Hi,

See https://issues.apache.org/jira/browse/WICKET-4140
There is a quickstart that shows how to do it.

On Mon, Dec 5, 2011 at 11:40 PM, Dan Alvizu <dalv...@pingidentity.com> wrote:
> Hello,
>
> I'm migrating from Wicket 1.4 to 1.5 and I am looking to port the cross
> site request forgery (CSRF) protection from Wicket 1.4.
>
> In 1.4, the recommended way[1] is to use CryptedUrlWebRequestCodingStrategy:
>
> // MyWebApplication.java
>
>    @Override
>    protected IRequestCycleProcessor newRequestCycleProcessor()
>    {
>        return new WebRequestCycleProcessor()
>        {
>            protected IRequestCodingStrategy newRequestCodingStrategy()
>            {
>                return new CryptedUrlWebRequestCodingStrategy(
>                        new WebRequestCodingStrategy());
>            }
>        };
>    }
>
> In 1.5, this has been removed and we're asked to use
> org.apache.wicket.request.mapper.CryptoMapper[2]
> instead:
>
> // MyWebApplication.java
>    @Override
>    protected void init()
>    {
>        ...
>        mountPage("login", LoginPage.class);
>        ...
>        // must be last call in init()
>        IRequestMapper cryptoMapper =
>                new CryptoMapper(getRootRequestMapper(), this);
>        setRootRequestMapper(cryptoMapper);
>    }
>
> While this solves the CSRF problem, there is a big issue with this: there
> is no longer a page mapped to "login". If this were a quickstart,
> http://localhost:8080/login gives a 404.
>
> In Wicket 1.4, LoginPage would be accessible via http://localhost:8080/login,
> and any other page similarly mounted would give a friendly URL if you
> landed on it. The only time anything would be encrypted would be during
> form posts, which was perfect because that was the only time I'd need it.
>
> In Wicket 1.5, is there a way to bring this behavior back? Or am I doing
> something wrong? Or is there another recommended way of protecting against
> CSRF attacks?
>
> Thanks for any help,
>
> - Dan
>
> [1]
> From comments in https://issues.apache.org/jira/browse/WICKET-1885
> [2]
> https://cwiki.apache.org/WICKET/migration-to-wicket-15.html#MigrationtoWicket1.5-Listofrenamedclassesandmethods



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
