Re: Encrypt selected form data before submitting the request to Server
Hi Rob,

Thanks for taking time to reply. And many thanks for the detailed example.
Yes, having the secret rendered makes this approach questionable while using encryption.
But what you've shared will be sufficient if one were to use other techniques like hashing etc.

On Mon, Jan 16, 2017 at 4:18 PM, Rob Audenaerde wrote:

> > Thanks Martin.
> > Hi Rob, your approach looks interesting.
> > Can you please elaborate on that?
>
> Yes. Although I don't really see the point. The secret that is passed on
> will be readable by an attacker if the attacker could otherwise access the
> fields in the form, effectively rendering this 'security by obscurity'. The
> only way around this is to pass the secret by other means to the client and
> have them provide it in the form, or use some other type of PKI (which is
> what HTTPS is supposed to do).
>
> -
>
> I would create a Form with a hidden field and an extra attribute, the
> secret:
>
>     Form secretForm = new Form ( ) { ... };
>
>     secretForm.setOutputMarkupId(true);
>     IModel encodedResult = new Model<>();
>     // The secret is rendered into the form markup as an attribute.
>     secretForm.add(AttributeModifier.append("secret", Model.of("SuperDuperSecret")));
>     secretForm.add(new HiddenField("secret", encodedResult));
>     AjaxButton asb = new AjaxButton("submit")
>     {
>         @Override
>         protected void updateAjaxAttributes( AjaxRequestAttributes attributes )
>         {
>             super.updateAjaxAttributes( attributes );
>             attributes.getAjaxCallListeners().add( new AjaxCallListener()
>             {
>                 @Override
>                 public CharSequence getBeforeHandler( Component component )
>                 {
>                     //I think you should do the encoding here, something with JSON, JQuery,
>                     return "encryptFormToHiddenField( " + secretForm.getMarkupId() + " ) " ;
>                 }
>             } );
>         }
>     };
>     secretForm.add(asb);
>
> In the onSubmit() of the form you can access the contents of the
> encodedResult, use the "SuperDuperSecret" to decode it.
>
> Now that I'm writing it, I think you also want to prevent the other values
> from being sent.. Maybe you could empty the values using JavaScript?
>
> -Rob

--
Thanks & regards
James Selvakumar
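An added illustration, not part of the thread: Rob's point quoted above is that a secret rendered into the form is readable by anyone who can read the form, and that only a public-key scheme avoids this. The sketch below shows that variant with the Web Crypto API; the function names, field names and sample values are hypothetical, and the server half is written in JavaScript only so the round trip runs in one file (in the thread's setting it would sit in the Wicket onSubmit()).

```javascript
// Added example. Function and field names are hypothetical; sample data is constructed.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();
const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Server side (stand-in for the Wicket app): create an RSA-OAEP key pair once.
// Only the public half is rendered into the page, so reading the page
// source yields nothing that decrypts.
async function makeServerKeys() {
  const pair = await wc.subtle.generateKey(
    { name: "RSA-OAEP", modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
    true, ["encrypt", "decrypt"]);
  const spki = await wc.subtle.exportKey("spki", pair.publicKey);
  return { privateKey: pair.privateKey, renderedPublicKey: toB64(spki) };
}

// Browser side, run before the Ajax submit: encrypt the selected fields under
// a fresh AES-GCM key, wrap that key with the server's public key, and blank
// the clear values so they are not sent alongside the ciphertext.
async function sealFields(fields, selected, renderedPublicKey) {
  const pub = await wc.subtle.importKey("spki", fromB64(renderedPublicKey),
    { name: "RSA-OAEP", hash: "SHA-256" }, false, ["encrypt"]);
  const aes = await wc.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const clear = Object.fromEntries(selected.map((k) => [k, fields[k]]));
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, aes, enc.encode(JSON.stringify(clear)));
  const wrapped = await wc.subtle.encrypt(
    { name: "RSA-OAEP" }, pub, await wc.subtle.exportKey("raw", aes));
  const out = { ...fields, sealed: [wrapped, iv, ct].map(toB64).join(".") };
  for (const k of selected) out[k] = "";
  return out;
}

// Server side, in the form's submit handler: unwrap the AES key with the
// private key, then decrypt and authenticate the field values.
async function openFields(submitted, privateKey) {
  const [wrapped, iv, ct] = submitted.sealed.split(".").map(fromB64);
  const raw = await wc.subtle.decrypt({ name: "RSA-OAEP" }, privateKey, wrapped);
  const aes = await wc.subtle.importKey(
    "raw", raw, { name: "AES-GCM" }, false, ["decrypt"]);
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv }, aes, ct);
  return JSON.parse(dec.decode(pt));
}
```

The public key still reaches the browser over the same HTTPS channel, so this only protects the selected values from whoever can read the request after TLS ends, not from someone able to alter the page itself.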
Re: Encrypt selected form data before submitting the request to Server

> Thanks Martin.
> Hi Rob, your approach looks interesting.
> Can you please elaborate on that?

Yes. Although I don't really see the point. The secret that is passed on will be readable by an attacker if the attacker could otherwise access the fields in the form, effectively rendering this 'security by obscurity'. The only way around this is to pass the secret by other means to the client and have them provide it in the form, or use some other type of PKI (which is what HTTPS is supposed to do).

-

I would create a Form with a hidden field and an extra attribute, the secret:

    Form secretForm = new Form ( ) { ... };

    secretForm.setOutputMarkupId(true);
    IModel encodedResult = new Model<>();
    // The secret is rendered into the form markup as an attribute.
    secretForm.add(AttributeModifier.append("secret", Model.of("SuperDuperSecret")));
    secretForm.add(new HiddenField("secret", encodedResult));
    AjaxButton asb = new AjaxButton("submit")
    {
        @Override
        protected void updateAjaxAttributes( AjaxRequestAttributes attributes )
        {
            super.updateAjaxAttributes( attributes );
            attributes.getAjaxCallListeners().add( new AjaxCallListener()
            {
                @Override
                public CharSequence getBeforeHandler( Component component )
                {
                    //I think you should do the encoding here, something with JSON, JQuery,
                    return "encryptFormToHiddenField( " + secretForm.getMarkupId() + " ) " ;
                }
            } );
        }
    };
    secretForm.add(asb);

In the onSubmit() of the form you can access the contents of the encodedResult, use the "SuperDuperSecret" to decode it.

Now that I'm writing it, I think you also want to prevent the other values from being sent.. Maybe you could empty the values using JavaScript?

-Rob
Re: Encrypt selected form data before submitting the request to Server
Hi Rob,

On Mon, Jan 16, 2017 at 8:46 AM, Rob Audenaerde wrote:

> Ah you wrote about the synchronous ajax at the same time as my message :)

I should have explained in my first answer! The thing is that any asynchronous way to get the key will fail due to timing issues.

> (and sorry for the typo in your name, Martin!)

No problem! I have made much bigger mistakes with the help of spell corrections / auto-suggest :-)

> On Mon, Jan 16, 2017 at 8:45 AM, Rob Audenaerde wrote:
>
> > @Marin I thought synchronous Ajax is actively discouraged now? Or is it
> > supported through webworkers now? (see:
> > https://xhr.spec.whatwg.org/#the-open()-method )
> >
> > I would just generate a random secret the moment the form is rendered.
> > Then, in javascript, you can use your favorite symmetric block cipher to
> > replace the values/encode them in json (for example in a hidden field).
> > Server side you do the reverse
> >
> > -Rob
> >
> > On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar wrote:
> >
> > > Hi Martin,
> > >
> > > Thanks a lot for your response.
> > > Can I add this behavior directly to the form or should this be added to a
> > > form component?
> > > Will this work on Wicket 6.x?
> > >
> > > On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov wrote:
> > >
> > > > Hi,
> > > >
> > > > The easiest way I see is to use onBeforeSend() callback listener on the
> > > > Ajax submit behavior of the form.
> > > > There you can do a **synchronous** Ajax call to get your key and then
> > > > modify (i.e. encrypt) the data to be sent.
> > > >
> > > > Martin Grigorov
> > > > Wicket Training and Consulting
> > > > https://twitter.com/mtgrigorov
> > > >
> > > > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar <ja...@mcruncher.com> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > I have this requirement where some of the data entered by the user are to
> > > > > be encrypted in the client side before the request is submitted to the
> > > > > Wicket server even though the communication is over HTTPS.
> > > > >
> > > > > I am thinking of having some JavaScript code in the client which shall
> > > > > intercept the form submission, request the Server for a randomly generated
> > > > > key and encrypt the form data using the key received and then submit the
> > > > > form again.
> > > > >
> > > > > Any idea how to achieve this in Wicket?
> > > > >
> > > > > --
> > > > > Thanks & regards
> > > > > James
> > >
> > > --
> > > Thanks & regards
> > > James Selvakumar
Re: Encrypt selected form data before submitting the request to Server
Thanks Martin.

Hi Rob, your approach looks interesting.
Can you please elaborate on that?

On Mon, Jan 16, 2017 at 3:46 PM, Rob Audenaerde wrote:

> Ah you wrote about the synchronous ajax at the same time as my message :)
>
> (and sorry for the typo in your name, Martin!)
>
> On Mon, Jan 16, 2017 at 8:45 AM, Rob Audenaerde wrote:
>
> > @Marin I thought synchronous Ajax is actively discouraged now? Or is it
> > supported through webworkers now? (see:
> > https://xhr.spec.whatwg.org/#the-open()-method )
> >
> > I would just generate a random secret the moment the form is rendered.
> > Then, in javascript, you can use your favorite symmetric block cipher to
> > replace the values/encode them in json (for example in a hidden field).
> > Server side you do the reverse
> >
> > -Rob
> >
> > On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar wrote:
> >
> > > Hi Martin,
> > >
> > > Thanks a lot for your response.
> > > Can I add this behavior directly to the form or should this be added to a
> > > form component?
> > > Will this work on Wicket 6.x?
> > >
> > > On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov wrote:
> > >
> > > > Hi,
> > > >
> > > > The easiest way I see is to use onBeforeSend() callback listener on the
> > > > Ajax submit behavior of the form.
> > > > There you can do a **synchronous** Ajax call to get your key and then
> > > > modify (i.e. encrypt) the data to be sent.
> > > >
> > > > Martin Grigorov
> > > > Wicket Training and Consulting
> > > > https://twitter.com/mtgrigorov
> > > >
> > > > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar <ja...@mcruncher.com> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > I have this requirement where some of the data entered by the user are to
> > > > > be encrypted in the client side before the request is submitted to the
> > > > > Wicket server even though the communication is over HTTPS.
> > > > >
> > > > > I am thinking of having some JavaScript code in the client which shall
> > > > > intercept the form submission, request the Server for a randomly generated
> > > > > key and encrypt the form data using the key received and then submit the
> > > > > form again.
> > > > >
> > > > > Any idea how to achieve this in Wicket?
> > > > >
> > > > > --
> > > > > Thanks & regards
> > > > > James
> > >
> > > --
> > > Thanks & regards
> > > James Selvakumar

--
Thanks & regards
James Selvakumar
Re: Encrypt selected form data before submitting the request to Server
Ah you wrote about the synchronous ajax at the same time as my message :)

(and sorry for the typo in your name, Martin!)

On Mon, Jan 16, 2017 at 8:45 AM, Rob Audenaerde wrote:

> @Marin I thought synchronous Ajax is actively discouraged now? Or is it
> supported through webworkers now? (see:
> https://xhr.spec.whatwg.org/#the-open()-method )
>
> I would just generate a random secret the moment the form is rendered.
> Then, in javascript, you can use your favorite symmetric block cipher to
> replace the values/encode them in json (for example in a hidden field).
> Server side you do the reverse
>
> -Rob
>
> On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar wrote:
>
> > Hi Martin,
> >
> > Thanks a lot for your response.
> > Can I add this behavior directly to the form or should this be added to a
> > form component?
> > Will this work on Wicket 6.x?
> >
> > On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov wrote:
> >
> > > Hi,
> > >
> > > The easiest way I see is to use onBeforeSend() callback listener on the
> > > Ajax submit behavior of the form.
> > > There you can do a **synchronous** Ajax call to get your key and then
> > > modify (i.e. encrypt) the data to be sent.
> > >
> > > Martin Grigorov
> > > Wicket Training and Consulting
> > > https://twitter.com/mtgrigorov
> > >
> > > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar wrote:
> > >
> > > > Hi all,
> > > >
> > > > I have this requirement where some of the data entered by the user are to
> > > > be encrypted in the client side before the request is submitted to the
> > > > Wicket server even though the communication is over HTTPS.
> > > >
> > > > I am thinking of having some JavaScript code in the client which shall
> > > > intercept the form submission, request the Server for a randomly generated
> > > > key and encrypt the form data using the key received and then submit the
> > > > form again.
> > > >
> > > > Any idea how to achieve this in Wicket?
> > > >
> > > > --
> > > > Thanks & regards
> > > > James
> >
> > --
> > Thanks & regards
> > James Selvakumar
Re: Encrypt selected form data before submitting the request to Server
@Marin I thought synchronous Ajax is actively discouraged now? Or is it supported through webworkers now? (see: https://xhr.spec.whatwg.org/#the-open()-method )

I would just generate a random secret the moment the form is rendered. Then, in javascript, you can use your favorite symmetric block cipher to replace the values/encode them in json (for example in a hidden field). Server side you do the reverse

-Rob

On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar wrote:

> Hi Martin,
>
> Thanks a lot for your response.
> Can I add this behavior directly to the form or should this be added to a
> form component?
> Will this work on Wicket 6.x?
>
> On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov wrote:
>
> > Hi,
> >
> > The easiest way I see is to use onBeforeSend() callback listener on the
> > Ajax submit behavior of the form.
> > There you can do a **synchronous** Ajax call to get your key and then
> > modify (i.e. encrypt) the data to be sent.
> >
> > Martin Grigorov
> > Wicket Training and Consulting
> > https://twitter.com/mtgrigorov
> >
> > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar wrote:
> >
> > > Hi all,
> > >
> > > I have this requirement where some of the data entered by the user are to
> > > be encrypted in the client side before the request is submitted to the
> > > Wicket server even though the communication is over HTTPS.
> > >
> > > I am thinking of having some JavaScript code in the client which shall
> > > intercept the form submission, request the Server for a randomly generated
> > > key and encrypt the form data using the key received and then submit the
> > > form again.
> > >
> > > Any idea how to achieve this in Wicket?
> > >
> > > --
> > > Thanks & regards
> > > James
>
> --
> Thanks & regards
> James Selvakumar
Re: Encrypt selected form data before submitting the request to Server
Hi,

I'd add it to the AjaxButton that submits the form.
Yes, it should work with 6.x.

I have never used a *synchronous* Ajax call in my apps. This is something that is highly discouraged by everyone (specifications, books, articles, etc.). A synchronous call will make your browser unusable during the call!
But this is the only way I see to get your key during the form submit processing.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar wrote:

> Hi Martin,
>
> Thanks a lot for your response.
> Can I add this behavior directly to the form or should this be added to a
> form component?
> Will this work on Wicket 6.x?
>
> On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov wrote:
>
> > Hi,
> >
> > The easiest way I see is to use onBeforeSend() callback listener on the
> > Ajax submit behavior of the form.
> > There you can do a **synchronous** Ajax call to get your key and then
> > modify (i.e. encrypt) the data to be sent.
> >
> > Martin Grigorov
> > Wicket Training and Consulting
> > https://twitter.com/mtgrigorov
> >
> > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar wrote:
> >
> > > Hi all,
> > >
> > > I have this requirement where some of the data entered by the user are to
> > > be encrypted in the client side before the request is submitted to the
> > > Wicket server even though the communication is over HTTPS.
> > >
> > > I am thinking of having some JavaScript code in the client which shall
> > > intercept the form submission, request the Server for a randomly generated
> > > key and encrypt the form data using the key received and then submit the
> > > form again.
> > >
> > > Any idea how to achieve this in Wicket?
> > >
> > > --
> > > Thanks & regards
> > > James
>
> --
> Thanks & regards
> James Selvakumar
Re: Encrypt selected form data before submitting the request to Server
Hi,

The easiest way I see is to use onBeforeSend() callback listener on the Ajax submit behavior of the form.
There you can do a **synchronous** Ajax call to get your key and then modify (i.e. encrypt) the data to be sent.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar wrote:

> Hi all,
>
> I have this requirement where some of the data entered by the user are to
> be encrypted in the client side before the request is submitted to the
> Wicket server even though the communication is over HTTPS.
>
> I am thinking of having some JavaScript code in the client which shall
> intercept the form submission, request the Server for a randomly generated
> key and encrypt the form data using the key received and then submit the
> form again.
>
> Any idea how to achieve this in Wicket?
>
> --
> Thanks & regards
> James
Encrypt selected form data before submitting the request to Server
Hi all,

I have this requirement where some of the data entered by the user are to be encrypted in the client side before the request is submitted to the Wicket server even though the communication is over HTTPS.

I am thinking of having some JavaScript code in the client which shall intercept the form submission, request the Server for a randomly generated key and encrypt the form data using the key received and then submit the form again.

Any idea how to achieve this in Wicket?

--
Thanks & regards
James