Thanks Martin, so I've used this:
setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(), new KeyInSessionSunJceCryptFactory())); public class PostUrlCryptMapper extends CryptoMapper { /** * @param wrappedMapper * @param cryptFactory */ private static Log log = LogFactory.getLog(PostUrlCryptMapper.class); public PostUrlCryptMapper(IRequestMapper wrappedMapper, final KeyInSessionSunJceCryptFactory cryptFactory) { super(wrappedMapper, new IProvider<ICrypt>() { @Override public ICrypt get() { return cryptFactory.newCrypt(); } }); } public Url mapHandler(final IRequestHandler requestHandler) { if (isFormListenerInterfaceRequestHandler(requestHandler)) { return super.mapHandler(requestHandler); } else { return getDelegateMapper().mapHandler(requestHandler); } } public IRequestHandler mapRequest(final Request request) { final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request); if (requestHandler == null) { return super.mapRequest(request); } return requestHandler; } /** * Returns true, whether the attached component to ListenerInterfaceRequestHandler is in form container. * @param requestHandler * @return */ private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) { if (requestHandler instanceof ListenerInterfaceRequestHandler) { ListenerInterfaceRequestHandler listenerInterfaceRequestHandler = (ListenerInterfaceRequestHandler) requestHandler; IRequestableComponent c = listenerInterfaceRequestHandler .getComponent(); if (c instanceof Form) { log.info("Form found!"); return true; } } // else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) { // BookmarkableListenerInterfaceRequestHandler handler = (BookmarkableListenerInterfaceRequestHandler) requestHandler; // IRequestableComponent c = handler.getComponent(); // if (c instanceof Form) { // log.info("Form found!"); // return true; // } // } return false; } } However what I am finding is that any form on a stateless/bookmarkable page are not being encrypted. I tried to work around this with the section of code thats commented out (BookmarkableListenerInterfaceRequestHandler) . This then encrypts the form action fine, but then I get 2 bits of odd behaviour: - On pages that are bookmarkable, if there is a constructor that has PageParameters, the page is just recreated and the submit is ignored (when pressing submit).If I remove the PageParameter constructor then it works fine. - On stateless pages , again when submitting the form it just recreates the page public class SomeLoginPage extends WebPage { public SomeLoginPage() { setStatelessHint(true); add(new FeedbackPanel("feedback")); add(new SignInForm("signInForm").setOutputMarkupId(false)); } public final class SignInForm extends StatelessForm<ValueMap> { public SignInForm(final String id) { super(id, new CompoundPropertyModel<ValueMap>(new ValueMap())); add(new TextField<String>("username").setOutputMarkupId(false)); add(new PasswordTextField("password").setOutputMarkupId(false)); } /** * * @see org.apache.wicket.markup.html.form.Form#onSubmit() */ public void onSubmit() { ValueMap values = getModelObject(); String username = values.getString("username"); String password = values.getString("password"); if (signIn(username, password)) { ((HubSession) Session.get()).setAdminAthenticated(true); ContextUtil.get().setUser(null); setResponsePage(CompanyAdminPage.class); } else { // Try the component based localizer first. If not found try the // application localizer. Else use the default error(getLocalizer().getString("exception.login", this, "Illegal username password combo")); } } private boolean signIn(String username, String password) { // TODO authentication return false; } } } Any ideas? On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov <mgrigo...@apache.org> wrote: > org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandle > r#getComponent() > instanceOf Form > > Martin Grigorov > Wicket Training and Consulting > https://twitter.com/mtgrigorov > > On Thu, Sep 7, 2017 at 11:04 AM, Wayne W <waynemailingli...@gmail.com> > wrote: > > > Thanks Martin, > > > > how can I tell for example if the IPageClassRequestHandler or > > ListenerInterfaceRequestHandler is for a form? > > > > On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov <mgrigo...@apache.org> > > wrote: > > > > > Hi, > > > > > > I don't use any of these so I have no much experience in production > with > > > them! > > > > > > On Wed, Sep 6, 2017 at 12:07 PM, Wayne W <waynemailingli...@gmail.com> > > > wrote: > > > > > > > Hi, > > > > > > > > I've been trying to use CsrfPreventionRequestCycleListener in > > > production. > > > > However we are seeing in the logs that about 30 times a day we get > the > > > > request aborted because the clients browsers are not sending the > > referrer > > > > header sometimes. Doing some research it seems we cannot rely on the > > > > clients browser to send the referrer and it could be somewhat buggy > in > > > > older browsers. > > > > > > > > Does anyone else experience this trouble? > > > > > > > > Are there any alternatives? > > > > > > > > I did try: > > > > > > > > getSecuritySettings().setCryptFactory(new > > KeyInSessionSunJceCryptFactory > > > > ()); > > > > > > > > setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound > > (), > > > > this)); > > > > > > > > However this encrypts everything (resources, urls, etc). Is there a > way > > > of > > > > just encrypting say forms and links or something? > > > > > > > > > > You can override CryptoMapper#mapHandler() and call super.mapHandler() > > only > > > when the IRequestHandler is not an instance of IPageClassRequestHandler > > or > > > only when it is ListenerInterfaceRequestHandler. > > > > > > > > > > > > > > Anyone got a solution that works for them in production? > > > > > > > > many thanks > > > > > > > > > >