That works, thanks!
On Tue, Dec 6, 2011 at 1:06 AM, Martin Grigorov <[email protected]> wrote:

> Hi,
>
> See https://issues.apache.org/jira/browse/WICKET-4140
> There is a quickstart that shows how to do it.
>
> On Mon, Dec 5, 2011 at 11:40 PM, Dan Alvizu <[email protected]> wrote:
> > Hello,
> >
> > I'm migrating from wicket 1.4 to 1.5 and I am looking to port the cross
> > site request forgery (CSRF) protection from wicket 1.4.
> >
> > In 1.4, the recommended way[1] is to use CryptedUrlWebRequestCodingStrategy:
> >
> > // MyWebApplication.java
> >
> > @Override
> > protected IRequestCycleProcessor newRequestCycleProcessor()
> > {
> >     return new WebRequestCycleProcessor()
> >     {
> >         protected IRequestCodingStrategy newRequestCodingStrategy()
> >         {
> >             return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
> >         }
> >     };
> > }
> >
> > In 1.5, this has been removed and we're asked to use
> > org.apache.wicket.request.mapper.CryptoMapper[2] instead:
> >
> > // MyWebApplication.java
> > @Override
> > protected void init()
> > {
> >     ...
> >     mountPage("login", LoginPage.class);
> >     ...
> >     // must be last call in init()
> >     IRequestMapper cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
> >     setRootRequestMapper(cryptoMapper);
> > }
> >
> > While this solves the CSRF problem, there is a big issue with this: there
> > is no longer a page mapped to "login". If this were a quickstart,
> > http://localhost:8080/login gives a 404.
> >
> > In wicket 1.4, LoginPage would be accessible via http://localhost:8080/login,
> > and any other page similarly mounted would give a friendly URL if you
> > landed on it. The only time anything would be encrypted would be during
> > form posts, which was perfect because that was the only time I'd need it.
> >
> > In wicket 1.5, is there a way to bring this behavior back? Or am I doing
> > something wrong? Or is there another recommended way of protecting against
> > CSRF attacks?
> >
> > Thanks for any help,
> >
> > - Dan
> >
> > [1] From comments in https://issues.apache.org/jira/browse/WICKET-1885
> > [2] https://cwiki.apache.org/WICKET/migration-to-wicket-15.html#MigrationtoWicket1.5-Listofrenamedclassesandmethods
>
> --
> Martin Grigorov
> jWeekend
> Training, Consulting, Development
> http://jWeekend.com
