Hi,

Your app fails to start due to:

WARN - AbstractLifeCycle - FAILED org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d: java.lang.IllegalStateException: No LoginService for org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
java.lang.IllegalStateException: No LoginService for org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
    at org.eclipse.jetty.security.authentication.LoginAuthenticator.setConfiguration(LoginAuthenticator.java:44)
    at org.eclipse.jetty.security.authentication.FormAuthenticator.setConfiguration(FormAuthenticator.java:103)
    ...

I see it is prepared for JBoss. I tried to run it with Jetty's Start.java.

Add getSession().bind() before checking the ids.

On Tue, May 28, 2013 at 11:51 AM, Magnus K Karlsson <[email protected]> wrote:

> That is what I'm trying to do. I have created a simple Apache Wicket 6.8.0
> project. I have attached it. I'm not sure if it will be posted to the list.
>
> public class WicketApplication extends WebApplication {
>     ...
>     public void init() {
>         super.init();
>         IRequestMapper cryptoMapper;
>         cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
>         setRootRequestMapper(cryptoMapper);
>     }
>
>     public final HttpServletRequest getHttpServletRequest() {
>         return (HttpServletRequest) getRequest().getContainerRequest();
>     }
>
>     protected final Request getRequest() {
>         RequestCycle requestCycle = RequestCycle.get();
>         if (requestCycle == null) {
>             throw new WicketRuntimeException("No RequestCycle is currently set!");
>         }
>         return requestCycle.getRequest();
>     }
> }
>
> I have two simple web pages that print the session id:
>
> public class ListPersons extends WebPage {
>
>     private static final long serialVersionUID = 1L;
>
>     public ListPersons(final PageParameters parameters) {
>         super(parameters);
>
>         add(new Label("label1", getSession().getId()));
>
>         add(new Label("label2",
>             WicketApplication.get().getHttpServletRequest().getSession().getId()));
>     }
> }
>
> I have enabled security, but I'm not sure if that is necessary; I only
> want to make sure that an HTTP session is created and that they are
> different for the two browsers.
>
> I have two browsers, Firefox and Chrome.
> 1. I log in in the first browser. I can see that I get a session id.
> 2. Then I copy the URL from browser 1 into browser 2.
> 3. And I can open it with the pasted URL. And a new session id is created.
>
> Does this not work on bookmarkable pages? Both my pages have the following
> constructors.
>
>
> 2013/5/28 Martin Grigorov <[email protected]>
>
>> On Tue, May 28, 2013 at 11:03 AM, Magnus K Karlsson <[email protected]> wrote:
>>
>> > Thanks for your fast reply!
>> >
>> > I have tested CryptoMapper, but as far as I can see the CryptoMapper does
>> > not return a unique URL for each session, as suggested by OWASP.
>>
>> The session id is used to encrypt/decrypt the url segment.
>> If you make a request with an encrypted url from a new browser it won't let
>> you in.
>>
>> > "The synchronizer token pattern requires the generating of random
>> > "challenge" tokens that are associated with the user's current session."
>> >
>> > Is this correct?
>> >
>> > If yes, is there any way to accomplish this?
>> >
>> >
>> > 2013/5/28 Martin Grigorov <[email protected]>
>> >
>> > > Hi,
>> > >
>> > > On Tue, May 28, 2013 at 10:32 AM, Magnus K Karlsson <[email protected]> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I'm looking for protection against CSRF and found an old issue for
>> > > > Apache Wicket 1.3.4.
>> > > >
>> > > > https://issues.apache.org/jira/browse/WICKET-1782
>> > > >
>> > > > And as far as I have understood, Apache Wicket does not support the
>> > > > Synchronizer Token Pattern, as suggested at
>> > > >
>> > > > https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
>> > > >
>> > > > but Apache Wicket 1.3 did support CryptedUrlWebRequestCodingStrategy.
>> > > > So now my question.
>> > > >
>> > > > - Does Apache Wicket 6 support CryptedUrlWebRequestCodingStrategy? I cannot
>> > > > find the CryptedUrlWebRequestCodingStrategy class. If the class has been
>> > > > renamed, please submit an example of how to use this new class.
>> > >
>> > > IRequestCodingStrategy has been reworked to IRequestMapper in Wicket 1.5.0.
>> > > The class you need is CryptoMapper.
>> > > Please have a look at
>> > > https://cwiki.apache.org/confluence/display/WICKET/Request+mapping#Requestmapping-CryptoMapper
>> > >
>> > > > - Does Apache Wicket 6 support any other solution to hinder CSRF?
>> > > >
>> > > > --
>> > > > Kind regards
>> > > > Magnus K Karlsson
>> > > >
>> > > > Mobile: +46 (0)70 218 00 84
>> > > > Email: [email protected]
>> > > > Blog: magnus-k-karlsson.blogspot.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
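The two fixes Martin's reply points at, shown together as an added example that is not the project Magnus attached: a Jetty Start class that registers the LoginService the form authenticator is missing, and a Wicket 6 application that installs CryptoMapper and binds the session before the page reads its ids. The realm name, the realm.properties path, the war directory and the class names are assumptions made for the illustration.

```java
// Added example, not the attached project. Realm name, realm.properties path,
// war directory and the application/page class names are assumptions.
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.webapp.WebAppContext;

public class Start {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        WebAppContext context = new WebAppContext();
        context.setContextPath("/");
        context.setWar("src/main/webapp"); // assumed quickstart layout

        // "No LoginService for FormAuthenticator": web.xml declares FORM
        // <login-config>, so Jetty needs a LoginService whose name matches the
        // <realm-name>. JBoss wires one from its own configuration; a bare
        // Jetty Start class has to register it explicitly.
        HashLoginService realm =
            new HashLoginService("WicketRealm", "src/test/jetty/realm.properties");
        context.getSecurityHandler().setLoginService(realm);

        server.setHandler(context);
        server.start();
        server.join();
    }
}

class CsrfDemoApplication extends WebApplication {
    @Override
    public Class<? extends Page> getHomePage() {
        return ListPersons.class;
    }

    @Override
    public void init() {
        super.init();
        // Encrypt every URL. With Wicket's default KeyInSessionSunJceCryptFactory
        // the key is kept in the user's session, so a URL pasted into a second
        // browser (a different session) cannot be decrypted there and is rejected.
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
    }
}

class ListPersons extends WebPage {
    private static final long serialVersionUID = 1L;

    public ListPersons(final PageParameters parameters) {
        super(parameters);

        // A Wicket session starts out temporary and is only stored in the HTTP
        // session once bound. Bind first, so both ids below refer to the same,
        // now permanent, session rather than a throw-away one.
        getSession().bind();

        String wicketSessionId = getSession().getId();
        HttpServletRequest httpRequest =
            (HttpServletRequest) getRequest().getContainerRequest();
        String httpSessionId = httpRequest.getSession().getId();

        add(new Label("label1", wicketSessionId));
        add(new Label("label2", httpSessionId));
    }
}
```

Run `Start` from the IDE as the quickstart does; the realm name passed to HashLoginService must equal the `<realm-name>` in web.xml, otherwise the ConstraintSecurityHandler still fails at startup. After the bind the two labels show the same id, and reloading in a second browser shows a different pair, which is the per-session behaviour the thread is trying to observe.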
