This assumes that the hacker correctly guesses the application key
(which you of course changed from the default setting), or has access
to your application to harvest URLs.
Making the SunJceCrypt user specific is as simple as:
new SunJceCrypt() {
    // Read the key from the current user's session instead of the
    // application-wide encryption key that all users share.
    @Override
    public String getKey() {
        return MySession.get().getUserKey();
    }
}
And all you have to do is implement your own user key generation that
generates a key based on some random information and is constant
throughout the session (e.g. md5 sum of a salt + Random.nextInt).
Martijn
On Thu, Aug 7, 2008 at 11:28 AM, Arthur Ahiceh <[EMAIL PROTECTED]> wrote:
>
>
> ok! you have not used the word "easily" but only saying "There are more
> hardening options such as encrypting urls" it only seems that by encrypting
> urls the problem is solved and it is not the case! The user has to
> implement a custom security factory, one different than provided by Wicket
> (SunJceCrypt), to resolve CSRF.
>
>
> Erik van Oosten wrote:
>>
>>
>> Arthur Ahiceh wrote:
>>>>> 4. Yes. See mailing list for earlier answers. There are more hardening
>>>>> options such as encrypting urls.
>>>>>
>>>
>>> Even encrypting the urls Wicket is vulnerable to CSRF because the key
>>> used
>>> to encrypt is shared by all users of application. Wicket is an extensible
>>> framework where you can add some new functionality "easily" but it
>>> doesn't
>>> provide any secure solution by default to protect you against CSRF
>>> attacks!
>> Correct indeed. Also note, I did not use the word 'easily' :)
>>
>> Regards,
>> Erik.
>>
>> --
>> Erik van Oosten
>> http://day-to-day-stuff.blogspot.com/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>
--
Become a Wicket expert, learn from the best: http://wicketinaction.com
Apache Wicket 1.3.4 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.
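Below is an added, worked version of the per-user key idea from the message above. It is not code from Martijn's mail or from the Wicket project: the class names MySession, MyApplication and HomePage are mine, the key is drawn from SecureRandom rather than the md5(salt + Random.nextInt) construction the mail suggests, and the Wicket 1.3 calls used for the wiring (WebSession(Request), Session.get(), ISecuritySettings.setCryptFactory, ICryptFactory.newCrypt, WebApplication.newRequestCycleProcessor, WebRequestCycleProcessor.newRequestCodingStrategy, CryptedUrlWebRequestCodingStrategy) are as I recall them for that release and should be checked against the version you run.

```java
import java.security.SecureRandom;

import org.apache.wicket.Page;
import org.apache.wicket.Request;
import org.apache.wicket.Response;
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.crypt.ICryptFactory;
import org.apache.wicket.util.crypt.SunJceCrypt;

/** Session carrying a random URL-encryption key that lives exactly as long as the session. */
class MySession extends WebSession {
    private static final SecureRandom RNG = new SecureRandom();
    private final String userKey;

    MySession(Request request) {
        super(request);
        // 16 random bytes, drawn once per session from a CSPRNG (assumed choice, replacing
        // the md5(salt + Random.nextInt) from the mail). The key never leaves the server.
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        userKey = hex.toString();
    }

    String getUserKey() {
        return userKey;
    }

    static MySession get() {
        return (MySession) Session.get();
    }
}

/** Application wiring: encrypted URLs whose key is looked up in the current user's session. */
public class MyApplication extends WebApplication {
    @Override
    protected void init() {
        super.init();
        // Every ICrypt resolves its key at use time from the session, so an encrypted URL
        // harvested in one user's session does not decode, and so cannot be replayed, in another.
        getSecuritySettings().setCryptFactory(new ICryptFactory() {
            public ICrypt newCrypt() {
                return new SunJceCrypt() {
                    @Override
                    public String getKey() {
                        return MySession.get().getUserKey();
                    }
                };
            }
        });
    }

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        // Switch URL encryption on; the coding strategy obtains its ICrypt from the factory above.
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }

    @Override
    public Session newSession(Request request, Response response) {
        return new MySession(request);
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // assumed: your application's home page class
    }
}
```

The trade-off to keep in mind: because the key is bound to the session, encrypted URLs a user bookmarked stop decoding once that session has expired, and the application needs a sensible landing page for such requests. That is the intended behaviour here, since the same property is what denies a harvested URL any value outside the session it was issued in.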