Hello,

I'm migrating from wicket 1.4 to 1.5 and I am looking to port the cross-site
request forgery (CSRF) protection from wicket 1.4.

In 1.4, the recommended way[1] is to use CryptedUrlWebRequestCodingStrategy:

// MyWebApplication.java
// Imports assumed for the 1.4 snippet: the snippet is part of a WebApplication subclass.
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor()
    {
        return new WebRequestCycleProcessor()
        {
            // Wrap the default coding strategy so that URLs (including form
            // submit URLs) are encrypted and cannot be forged by a third-party site.
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy()
            {
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }

In 1.5, this has been removed and we're asked to use
org.apache.wicket.request.mapper.CryptoMapper[2]
instead:

// MyWebApplication.java
// Imports assumed for the 1.5 snippet: the snippet is part of a WebApplication subclass.
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.mapper.CryptoMapper;

    @Override
    protected void init()
    {
        ...
        mountPage("login", LoginPage.class);
        ...
        // must be last call in init(): wrap the whole mapper chain, mounts included
        IRequestMapper cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
        setRootRequestMapper(cryptoMapper);
    }

While this solves the CSRF problem, there is a big issue with this: there
is no longer a page mapped to "login". If this were a quickstart,
http://localhost:8080/login would give a 404.

In wicket 1.4, LoginPage would be accessible via http://localhost:8080/login,
and any other page similarly mounted would give a friendly URL if you
landed on it. The only time anything would be encrypted would be during
form posts, which was perfect because that was the only time I'd need it.

In wicket 1.5, is there a way to bring this behavior back? Or am I doing
something wrong? Or is there another recommended way of protecting against
CSRF attacks?

Thanks for any help,

- Dan

[1] From comments in https://issues.apache.org/jira/browse/WICKET-1885
[2] https://cwiki.apache.org/WICKET/migration-to-wicket-15.html#MigrationtoWicket1.5-Listofrenamedclassesandmethods
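One way to get the 1.4 behaviour described in the question (readable mounted URLs, encrypted form-submit URLs) on top of CryptoMapper, as an added example that is not part of the original thread and not code from the Wicket project. It assumes the Wicket 1.5 IRequestMapper contract (mapRequest, mapHandler, getCompatibilityScore), that listener URLs such as form submits carry their page id and listener name as query parameters while a bare bookmarkable mount has none, and that "login" is the only mount to keep readable; the class name SelectiveCryptoMapper is hypothetical and LoginPage is the page from the question.

```java
import java.util.List;

import org.apache.wicket.Application;
import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.mapper.CryptoMapper;

// Hypothetical root mapper: routes the bare "login" mount through the plain
// mapper chain and everything else (including form submits) through CryptoMapper.
public class SelectiveCryptoMapper implements IRequestMapper
{
    private final IRequestMapper plain;   // the mapper chain that holds the page mounts
    private final IRequestMapper crypted; // CryptoMapper wrapping that same chain
    private final String exemptMount;     // first URL segment that stays readable

    public SelectiveCryptoMapper(IRequestMapper plain, Application application, String exemptMount)
    {
        this.plain = plain;
        this.crypted = new CryptoMapper(plain, application);
        this.exemptMount = exemptMount;
    }

    // Only the bare bookmarkable URL is exempt: first segment matches and there
    // are no query parameters. Listener URLs (form submits, link clicks) carry
    // query parameters and therefore always go through the encrypting mapper.
    private boolean isExempt(Url url)
    {
        List<String> segments = url.getSegments();
        return !segments.isEmpty()
            && exemptMount.equals(segments.get(0))
            && url.getQueryParameters().isEmpty();
    }

    @Override
    public IRequestHandler mapRequest(Request request)
    {
        if (isExempt(request.getUrl()))
        {
            return plain.mapRequest(request);
        }
        return crypted.mapRequest(request);
    }

    @Override
    public Url mapHandler(IRequestHandler requestHandler)
    {
        // Ask the plain chain what URL it would render; keep it only for the exempt mount.
        Url url = plain.mapHandler(requestHandler);
        if (url != null && isExempt(url))
        {
            return url;
        }
        return crypted.mapHandler(requestHandler);
    }

    @Override
    public int getCompatibilityScore(Request request)
    {
        return isExempt(request.getUrl())
            ? plain.getCompatibilityScore(request)
            : crypted.getCompatibilityScore(request);
    }
}

// Wiring, replacing the setRootRequestMapper() call shown in the question.
class MyWebApplication extends WebApplication
{
    @Override
    public Class<? extends Page> getHomePage()
    {
        return LoginPage.class; // LoginPage is the page class from the question
    }

    @Override
    protected void init()
    {
        super.init();
        mountPage("login", LoginPage.class);
        // must be last call in init(): wrap the complete mapper chain, mounts included
        setRootRequestMapper(new SelectiveCryptoMapper(getRootRequestMapper(), this, "login"));
    }
}
```

With this wiring http://localhost:8080/login resolves to LoginPage again, while the URL the login form posts to is still produced by CryptoMapper, so a third-party page cannot construct it. Before relying on it, check how the CryptoMapper of the exact Wicket version in use treats an incoming listener URL that was not encrypted at all; if it falls back to mapping the plain URL, the CSRF protection comes only from the wrapped mapper rejecting unknown page ids, not from the encryption.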
