Re: CsrfPreventionRequestCycleListener or alternative CSRF protection

2017-09-19 Thread Maxim Solodovnik
Hello Wayne,

Here is the current code: [1]
Seems to work as expected

[1] 
https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java#L245

On Tue, Sep 19, 2017 at 9:51 PM, Wayne W  wrote:
> Hi Maxim, what are you using? CsrfPreventionRequestCycleListener?
>
> On Tue, Sep 19, 2017 at 2:23 PM, Maxim Solodovnik 
> wrote:
>
>> It works for us, but we are not using *CryptMapper's ...

Re: CsrfPreventionRequestCycleListener or alternative CSRF protection

2017-09-19 Thread Wayne W
Hi Maxim, what are you using? CsrfPreventionRequestCycleListener?

On Tue, Sep 19, 2017 at 2:23 PM, Maxim Solodovnik 
wrote:

> It works for us, but we are not using *CryptMapper's ...

Re: CsrfPreventionRequestCycleListener or alternative CSRF protection

2017-09-19 Thread Maxim Solodovnik
It works for us, but we are not using *CryptMapper's ...

On Tue, Sep 19, 2017 at 7:49 PM, Wayne W  wrote:
> Hi,
>
> Does anyone else have any ideas what I could do here? Is there anyone out
> there who's successfully got the CSRF protection up and running in
> production?

Re: CsrfPreventionRequestCycleListener or alternative CSRF protection

2017-09-19 Thread Wayne W
Hi,

Does anyone else have any ideas what I could do here? Is there anyone out
there who's successfully got the CSRF protection up and running in
production?


Re: CsrfPreventionRequestCycleListener or alternative CSRF protection

2017-09-08 Thread Wayne W
Thanks Martin,

so I've used this:

// In WebApplication#init(): wrap the root mapper so that only form-submit URLs
// are encrypted; everything else stays as the delegate mapper produces it.
setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(),
        new KeyInSessionSunJceCryptFactory()));


import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.util.IProvider;
import org.apache.wicket.util.crypt.ICrypt;

/**
 * CryptoMapper that only encrypts URLs for listener requests whose target
 * component is a Form; all other URLs are left to the wrapped mapper.
 */
public class PostUrlCryptMapper extends CryptoMapper {

    private static final Log log = LogFactory.getLog(PostUrlCryptMapper.class);

    /**
     * @param wrappedMapper the application's root mapper
     * @param cryptFactory  factory whose key lives in the user's session
     */
    public PostUrlCryptMapper(IRequestMapper wrappedMapper,
            final KeyInSessionSunJceCryptFactory cryptFactory) {
        super(wrappedMapper, new IProvider<ICrypt>() {
            @Override
            public ICrypt get() {
                return cryptFactory.newCrypt();
            }
        });
    }

    /** Encrypt only form-submit URLs; hand everything else to the delegate unchanged. */
    @Override
    public Url mapHandler(final IRequestHandler requestHandler) {
        if (isFormListenerInterfaceRequestHandler(requestHandler)) {
            return super.mapHandler(requestHandler);
        }
        return getDelegateMapper().mapHandler(requestHandler);
    }

    /** Try the plain (unencrypted) mapping first; fall back to decrypting the URL. */
    @Override
    public IRequestHandler mapRequest(final Request request) {
        final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request);
        if (requestHandler == null) {
            return super.mapRequest(request);
        }
        return requestHandler;
    }

    /**
     * Returns true when the component attached to the ListenerInterfaceRequestHandler
     * is a Form.
     *
     * @param requestHandler the handler being mapped
     * @return true for form listener requests
     */
    private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) {
        if (requestHandler instanceof ListenerInterfaceRequestHandler) {
            IRequestableComponent c = ((ListenerInterfaceRequestHandler) requestHandler).getComponent();
            if (c instanceof Form<?>) {
                log.info("Form found!");
                return true;
            }
        }
        // Forms on stateless/bookmarkable pages arrive as
        // BookmarkableListenerInterfaceRequestHandler; this is the branch that was
        // tried for them (see below) and it is left commented out as posted.
        //else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) {
        //    IRequestableComponent c =
        //        ((BookmarkableListenerInterfaceRequestHandler) requestHandler).getComponent();
        //    if (c instanceof Form<?>) {
        //        log.info("Form found!");
        //        return true;
        //    }
        //}
        return false;
    }
}


However what I am finding is that any form on a stateless/bookmarkable page
is not being encrypted. I tried to work around this with the section of
code that's commented out (BookmarkableListenerInterfaceRequestHandler).
This then encrypts the form action fine, but then I get 2 bits of odd
behaviour:


- On pages that are bookmarkable, if there is a constructor that has
PageParameters, the page is just recreated and the submit is ignored (when
pressing submit). If I remove the PageParameters constructor then it works
fine.

- On stateless pages, again when submitting the form it just recreates the
page


import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.CompoundPropertyModel;
import org.apache.wicket.util.value.ValueMap;

/** Stateless login page: the form below is the one whose action URL is not encrypted. */
public class SomeLoginPage extends WebPage {

    public SomeLoginPage() {
        setStatelessHint(true);
        add(new FeedbackPanel("feedback"));
        add(new SignInForm("signInForm").setOutputMarkupId(false));
    }

    public final class SignInForm extends StatelessForm<ValueMap> {

        public SignInForm(final String id) {
            super(id, new CompoundPropertyModel<ValueMap>(new ValueMap()));
            add(new TextField<String>("username").setOutputMarkupId(false));
            add(new PasswordTextField("password").setOutputMarkupId(false));
        }

        /**
         * @see org.apache.wicket.markup.html.form.Form#onSubmit()
         */
        @Override
        public void onSubmit() {
            ValueMap values = getModelObject();
            String username = values.getString("username");
            String password = values.getString("password");

            if (signIn(username, password)) {
                // HubSession, ContextUtil and CompanyAdminPage are this application's
                // own classes (not shown in the post).
                ((HubSession) Session.get()).setAdminAthenticated(true);
                ContextUtil.get().setUser(null);
                setResponsePage(CompanyAdminPage.class);
            } else {
                // Try the component based localizer first. If not found try the
                // application localizer. Else use the default
                error(getLocalizer().getString("exception.login", this,
                        "Illegal username password combo"));
            }
        }

        private boolean signIn(String username, String password) {
            // TODO authentication
            return false;
        }
    }
}



Any ideas?



On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov 
wrote:

> org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
> instanceOf Form
Re: CsrfPreventionRequestCycleListener or alternative CSRF protection

2017-09-07 Thread Martin Grigorov
org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
instanceOf Form

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Thu, Sep 7, 2017 at 11:04 AM, Wayne W 
wrote:

> Thanks Martin,
>
> how can I tell for example if the IPageClassRequestHandler or
> ListenerInterfaceRequestHandler is for a form?


Re: CsrfPreventionRequestCycleListener or alternative CSRF protection

2017-09-07 Thread Wayne W
Thanks Martin,

how can I tell for example if the IPageClassRequestHandler or
ListenerInterfaceRequestHandler is for a form?

On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov 
wrote:

> Hi,
>
> I don't use any of these so I have not much experience in production with
> them!
>
> You can override CryptoMapper#mapHandler() and call super.mapHandler() only
> when the IRequestHandler is not an instance of IPageClassRequestHandler or
> only when it is ListenerInterfaceRequestHandler.
>


Re: CsrfPreventionRequestCycleListener or alternative CSRF protection

2017-09-06 Thread Martin Grigorov
Hi,

I don't use any of these so I have not much experience in production with
them!

On Wed, Sep 6, 2017 at 12:07 PM, Wayne W 
wrote:

> Hi,
>
> I've been trying to use CsrfPreventionRequestCycleListener in production.
> However we are seeing in the logs that about 30 times a day we get the
> request aborted because the clients' browsers are sometimes not sending the
> referrer header. Doing some research it seems we cannot rely on the
> client's browser to send the referrer and it could be somewhat buggy in
> older browsers.
>
> Does anyone else experience this trouble?
>
> Are there any alternatives?
>
> I did try:
>
> getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory
> ());
>
> setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(),
> this));
>
> However this encrypts everything (resources, urls, etc). Is there a way of
> just encrypting say forms and links or something?
>

You can override CryptoMapper#mapHandler() and call super.mapHandler() only
when the IRequestHandler is not an instance of IPageClassRequestHandler or
only when it is ListenerInterfaceRequestHandler.


>
> Anyone got a solution that works for them in production?
>
> many thanks
>
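
The question quoted above asks for an alternative that does not depend on the
Referer header. The following is an added example, not code from this thread,
from Wicket or from OpenMeetings: a session-bound synchronizer token in plain
Java. One random 256-bit token is issued per session, rendered into each form
as a hidden field, and compared in constant time on every submit; it is rotated
on login so a token obtained before authentication cannot be replayed
afterwards. The class name, the store keyed by session id and the session ids
in main() are constructed for the example; in a Wicket application the token
would live in the application's WebSession subclass and be checked before the
form's onSubmit does anything with the request.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Synchronizer-token CSRF check that needs neither Origin nor Referer:
 * the browser can only submit the right token if it could read the form,
 * which a cross-site attacker page cannot.
 */
public final class SynchronizerTokenDemo {

    private static final SecureRandom RNG = new SecureRandom();

    // Assumption for the example: tokens keyed by the container session id.
    // In Wicket this map would be replaced by a field on the WebSession object.
    private final Map<String, byte[]> tokensBySession = new ConcurrentHashMap<>();

    /** Returns the session's token (URL-safe base64), creating it on first use. */
    public String issue(String sessionId) {
        byte[] token = tokensBySession.computeIfAbsent(sessionId, k -> randomToken());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token);
    }

    /** Replaces the token; call on login and logout so an old token cannot be replayed. */
    public String rotate(String sessionId) {
        tokensBySession.put(sessionId, randomToken());
        return issue(sessionId);
    }

    /** True only if the submitted hidden-field value matches this session's token. */
    public boolean validate(String sessionId, String submitted) {
        byte[] expected = tokensBySession.get(sessionId);
        if (expected == null || submitted == null) {
            return false;                       // no token issued, or none submitted
        }
        byte[] actual;
        try {
            actual = Base64.getUrlDecoder().decode(submitted);
        } catch (IllegalArgumentException e) {
            return false;                       // not even valid base64: reject
        }
        // MessageDigest.isEqual runs in time independent of where the arrays differ,
        // so the comparison leaks nothing about the token through timing.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] randomToken() {
        byte[] b = new byte[32];               // 256 bits from a CSPRNG
        RNG.nextBytes(b);
        return b;
    }

    public static void main(String[] args) {
        SynchronizerTokenDemo store = new SynchronizerTokenDemo();
        String alice = "JSESSIONID-alice";      // constructed session ids
        String mallory = "JSESSIONID-mallory";

        String hiddenField = store.issue(alice);   // what the page renders into the form
        System.out.println("valid submit:            " + store.validate(alice, hiddenField));
        System.out.println("token missing:           " + store.validate(alice, null));
        System.out.println("tampered token:          " + store.validate(alice, hiddenField + "x"));
        System.out.println("other session's token:   " + store.validate(alice, store.issue(mallory)));

        String afterLogin = store.rotate(alice);   // rotate once the user authenticates
        System.out.println("pre-login token replayed: " + store.validate(alice, hiddenField));
        System.out.println("post-login token:         " + store.validate(alice, afterLogin));
    }
}
```

Running main() shows the first and last checks succeeding and the missing,
tampered, foreign-session and pre-rotation tokens all rejected. A page that is
deliberately stateless, such as SomeLoginPage earlier in the thread, has no
session to hold the token; the same comparison can then be made against a
random value carried in a cookie set for that visitor (the double-submit
variant), which likewise does not rely on the Referer header.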


CsrfPreventionRequestCycleListener or alternative CSRF protection

2017-09-06 Thread Wayne W
Hi,

I've been trying to use CsrfPreventionRequestCycleListener in production.
However we are seeing in the logs that about 30 times a day we get the
request aborted because the clients' browsers are sometimes not sending the
referrer header. Doing some research it seems we cannot rely on the
client's browser to send the referrer and it could be somewhat buggy in
older browsers.

Does anyone else experience this trouble?

Are there any alternatives?

I did try:

getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());

setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(),
this));

However this encrypts everything (resources, urls, etc). Is there a way of
just encrypting say forms and links or something?

Anyone got a solution that works for them in production?

many thanks
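
The aborts described above come from the listener's default handling of a
request that carries neither header. The following is an added example, not
Wicket's code and not code from the thread: a stand-alone, JDK-only model of
the decision CsrfPreventionRequestCycleListener makes for a request that
targets a page. It follows the listener's behaviour: the Origin header is used
first and Referer only as the fallback, a request with neither gets the
"no origin" action, a foreign origin gets the "conflicting origin" action,
origins registered as accepted are always allowed, and both actions default to
ABORT. The class and method names, the target URL and the header sets in
main() are the example's own constructions; the three setters are named after
the listener's setNoOriginAction(CsrfAction), setConflictingOriginAction(CsrfAction)
and addAcceptedOrigin(String). Origin normalisation is simplified to a
lower-cased scheme://host[:port] with default ports dropped.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/** Model of the Origin/Referer check made before a page-targeting request runs. */
public final class OriginCheckModel {

    public enum CsrfAction { ABORT, SUPPRESS, ALLOW }
    public enum Reason { MATCHING_ORIGIN, ACCEPTED_ORIGIN, CONFLICTING_ORIGIN, NO_ORIGIN }

    public static final class Decision {
        public final Reason reason;
        public final CsrfAction action;
        Decision(Reason reason, CsrfAction action) { this.reason = reason; this.action = action; }
        @Override public String toString() { return reason + " -> " + action; }
    }

    private CsrfAction noOriginAction = CsrfAction.ABORT;          // listener default
    private CsrfAction conflictingOriginAction = CsrfAction.ABORT; // listener default
    private final Set<String> acceptedOrigins = new HashSet<>();

    public void setNoOriginAction(CsrfAction action) { noOriginAction = action; }
    public void setConflictingOriginAction(CsrfAction action) { conflictingOriginAction = action; }
    public void addAcceptedOrigin(String origin) { acceptedOrigins.add(normalize(origin)); }

    /** Origin wins; Referer is consulted only when Origin is absent or empty. */
    static String sourceUri(Map<String, String> headers) {
        for (String name : new String[] { "Origin", "Referer" }) {
            String value = headers.get(name);
            if (value != null && !value.trim().isEmpty()) {
                return value.trim();
            }
        }
        return null;
    }

    /** Reduce a URL to lower-case scheme://host[:port]; null if it has no scheme or host. */
    static String normalize(String uri) {
        try {
            URI u = new URI(uri);
            if (u.getScheme() == null || u.getHost() == null) {
                return null;
            }
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            boolean defaultPort = port == -1
                || ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT)
                + (defaultPort ? "" : ":" + port);
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Decide for one request, given the URL being posted to and its request headers. */
    public Decision check(String requestUrl, Map<String, String> headers) {
        String source = sourceUri(headers);
        if (source == null) {
            return new Decision(Reason.NO_ORIGIN, noOriginAction);   // Wayne's 30-a-day case
        }
        String src = normalize(source);
        if (src != null && acceptedOrigins.contains(src)) {
            return new Decision(Reason.ACCEPTED_ORIGIN, CsrfAction.ALLOW);
        }
        if (src != null && src.equals(normalize(requestUrl))) {
            return new Decision(Reason.MATCHING_ORIGIN, CsrfAction.ALLOW);
        }
        // A foreign or unparseable source cannot prove same-origin: treat as conflicting.
        return new Decision(Reason.CONFLICTING_ORIGIN, conflictingOriginAction);
    }

    /** Case-insensitive header map built from name/value pairs (constructed test input). */
    private static Map<String, String> headers(String... nameValuePairs) {
        Map<String, String> m = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i + 1 < nameValuePairs.length; i += 2) {
            m.put(nameValuePairs[i], nameValuePairs[i + 1]);
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed target: a form-submit URL on the application's own host.
        String target = "https://app.example.com/wicket/page?3-1.IFormSubmitListener-signInForm";
        OriginCheckModel model = new OriginCheckModel();

        System.out.println("same-origin POST:  " + model.check(target, headers("Origin", "https://app.example.com")));
        System.out.println("cross-site POST:   " + model.check(target, headers("Referer", "https://evil.example/attack.html")));
        System.out.println("no Origin/Referer: " + model.check(target, headers()));

        // The setting that makes the aborts go away. It also admits a cross-site POST from
        // an attacker page that suppresses Referer whenever the victim's browser adds no
        // Origin header, so it trades CSRF coverage for compatibility.
        model.setNoOriginAction(CsrfAction.ALLOW);
        System.out.println("no headers, ALLOW: " + model.check(target, headers()));
    }
}
```

The first run prints NO_ORIGIN -> ABORT for the header-less request, which is
what fills the production log; after setNoOriginAction(ALLOW) the same request
is accepted without any evidence of where it came from. SUPPRESS, the middle
ground the listener offers, drops the targeted action without aborting the
request. Only a token carried in the form itself removes the dependence on
these headers altogether.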