestWrapperFactory(null); > > > > And the HttpsMapper: > > setRootRequestMapper(new HttpsMapper(getRootRequestMapper(), new > > HttpsConfig()) > > > > > And the following init-param into web.xml > > > > protocolHeader > > X-Forwarded-Proto > > > > > > > When I debug I can see that the header is working inside a > RequestCycleListener > > HttpServletRequest req = (HttpServletRequest) > > cycle.getRequest().getContainerRequest(); > > System.out.println("-->" + req.getScheme() + " ==" + > > req.getHeader("X-Forwarded-Proto"); > > > > > The problem occurs when some versioned page is created and wicket redirect > it to the same URL but with the HTTP:// instead, for example: > > *https://*www.wicket.com/statefullPage > -> Response header: 302 (Location: *http://*www.wicket.com/ > statefullPage*?1* > ) > > If I change it back to HTTPS it works: > > *https://*www.wicket.com/statefullPage > *?1* > *-> *Response 200 OK > > I believe that in some redirection logic the original schema is being lost > somehow, during page versioning. > This problem only occurs when using the "X-Forwarded-Proto" header > > Using Wicket 7.6.0 > Any suggestions? > > Thanks! >
Re: WebSockets and CsrfPreventionRequestCycleListener
Hi Maxim, Just adding getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener()); to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't lead to any error. Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnikwrote: > Hello Martin, > > were you able to take a look at it? > I was hoping to have M6 with working Csrf+WebSockets > > On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik > wrote: > > Thanks a million, Martin :) > > > > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov > wrote: > >> Hi Maxim, > >> > >> I don't use this combination. > >> But I will try to test it soon and see what can be done. > >> > >> Martin Grigorov > >> Wicket Training and Consulting > >> https://twitter.com/mtgrigorov > >> > >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik < > solomax...@gmail.com> > >> wrote: > >> > >>> Does anybody uses this filter? > >>> > >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik < > solomax...@gmail.com> > >>> wrote: > >>> > Hello All, > >>> > > >>> > just have tried to add CsrfPreventionRequestCycleListener to our > >>> application > >>> > everything seems to work except for Websockets :( > >>> > > >>> > Now I'm getting > >>> > > >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9] > >>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - > >>> > Possible CSRF attack, request URL: > >>> > /openmeetings/wicket/websocket?pageId=1 > >>> ajax-baseurl==OpenmeetingsApplication, > >>> > Origin: null, action: aborted with error 400 Origin does not > >>> > correspond to request > >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9] > >>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error > >>> > response in WebSocket communication would not be processed by the > >>> > browser! If you need to send the error code and message to the client > >>> > then configure custom WebSocketResponse via > >>> > WebSocketSettings#newWebSocketResponse() factory method and override > >>> > #sendError() method to write them in an appropriate format for your > >>> > application. The ignored error code is '400' and the message: 'Origin > >>> > does not correspond to request'. > >>> > > >>> > in the logs ... > >>> > What should I do to set Origin for Websockets? > >>> > > >>> > -- > >>> > WBR > >>> > Maxim aka solomax > >>> > >>> > >>> > >>> -- > >>> WBR > >>> Maxim aka solomax > >>> > >>> - > >>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > >>> For additional commands, e-mail: users-h...@wicket.apache.org > >>> > >>> > > > > > > > > -- > > WBR > > Maxim aka solomax > > > > -- > WBR > Maxim aka solomax > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > >