Hmm, for me it doesn't work.

I mount the pages via:

this.mount("/pages/secure", PackageName.forClass(this.getHomePage()));

If I try to access the page from machine B with the same jessionid as machine 
A, then I get redirected to LoginPage.



-----Urspr√ľngliche Nachricht-----
Von: Andrew Turner [mailto:grim_toas...@hotmail.com] 
Gesendet: Mittwoch, 2. Dezember 2009 10:24
An: users@wicket.apache.org
Betreff: Session stealing with wicket-auth-roles



Good morning all,

I'm hoping I've misconfigured something in my application, but we seem to be 
prone to session stealing in our wicket application.  We're using 
wicket-auth-roles to provide the security, and if you are able to access the 
jsessionid you can get another machine to log straight into the application as 
the intercepted user.  We're using HTTPS for the communication, so hopefully 
the likelihood of this occurring is quite small, but we are still being forced 
to contemplate rewriting the security layer (which I want to avoid if possible).

So, my question, have I misconfigured something, or is it just not possible to 
prevent this sort of attack when using wicket-auth-roles?

I've managed to create a completely stripped-down app that still has the 
problem, below is the AuthenticatedWhenSession implementation.

public class HelloWorldWebSession extends AuthenticatedWebSession {
    public HelloWorldWebSession(Request request) { super(request); }
    public boolean authenticate(String username, String password) { return 
"helloUser".equals(username) && "password".equals(password); }
    public Roles getRoles() { return isSignedIn() ? new Roles(Roles.USER) : 
null; }
}

And the simple page:

@AuthorizeInstantiation("USER")
public class HelloWorldHomePage extends WebPage { }

And the application:

public class HelloWorldApplication extends AuthenticatedWebApplication {
    protected void init() {
        super.init();
        mountBookmarkablePage("home", HelloWorldHomePage.class);
        mountBookmarkablePage("signin", SignInPage.class);
    }

    protected Class<? extends WebPage> getSignInPageClass() { return 
SignInPage.class; }
    protected Class<? extends AuthenticatedWebSession> getWebSessionClass() { 
return HelloWorldWebSession.class; }
    public Class<? extends Page> getHomePage() { return 
HelloWorldHomePage.class; }
}

The URL below, once logged in on one machine, could then be used on multiple 
machines to bypass the security layer.

http://localhost:9090/HelloWorld/home;jsessionid=<SESSION_ID_TAKEN_FROM_URL/COOKIE>

Many Thanks
Andy

                                          
_________________________________________________________________
Add your Gmail and Yahoo! Mail email accounts into Hotmail - it's easy
http://clk.atdmt.com/UKM/go/186394592/direct/01/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Reply via email to