Hi!

I am currently looking into making our Wicket applications CSRF-safe. From my understanding the CryptoMapper is the way to go, and I was able to set it up successfully.

There are, however, several mounted pages in the applications (mounted with WebApplication.mountPage) whose URLs should not be encrypted. This also works fine: the CryptoMapper does not encrypt the URLs to these pages, but that also removes the CSRF protection. E.g. if one of these mounted pages contains a form, the URL to post back the form data is unencrypted and vulnerable to CSRF.

My idea was to not mount pages directly, but instead to mount a Page that redirects to the actual page. That way the page is still reachable with a static URL, but all subsequent requests are properly encrypted.

So instead of:

  webApplication.mountPage("login", LoginPage.class);

Something like this:

  import org.apache.wicket.RestartResponseException;
  import org.apache.wicket.markup.html.WebPage;

  public class LoginPageRedirect extends WebPage {
      @Override
      protected void onInitialize() {
          super.onInitialize();
          // Hand over to the real page; its URLs then go through the CryptoMapper.
          throw new RestartResponseException(LoginPage.class);
      }
  }
  webApplication.mountPage("login", LoginPageRedirect.class);

I did, however, not find anything in the Wicket API that supports this concept, and now I am wondering if there is a better way to do this, e.g. with a server-side redirect.

I would be grateful for any ideas!

Best Regards,
Andreas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
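Putting the pieces together, here is an added example of how the redirect-page approach described above can be wired into a Wicket application class. This is editor-supplied code, not Andreas's snippet and not code from the Wicket project. It assumes Wicket 6.x package names; MyApplication, HomePage, LoginPage and the "login" mount path are placeholders. It differs from the posted snippet in two labelled ways: the redirect is thrown from the page constructor instead of onInitialize(), and the incoming PageParameters are forwarded to the real page.

```java
// Added example (not from the original post or the Wicket project).
// Assumes Wicket 6.x; MyApplication, HomePage, LoginPage and the
// "login" mount path are hypothetical placeholders.
package example;

import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.mapper.parameter.PageParameters;

public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical home page
    }

    @Override
    protected void init() {
        super.init();

        // Use a per-session key for the CryptoMapper. With the default
        // crypt factory one shared key would encrypt every user's URLs,
        // so an attacker could reuse an encrypted URL captured elsewhere.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());

        // Wrap the existing root mapper so the URLs it produces are encrypted.
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

        // Only the bookmarkable entry point gets a readable URL. It contains
        // no form of its own; it just forwards to the (unmounted) LoginPage,
        // whose form and listener URLs are then produced by the CryptoMapper.
        mountPage("login", LoginPageRedirect.class);
    }

    // Static entry point: /login. The page parameters of the incoming request
    // are carried over so that links like /login?return=... keep working.
    public static class LoginPageRedirect extends WebPage {
        public LoginPageRedirect(PageParameters parameters) {
            super(parameters);
            throw new RestartResponseException(LoginPage.class, parameters);
        }
    }
}
```

Two things to check when using this: LoginPage itself must stay unmounted (otherwise its URLs are again produced in the clear), and the redirect page must never render a form or a stateful link, since anything it renders would be reachable through the unencrypted mount.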
