Thanks Martin,

so I've used this:

setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(),
        new KeyInSessionSunJceCryptFactory()));


import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.util.IProvider;
import org.apache.wicket.util.crypt.ICrypt;

public class PostUrlCryptMapper extends CryptoMapper {

    private static Log log = LogFactory.getLog(PostUrlCryptMapper.class);

    /**
     * @param wrappedMapper
     * @param cryptFactory
     */
    public PostUrlCryptMapper(IRequestMapper wrappedMapper,
                              final KeyInSessionSunJceCryptFactory cryptFactory) {
        super(wrappedMapper, new IProvider<ICrypt>() {
            @Override
            public ICrypt get() {
                return cryptFactory.newCrypt();
            }
        });
    }

    // Encrypt only the URLs generated for form listeners; every other
    // handler is mapped by the wrapped mapper without encryption.
    public Url mapHandler(final IRequestHandler requestHandler) {
        if (isFormListenerInterfaceRequestHandler(requestHandler)) {
            return super.mapHandler(requestHandler);
        } else {
            return getDelegateMapper().mapHandler(requestHandler);
        }
    }

    // Try the wrapped mapper first; fall back to decrypting the URL only
    // when the wrapped mapper cannot resolve the request.
    public IRequestHandler mapRequest(final Request request) {
        final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request);
        if (requestHandler == null) {
            return super.mapRequest(request);
        }
        return requestHandler;
    }

    /**
     * Returns true if the component attached to the
     * ListenerInterfaceRequestHandler is a Form.
     * @param requestHandler
     * @return
     */
    private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) {
        if (requestHandler instanceof ListenerInterfaceRequestHandler) {
            ListenerInterfaceRequestHandler listenerInterfaceRequestHandler =
                    (ListenerInterfaceRequestHandler) requestHandler;
            IRequestableComponent c = listenerInterfaceRequestHandler.getComponent();
            if (c instanceof Form) {
                log.info("Form found!");
                return true;
            }
        }
//        else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) {
//            BookmarkableListenerInterfaceRequestHandler handler =
//                    (BookmarkableListenerInterfaceRequestHandler) requestHandler;
//            IRequestableComponent c = handler.getComponent();
//            if (c instanceof Form) {
//                log.info("Form found!");
//                return true;
//            }
//        }

        return false;
    }
}


However what I am finding is that any form on a stateless/bookmarkable page
is not being encrypted. I tried to work around this with the section of
code that's commented out (BookmarkableListenerInterfaceRequestHandler).
This then encrypts the form action fine, but then I get 2 bits of odd
behaviour:


- On pages that are bookmarkable, if there is a constructor that has
PageParameters, the page is just recreated and the submit is ignored (when
pressing submit). If I remove the PageParameter constructor then it works
fine.

- On stateless pages, again when submitting the form it just recreates the
page


import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.CompoundPropertyModel;
import org.apache.wicket.util.value.ValueMap;

public class SomeLoginPage extends WebPage {

    public SomeLoginPage() {
        setStatelessHint(true);
        add(new FeedbackPanel("feedback"));
        add(new SignInForm("signInForm").setOutputMarkupId(false));
    }

    public final class SignInForm extends StatelessForm<ValueMap> {

        public SignInForm(final String id) {
            super(id, new CompoundPropertyModel<ValueMap>(new ValueMap()));

            add(new TextField<String>("username").setOutputMarkupId(false));
            add(new PasswordTextField("password").setOutputMarkupId(false));
        }

        /**
         * @see org.apache.wicket.markup.html.form.Form#onSubmit()
         */
        public void onSubmit() {
            ValueMap values = getModelObject();
            String username = values.getString("username");
            String password = values.getString("password");

            if (signIn(username, password)) {
                ((HubSession) Session.get()).setAdminAthenticated(true);
                ContextUtil.get().setUser(null);

                setResponsePage(CompanyAdminPage.class);
            } else {
                // Try the component based localizer first. If not found try the
                // application localizer. Else use the default
                error(getLocalizer().getString("exception.login", this,
                        "Illegal username password combo"));
            }
        }

        private boolean signIn(String username, String password) {
            // TODO authentication
            return false;
        }
    }
}



Any ideas?



On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov <mgrigo...@apache.org>
wrote:

> org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
> instanceOf Form
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Thu, Sep 7, 2017 at 11:04 AM, Wayne W <waynemailingli...@gmail.com>
> wrote:
>
> > Thanks Martin,
> >
> > how can I tell for example if the IPageClassRequestHandler or
> > ListenerInterfaceRequestHandler is for a form?
> >
> > On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov <mgrigo...@apache.org>
> > wrote:
> >
> > > Hi,
> > >
> > > I don't use any of these so I don't have much experience in production
> > > with them!
> > >
> > > On Wed, Sep 6, 2017 at 12:07 PM, Wayne W <waynemailingli...@gmail.com>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > I've been trying to use CsrfPreventionRequestCycleListener in
> > > > production. However we are seeing in the logs that about 30 times a
> > > > day we get the request aborted because the clients' browsers are not
> > > > sending the referrer header sometimes. Doing some research it seems we
> > > > cannot rely on the client's browser to send the referrer and it could
> > > > be somewhat buggy in older browsers.
> > > >
> > > > Does anyone else experience this trouble?
> > > >
> > > > Are there any alternatives?
> > > >
> > > > I did try:
> > > >
> > > > getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
> > > >
> > > > setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
> > > >
> > > > However this encrypts everything (resources, urls, etc). Is there a
> > > > way of just encrypting say forms and links or something?
> > > >
> > >
> > > You can override CryptoMapper#mapHandler() and call super.mapHandler()
> > > only when the IRequestHandler is not an instance of
> > > IPageClassRequestHandler or only when it is
> > > ListenerInterfaceRequestHandler.
> > >
> > >
> > > >
> > > > Anyone got a solution that works for them in production?
> > > >
> > > > many thanks
> > > >
> > >
> >
>
