Martijn, this solution is correct, but I repeat what I said in post [1]... Wicket is a framework where you can implement an easy solution, but I would prefer that these types of solutions were distributed by default!
[1] http://www.nabble.com/Security-Features-offered-by-Wicket-to15738864.html#a15738864

Arthur

Martijn Dashorst wrote:
> This assumes that the hacker correctly guesses the application key
> (which you of course changed from the default setting), or has access
> to your application to harvest URLs.
>
> Making the SunJceCrypt user specific is as simple as:
>
> new SunJceCrypt() {
>     @Override public String getKey() {
>         return MySession.get().getUserKey();
>     }
> }
>
> And all you have to do is implement your own user key generation that
> generates a key based on some random information and is constant
> throughout the session (e.g. md5 sum of a salt + Random.nextInt).
>
> Martijn
>
> On Thu, Aug 7, 2008 at 11:28 AM, Arthur Ahiceh <[EMAIL PROTECTED]> wrote:
>>
>> ok! you have not used the word "easily", only saying "There are more
>> hardening options such as encrypting urls", but it makes it seem that by
>> encrypting urls the problem is solved, and it is not the case! The user has
>> to implement a custom security factory, one different from the one provided
>> by Wicket (SunJceCrypt), to resolve CSRF.
>>
>> Erik van Oosten wrote:
>>>
>>> Arthur Ahiceh wrote:
>>>>>> 4. Yes. See mailing list for earlier answers. There are more
>>>>>> hardening options such as encrypting urls.
>>>>
>>>> Even encrypting the urls, Wicket is vulnerable to CSRF because the key
>>>> used to encrypt is shared by all users of the application. Wicket is an
>>>> extensible framework where you can add some new functionality "easily",
>>>> but it doesn't provide any secure solution by default to protect you
>>>> against CSRF attacks!
>>>
>>> Correct indeed. Also note, I did not use the word 'easily' :)
>>>
>>> Regards,
>>> Erik.
>>>
>>> --
>>> Erik van Oosten
>>> http://day-to-day-stuff.blogspot.com/
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Questions-about-wicket-features-tp18857860p18866928.html
>> Sent from the Wicket - User mailing list archive at Nabble.com.
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
> Apache Wicket 1.3.4 is released
> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.

--
View this message in context: http://www.nabble.com/Questions-about-wicket-features-tp18857860p18870094.html
Sent from the Wicket - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
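The per-session key that Martijn's quoted snippet relies on, written out as an added example (not code from the thread or from Wicket itself). It assumes the Wicket 1.3 API (WebSession(Request), SunJceCrypt.getKey(), ICryptFactory, ISecuritySettings.setCryptFactory); MySession, getUserKey, PerSessionCryptFactory and toHex are hypothetical names, and the key is drawn from SecureRandom rather than the md5-of-Random.nextInt suggested in the quote, so a URL harvested from one session does not decrypt in another user's session.

```java
import java.security.SecureRandom;

import org.apache.wicket.Request;
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.crypt.ICryptFactory;
import org.apache.wicket.util.crypt.SunJceCrypt;

/** Session that owns one random key for its whole lifetime (hypothetical class). */
public class MySession extends WebSession {
    private static final SecureRandom RNG = new SecureRandom();
    private final String userKey;

    public MySession(Request request) {
        super(request);
        // 16 random bytes, hex-encoded: generated once, constant until the session ends.
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        userKey = toHex(raw);
    }

    public static MySession get() {
        return (MySession) Session.get();
    }

    /** Per-session key used in place of the application-wide default key. */
    public String getUserKey() {
        return userKey;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Factory that binds every ICrypt to the key of the session handling the request. */
    public static class PerSessionCryptFactory implements ICryptFactory {
        public ICrypt newCrypt() {
            return new SunJceCrypt() {
                @Override
                public String getKey() {
                    return MySession.get().getUserKey();
                }
            };
        }
    }
}
```

Wire it in from the application's init() with getSecuritySettings().setCryptFactory(new MySession.PerSessionCryptFactory()) and return new MySession(request) from newSession(Request, Response); URL encryption itself is still switched on separately (in 1.3 via CryptedUrlWebRequestCodingStrategy), this only changes which key it uses.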
