Hi,

See https://issues.apache.org/jira/browse/WICKET-4140
There is a quickstart that shows how to do it.

On Mon, Dec 5, 2011 at 11:40 PM, Dan Alvizu <dalv...@pingidentity.com> wrote:
> Hello,
>
> I'm migrating from wicket 1.4 to 1.5 and I am looking to port the cross
> site request forgery (CSRF) protection from wicket 1.4.
>
> In 1.4, the recommended way[1] is to use CryptedUrlWebRequestCodingStrategy:
>
>     // MyWebApplication.java
>
>     @Override
>     protected IRequestCycleProcessor newRequestCycleProcessor()
>     {
>         return new WebRequestCycleProcessor()
>         {
>             protected IRequestCodingStrategy newRequestCodingStrategy()
>             {
>                 return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
>             }
>         };
>     }
>
> In 1.5, this has been removed and we're asked to use
> org.apache.wicket.request.mapper.CryptoMapper[2] instead:
>
>     // MyWebApplication.java
>     @Override
>     protected void init()
>     {
>         ...
>         mountPage("login", LoginPage.class);
>         ...
>         // must be last call in init()
>         IRequestMapper cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
>         setRootRequestMapper(cryptoMapper);
>     }
>
> While this solves the CSRF problem, there is a big issue with this: there
> is no longer a page mapped to "login". If this were a quickstart,
> http://localhost:8080/login gives a 404.
>
> In wicket 1.4, LoginPage would be accessible via http://localhost:8080/login,
> and any other page similarly mounted would give a friendly URL if you
> landed on it. The only time anything would be encrypted would be during
> form posts, which was perfect because that was the only time I'd need it.
>
> In wicket 1.5, is there a way to bring this behavior back? Or am I doing
> something wrong? Or is there another recommended way of protecting against
> CSRF attacks?
>
> Thanks for any help,
>
> - Dan
>
> [1] From comments in https://issues.apache.org/jira/browse/WICKET-1885
> [2] https://cwiki.apache.org/WICKET/migration-to-wicket-15.html#MigrationtoWicket1.5-Listofrenamedclassesandmethods

--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com