Thanks for your fast reply!

I have tested CryptoMapper, but as far as I can see CryptoMapper does
not return a unique URL for each session, as suggested by OWASP:

"The synchronizer token pattern requires the generating of random
"challenge" tokens that are associated with the user's current session."

Is this correct?

If yes, is there any way to accomplish this?


2013/5/28 Martin Grigorov <[email protected]>

> Hi,
>
>
> On Tue, May 28, 2013 at 10:32 AM, Magnus K Karlsson <
> [email protected]> wrote:
>
> > Hi,
> >
> > I'm looking for protection against CSRF and found an old issue for
> > Apache Wicket 1.3.4.
> >
> > https://issues.apache.org/jira/browse/WICKET-1782
> >
> > As far as I have understood, Apache Wicket does not support the
> > Synchronizer Token Pattern, as suggested at
> >
> > https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
> >
> > but Apache Wicket 1.3 did support CryptedUrlWebRequestCodingStrategy,
> > so now my question.
> >
> > - Does Apache Wicket 6 support CryptedUrlWebRequestCodingStrategy? I cannot
> > find the CryptedUrlWebRequestCodingStrategy class. If the class has been
> > renamed, please submit an example of how to use this new class.
> >
>
> IRequestCodingStrategy has been reworked to IRequestMapper in Wicket 1.5.0.
> The class you need is CryptoMapper.
> Please have a look at
>
> https://cwiki.apache.org/confluence/display/WICKET/Request+mapping#Requestmapping-CryptoMapper
>
>
> >
> > - Does Apache Wicket 6 support any other solution to hinder CSRF?
> >
> >
> >
> >
> > --
> > Best regards
> > Magnus K Karlsson
> >
> > Mobile: +46 (0)70 218 00 84
> > Email: [email protected]
> > Blog: magnus-k-karlsson.blogspot.com
> >
>



-- 
Best regards
Magnus K Karlsson

Mobile: +46 (0)70 218 00 84
Email: [email protected]
Blog: magnus-k-karlsson.blogspot.com
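The CryptoMapper setup discussed in this thread, as an added example that is not code from the thread or from the Wicket project; it assumes a Wicket 6 application with a hypothetical HomePage class in the same package, and uses KeyInSessionSunJceCryptFactory so that the encryption key (and therefore every encrypted URL) is generated per HTTP session rather than shared application-wide:

```java
import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;

// Hypothetical application class for this example; HomePage is assumed to
// exist in the same package.
public class CryptoMapperApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }

    @Override
    public void init() {
        super.init();

        // Generate the URL-encryption key per session and keep it in the
        // HTTP session. With a single application-wide key, encrypted URLs
        // look the same for every user; with a per-session key a URL
        // obtained in one session does not decrypt in another.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());

        // Wrap the root mapper so all generated URLs (page, listener and
        // form-submit URLs) are encrypted with the session's key.
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
    }
}
```

Encrypted URLs make the action parameters unguessable for a third-party site, which is a different mechanism from a per-request synchronizer token embedded in each form; the two can be combined if the latter is required.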
