wicket:for does not work if used after the referenced component

2015-04-09 Thread Andreas Kappler
Hi, in Wicket 6.18 this code works as expected (for attribute of label is set to id of input and id of input is written to HTML): <label wicket:for="cb">Label</label> <input type="checkbox" wicket:id="cb"/> However if reversed, the id of the input is not written to the HTML and therefore the label

CSRF protection by randomizing the page ID

2013-11-25 Thread Andreas Kappler
Hi, I am working on securing a Wicket application against CSRF attacks, which are possible because Wicket URLs can be easily guessed by an attacker and requests contain no challenge token. I did my research and found https://issues.apache.org/jira/browse/WICKET-1782 and

CSRF protection and mounting pages

2013-09-18 Thread Andreas Kappler
Hi! I am currently looking into making our Wicket applications CSRF safe. From my understanding the CryptoMapper is the way to go, and I was able to set it up working successfully. There are however several mounted pages in the applications (with WebApplication.mountPage), where the URLs

Re: CSRF protection and mounting pages

2013-09-18 Thread Andreas Kappler
mapHandler(final IRequestHandler requestHandler). If the passed requestHandler is IPageClassRequestHandler then you can call #getPageClass() on it and decide whether to encrypt the Url or not. For all other IRequestHandlers - always encrypt. On Wed, Sep 18, 2013 at 11:43 AM, Andreas Kappler

Re: CSRF protection and mounting pages

2013-09-18 Thread Andreas Kappler
instead of mounting pages, it seems to me to be the safest way. On 18.09.2013 14:08, Martin Grigorov wrote: Check https://issues.apache.org/jira/browse/WICKET-5326 It talks about similar things On Wed, Sep 18, 2013 at 3:03 PM, Andreas Kappler andreas.kapp...@jato-consulting.de wrote: Hi

Re: CSRF protection and mounting pages

2013-09-18 Thread Andreas Kappler
/09/2013 14:48, Andreas Kappler wrote: Thanks for pointing out that ticket. So as I see it, there is currently no easy way to secure pages from CSRF attacks if they are mounted. To be honest I find it a bit surprising that no one contributed a solution for this common problem. I will probably go

Re: UrlResourceReference escapes too much?

2012-12-04 Thread Andreas Kappler
I created an issue for this: WICKET-4907 https://issues.apache.org/jira/browse/WICKET-4907 Best Regards, Andreas On 03.12.2012 16:21, Martin Grigorov wrote: I'm not sure. I have to debug it to be able to say what happens. On Mon, Dec 3, 2012 at 4:16 PM, Andreas Kappler andreas.kapp

UrlResourceReference escapes too much?

2012-12-03 Thread Andreas Kappler
Hi, I am trying to render a reference to a Javascript library which is stored somewhere in my webapp directory using UrlResourceReference: public void renderHead(IHeaderResponse response) { super.renderHead(response); response.render(JavaScriptHeaderItem.forReference(new

Re: UrlResourceReference escapes too much?

2012-12-03 Thread Andreas Kappler
:10, schrieb Martin Grigorov: Hi, Try with org.apache.wicket.markup.head.JavaScriptHeaderItem#forUrl() This method cares about context relative urls. On Mon, Dec 3, 2012 at 4:06 PM, Andreas Kappler andreas.kapp...@jato-consulting.de wrote: Hi, I am trying to render a reference to a Javascript