On Tue, May 28, 2013 at 11:03 AM, Magnus K Karlsson <[email protected]> wrote:

> Thanks for your fast reply!
>
> I have tested CryptoMapper, but as far as I can see the CryptoMapper does
> not return a unique URL for each session, as suggested by OWASP
>

The session id is used to encrypt/decrypt the url segment. If you make a
request with an encrypted url from a new browser it won't let you in.

> "The synchronizer token pattern requires the generating of random
> "challenge" tokens that are associated with the user's current session."
>
> Is this correct?
>
> If yes, is there any way to accomplish this?
>
>
> 2013/5/28 Martin Grigorov <[email protected]>
>
> > Hi,
> >
> >
> > On Tue, May 28, 2013 at 10:32 AM, Magnus K Karlsson <
> > [email protected]> wrote:
> >
> > > Hi,
> > >
> > > I'm looking for protection against CSRF and found an old issue for
> > > Apache Wicket 1.3.4.
> > >
> > > https://issues.apache.org/jira/browse/WICKET-1782
> > >
> > > And as far as I have understood, Apache Wicket does not support the
> > > Synchronizer Token Pattern, as suggested at
> > >
> > > https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
> > >
> > > but Apache Wicket 1.3 did support CryptedUrlWebRequestCodingStrategy.
> > > So now my question.
> > >
> > > - Does Apache Wicket 6 support CryptedUrlWebRequestCodingStrategy? I cannot
> > > find the CryptedUrlWebRequestCodingStrategy class. If the class has been
> > > renamed, please submit an example of how to use this new class.
> > >
> >
> > IRequestCodingStrategy has been reworked to IRequestMapper in Wicket 1.5.0.
> > The class you need is CryptoMapper.
> > Please have a look at
> > https://cwiki.apache.org/confluence/display/WICKET/Request+mapping#Requestmapping-CryptoMapper
> >
> >
> > > - Does Apache Wicket 6 support any other solution to hinder CSRF?
> > >
> > >
> > > --
> > > Best regards
> > > Magnus K Karlsson
> > >
> > > Mobile: +46 (0)70 218 00 84
> > > Email: [email protected]
> > > Blog: magnus-k-karlsson.blogspot.com
> > >
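An added example, not code from the thread or from the Wicket project, showing how the CryptoMapper that Martin points at is installed in a Wicket 6 application as a replacement for the old CryptedUrlWebRequestCodingStrategy. The package names are the Wicket 6 ones (org.apache.wicket.core.*), MyApplication and MyHomePage are placeholder names, and the use of KeyInSessionSunJceCryptFactory is my assumption about how to get a per-session encryption key instead of the factory Wicket configures by default:

```java
// Added example (not from the thread or the Wicket project): a Wicket 6
// WebApplication that installs CryptoMapper as the root request mapper,
// so every URL Wicket renders is encrypted and decrypted on the way back in.
// Assumptions: Wicket 6 package layout (org.apache.wicket.core.*), and
// MyHomePage is a placeholder for the application's real home page class.
package com.example;

import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestMapper;

public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return MyHomePage.class; // placeholder page class for this example
    }

    @Override
    public void init() {
        super.init();

        // Assumption: the crypt factory Wicket configures by default uses one
        // key shared by every session, so an encrypted URL lifted from one
        // browser would still decrypt in another. KeyInSessionSunJceCryptFactory
        // generates a key per session and keeps it in the session, which is
        // what binds the encrypted URL to the session the thread talks about.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());

        // Wrap whatever root mapper Wicket has already installed (mounted
        // pages, resources, bookmarkable pages) so existing mappings keep
        // working; only the rendered URLs change, to their encrypted form.
        IRequestMapper rootMapper = getRootRequestMapper();
        setRootRequestMapper(new CryptoMapper(rootMapper, this));
    }
}
```

Once this is in place, a request whose URL was encrypted under one session's key cannot be decrypted in a different session, which is the behaviour Martin describes. It does not by itself produce the per-request "challenge" token that the OWASP synchronizer token pattern quoted in the thread asks for; whether the encrypted URL is an acceptable substitute is the question the thread leaves open, and this code does not settle it.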
