Re: CsrfPreventionRequestCycleListener or alternative CSRF protection
Hello Wayne,

Here is the current code: [1]
Seems to work as expected

[1] https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java#L245

On Tue, Sep 19, 2017 at 9:51 PM, Wayne W wrote:
> Hi Maxim, what are you using? CsrfPreventionRequestCycleListener?
>
> On Tue, Sep 19, 2017 at 2:23 PM, Maxim Solodovnik wrote:
> > It works for us, but we are not using *CryptMapper's ...
> >
> > [...]
Re: CsrfPreventionRequestCycleListener or alternative CSRF protection
Hi Maxim, what are you using? CsrfPreventionRequestCycleListener?

On Tue, Sep 19, 2017 at 2:23 PM, Maxim Solodovnik wrote:
> It works for us, but we are not using *CryptMapper's ...
>
> On Tue, Sep 19, 2017 at 7:49 PM, Wayne W wrote:
> > Hi,
> >
> > does anyone else have any ideas what I could do here. Is there anyone out
> > there who's successfully got the CSRF protection up and running in
> > production?
> >
> > [...]
Re: CsrfPreventionRequestCycleListener or alternative CSRF protection
It works for us, but we are not using *CryptMapper's ...

On Tue, Sep 19, 2017 at 7:49 PM, Wayne W wrote:
> Hi,
>
> does anyone else have any ideas what I could do here. Is there anyone out
> there who's successfully got the CSRF protection up and running in
> production?
>
> On Fri, Sep 8, 2017 at 10:31 AM, Wayne W wrote:
> > Thanks Martin,
> >
> > so I've used this:
> >
> > [...]
Re: CsrfPreventionRequestCycleListener or alternative CSRF protection
Hi,

does anyone else have any ideas what I could do here. Is there anyone out
there who's successfully got the CSRF protection up and running in
production?

On Fri, Sep 8, 2017 at 10:31 AM, Wayne W wrote:
> Thanks Martin,
>
> so I've used this:
>
> [...]
>
> However what I am finding is that any form on a stateless/bookmarkable
> page is not being encrypted. I tried to work around this with the section
> of code that's commented out (BookmarkableListenerInterfaceRequestHandler).
> This then encrypts the form action fine, but then I get 2 bits of odd
> behaviour:
>
> - On pages that are bookmarkable, if there is a constructor that has
>   PageParameters, the page is just recreated and the submit is ignored (when
>   pressing submit). If I remove the PageParameters constructor then it works
>   fine.
>
> - On stateless pages, again when submitting the form it just recreates
>   the page
>
> [...]
>
> Any ideas?
>
> On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov wrote:
> > [...]
Re: CsrfPreventionRequestCycleListener or alternative CSRF protection
Thanks Martin,

so I've used this:

setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(),
        new KeyInSessionSunJceCryptFactory()));


import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.wicket.core.request.handler.BookmarkableListenerInterfaceRequestHandler;
import org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.util.IProvider;
import org.apache.wicket.util.crypt.ICrypt;

public class PostUrlCryptMapper extends CryptoMapper {

    private static final Log log = LogFactory.getLog(PostUrlCryptMapper.class);

    /**
     * @param wrappedMapper the root mapper whose URLs are selectively encrypted
     * @param cryptFactory  supplies the per-session ICrypt used for encryption
     */
    public PostUrlCryptMapper(IRequestMapper wrappedMapper,
            final KeyInSessionSunJceCryptFactory cryptFactory) {
        super(wrappedMapper, new IProvider<ICrypt>() {
            @Override
            public ICrypt get() {
                return cryptFactory.newCrypt();
            }
        });
    }

    /** Encrypt (via super) only URLs of form listener handlers; everything else passes through unencrypted. */
    @Override
    public Url mapHandler(final IRequestHandler requestHandler) {
        if (isFormListenerInterfaceRequestHandler(requestHandler)) {
            return super.mapHandler(requestHandler);
        } else {
            return getDelegateMapper().mapHandler(requestHandler);
        }
    }

    /** Ask the delegate first; only if it cannot map the request fall back to CryptoMapper (decryption). */
    @Override
    public IRequestHandler mapRequest(final Request request) {
        final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request);
        if (requestHandler == null) {
            return super.mapRequest(request);
        }
        return requestHandler;
    }

    /**
     * Returns true if the component attached to the ListenerInterfaceRequestHandler is a Form.
     * @param requestHandler
     * @return
     */
    private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) {
        if (requestHandler instanceof ListenerInterfaceRequestHandler) {
            ListenerInterfaceRequestHandler listenerInterfaceRequestHandler =
                (ListenerInterfaceRequestHandler) requestHandler;
            IRequestableComponent c = listenerInterfaceRequestHandler.getComponent();
            if (c instanceof Form) {
                log.info("Form found!");
                return true;
            }
        }
        //else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) {
        //    BookmarkableListenerInterfaceRequestHandler handler =
        //        (BookmarkableListenerInterfaceRequestHandler) requestHandler;
        //    IRequestableComponent c = handler.getComponent();
        //    if (c instanceof Form) {
        //        log.info("Form found!");
        //        return true;
        //    }
        //}
        return false;
    }
}


However what I am finding is that any form on a stateless/bookmarkable
page is not being encrypted. I tried to work around this with the section
of code that's commented out (BookmarkableListenerInterfaceRequestHandler).
This then encrypts the form action fine, but then I get 2 bits of odd
behaviour:

- On pages that are bookmarkable, if there is a constructor that has
  PageParameters, the page is just recreated and the submit is ignored (when
  pressing submit). If I remove the PageParameters constructor then it works
  fine.

- On stateless pages, again when submitting the form it just recreates
  the page


import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.CompoundPropertyModel;
import org.apache.wicket.util.value.ValueMap;

public class SomeLoginPage extends WebPage {

    public SomeLoginPage() {
        setStatelessHint(true);
        add(new FeedbackPanel("feedback"));
        add(new SignInForm("signInForm").setOutputMarkupId(false));
    }

    public final class SignInForm extends StatelessForm<ValueMap> {

        public SignInForm(final String id) {
            super(id, new CompoundPropertyModel<ValueMap>(new ValueMap()));
            add(new TextField<String>("username").setOutputMarkupId(false));
            add(new PasswordTextField("password").setOutputMarkupId(false));
        }

        /**
         * @see org.apache.wicket.markup.html.form.Form#onSubmit()
         */
        @Override
        public void onSubmit() {
            ValueMap values = getModelObject();
            String username = values.getString("username");
            String password = values.getString("password");

            if (signIn(username, password)) {
                // HubSession, ContextUtil and CompanyAdminPage are this application's own classes
                ((HubSession) Session.get()).setAdminAthenticated(true);
                ContextUtil.get().setUser(null);
                setResponsePage(CompanyAdminPage.class);
            } else {
                // Try the component based localizer first. If not found try the
                // application localizer. Else use the default
                error(getLocalizer().getString("exception.login", this,
                    "Illegal username password combo"));
            }
        }

        private boolean signIn(String username, String password) {
            // TODO authentication
            return false;
        }
    }
}


Any ideas?

On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov wrote:
> org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
> instanceOf Form
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Thu, Sep 7, 2017 at 11:04 AM, Wayne W wrote:
> > Thanks Martin,
> >
> > how can I tell for example if the IPageClassRequestHandler or
> > ListenerInterfaceRequestHandler is for a form?
> >
> > [...]
Re: CsrfPreventionRequestCycleListener or alternative CSRF protection
org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
instanceOf Form

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Thu, Sep 7, 2017 at 11:04 AM, Wayne W wrote:
> Thanks Martin,
>
> how can I tell for example if the IPageClassRequestHandler or
> ListenerInterfaceRequestHandler is for a form?
>
> On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov wrote:
> > Hi,
> >
> > I don't use any of these so I don't have much experience in production
> > with them!
> >
> > [...]
> >
> > You can override CryptoMapper#mapHandler() and call super.mapHandler() only
> > when the IRequestHandler is not an instance of IPageClassRequestHandler or
> > only when it is ListenerInterfaceRequestHandler.
> >
> > [...]
Re: CsrfPreventionRequestCycleListener or alternative CSRF protection
Thanks Martin,

how can I tell for example if the IPageClassRequestHandler or
ListenerInterfaceRequestHandler is for a form?

On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov wrote:
> Hi,
>
> I don't use any of these so I don't have much experience in production
> with them!
>
> On Wed, Sep 6, 2017 at 12:07 PM, Wayne W wrote:
> > [...]
> >
> > However this encrypts everything (resources, urls, etc). Is there a way of
> > just encrypting say forms and links or something?
>
> You can override CryptoMapper#mapHandler() and call super.mapHandler() only
> when the IRequestHandler is not an instance of IPageClassRequestHandler or
> only when it is ListenerInterfaceRequestHandler.
>
> > [...]
Re: CsrfPreventionRequestCycleListener or alternative CSRF protection
Hi,

I don't use any of these so I don't have much experience in production
with them!

On Wed, Sep 6, 2017 at 12:07 PM, Wayne W wrote:
> Hi,
>
> I've been trying to use CsrfPreventionRequestCycleListener in production.
> However we are seeing in the logs that about 30 times a day we get the
> request aborted because the clients' browsers are not sending the referrer
> header sometimes. Doing some research it seems we cannot rely on the
> client's browser to send the referrer and it could be somewhat buggy in
> older browsers.
>
> Does anyone else experience this trouble?
>
> Are there any alternatives?
>
> I did try:
>
> getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
>
> setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
>
> However this encrypts everything (resources, urls, etc). Is there a way of
> just encrypting say forms and links or something?

You can override CryptoMapper#mapHandler() and call super.mapHandler() only
when the IRequestHandler is not an instance of IPageClassRequestHandler or
only when it is ListenerInterfaceRequestHandler.

> Anyone got a solution that works for them in production?
>
> many thanks
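The following is an added example, not code from this thread, from Wicket itself or from OpenMeetings. It carries out Martin's suggestion above and builds on Wayne's PostUrlCryptMapper from earlier in the thread in two ways: it treats a submit arriving through BookmarkableListenerInterfaceRequestHandler (the handler a StatelessForm on a stateless or bookmarkable page produces) the same as one through ListenerInterfaceRequestHandler, and it also recognises a submit whose listener target is a Button inside the form, which a bare `instanceof Form` test on the target component misses. It deliberately does not override mapRequest(): CryptoMapper's own implementation decrypts the incoming URL before delegating, whereas a delegate-first mapRequest() lets the delegate claim an encrypted action URL as an ordinary page request before it is ever decrypted. That this is what produced the "page is just recreated" symptom is an assumption on my part, not something the thread confirms, and the PageParameters-constructor case Wayne reports is not addressed here. Wicket 7 package and type names are assumed; FormOnlyCryptoMapper and its helper methods are names chosen for this example.

```java
// Added example; Wicket 7 package names assumed (Wicket 8 renamed the handler and provider types).
import org.apache.wicket.Component;
import org.apache.wicket.core.request.handler.BookmarkableListenerInterfaceRequestHandler;
import org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.util.IProvider;
import org.apache.wicket.util.crypt.ICrypt;

public class FormOnlyCryptoMapper extends CryptoMapper {

    public FormOnlyCryptoMapper(IRequestMapper wrappedMapper,
            final KeyInSessionSunJceCryptFactory cryptFactory) {
        super(wrappedMapper, new IProvider<ICrypt>() {
            @Override
            public ICrypt get() {
                // The key lives in the HTTP session, so an encrypted action URL taken from
                // one user's page is meaningless in any other session.
                return cryptFactory.newCrypt();
            }
        });
    }

    /** Encrypt only form-submission URLs; page, resource and plain link URLs stay readable. */
    @Override
    public Url mapHandler(IRequestHandler handler) {
        if (isFormSubmission(handler)) {
            return super.mapHandler(handler);
        }
        return getDelegateMapper().mapHandler(handler);
    }

    // mapRequest() is intentionally left to CryptoMapper: it decrypts the incoming URL
    // first and only then hands it to the delegate, so an encrypted form action is
    // recognised before the delegate could read it as an ordinary page URL.

    /** True for a listener call whose target is a Form or a component inside one (e.g. a submit Button). */
    static boolean isFormSubmission(IRequestHandler handler) {
        IRequestableComponent target = null;
        if (handler instanceof ListenerInterfaceRequestHandler) {
            // stateful pages: the component is resolved from the stored page instance
            target = ((ListenerInterfaceRequestHandler) handler).getComponent();
        } else if (handler instanceof BookmarkableListenerInterfaceRequestHandler) {
            // stateless/bookmarkable pages: the page is recreated and the listener is
            // addressed by page class and component path
            target = ((BookmarkableListenerInterfaceRequestHandler) handler).getComponent();
        }
        return isFormOrInsideForm(target);
    }

    static boolean isFormOrInsideForm(IRequestableComponent c) {
        if (c instanceof Form) {
            return true;
        }
        // a Button's or SubmitLink's listener target is the button itself, not the form
        return c instanceof Component && ((Component) c).findParent(Form.class) != null;
    }
}
```

Register it in WebApplication.init() the same way the thread does for PostUrlCryptMapper: `setRootRequestMapper(new FormOnlyCryptoMapper(getRootRequestMapper(), new KeyInSessionSunJceCryptFactory()))`. The protection this gives rests on the form action URL being unobtainable outside the session that encrypted it; it does not look at the Referer header at all, which is the property the original question was after.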
CsrfPreventionRequestCycleListener or alternative CSRF protection
Hi,

I've been trying to use CsrfPreventionRequestCycleListener in production.
However we are seeing in the logs that about 30 times a day we get the
request aborted because the clients' browsers are not sending the referrer
header sometimes. Doing some research it seems we cannot rely on the
client's browser to send the referrer and it could be somewhat buggy in
older browsers.

Does anyone else experience this trouble?

Are there any alternatives?

I did try:

getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());

setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));

However this encrypts everything (resources, urls, etc). Is there a way of
just encrypting say forms and links or something?

Anyone got a solution that works for them in production?

many thanks
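An added example, not code from this thread or from the Wicket project, for the "about 30 times a day" aborts in the original question: a CsrfPreventionRequestCycleListener subclass that keeps the default ABORT policy but logs the method, URI, origin, page and user agent of every aborted request, so the aborts can be attributed to particular clients before any policy is relaxed. It assumes the Wicket 7 API: the listener reads the Origin header first and falls back to Referer only when Origin is absent, so an abort whose origin is null means the client sent neither header, while a non-null origin means the request named another site. Setting setNoOriginAction to SUPPRESS or ALLOW would make the aborts go away, but only by accepting every request that carries neither header, whose source then cannot be verified at all; logging first makes that a per-client decision rather than a blind one. The origin https://admin.example.com, the class names AuditedCsrfListener and AuditedApplication, and the HomePage placeholder are all invented for the example.

```java
// Added example; Wicket 7 names assumed: CsrfPreventionRequestCycleListener, its nested
// CsrfAction enum, setNoOriginAction, setConflictingOriginAction, addAcceptedOrigin, onAborted.
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.Page;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class AuditedCsrfListener extends CsrfPreventionRequestCycleListener {

    private static final Logger log = LoggerFactory.getLogger(AuditedCsrfListener.class);

    public AuditedCsrfListener() {
        // State the strict defaults explicitly: a request whose Origin/Referer names another
        // site is rejected, and so is one that carries neither header.
        setConflictingOriginAction(CsrfAction.ABORT);
        setNoOriginAction(CsrfAction.ABORT);
        // Hypothetical second host of the same deployment that legitimately posts here.
        addAcceptedOrigin("https://admin.example.com");
    }

    @Override
    protected void onAborted(HttpServletRequest request, String origin, IRequestablePage page) {
        // origin == null: neither Origin nor Referer was sent (the "missing referrer" case).
        // origin != null: the request named a conflicting source.
        // User agent plus URI lets you separate an old browser or a Referer-stripping proxy
        // from a genuine cross-site POST before deciding whether to relax anything.
        log.warn("CSRF check aborted: method={} uri={} origin={} page={} ua={}",
            request.getMethod(),
            request.getRequestURI(),
            origin == null ? "<none>" : origin,
            page == null ? "<none>" : page.getClass().getName(),
            request.getHeader("User-Agent"));
        super.onAborted(request, origin, page);
    }
}

// Registration in the application's init(). HomePage is a placeholder for the real home page.
class AuditedApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();
        getRequestCycleListeners().add(new AuditedCsrfListener());
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }
}

class HomePage extends WebPage {
    // placeholder page so the example compiles on its own
}
```

The warn line is the thing to watch: if the aborted requests all carry null origins and a handful of old user agents, the 30-a-day figure is those clients and nothing else; if non-null origins from other sites appear, the listener is doing exactly what it is there for.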