Use the CsrfPreventionRequestCycleListener. It checks the Origin
header and prevents requests from untrusted origins, which the
CryptoMapper doesn't do. That just encrypts the URLs, making them hard
to guess, but doesn't prevent anyone from calling such a URL from a
different origin.

Martijn


On Fri, Oct 30, 2015 at 4:41 PM, Mihir Chhaya <mihir.chh...@gmail.com> wrote:
> Hello,
>
> I have read Wicket CSRF related posts on wicket forum before posting this
> question.
> I could not find one with detail I am looking for. If I have missed any,
> please redirect me to the link.
>
> I am looking into CSRF and Wicket 7 default settings. Everything seems fine
> with use of CryptoMapper (which by default uses
> KeyInSessionSunJceCryptFactory) to handle CSRF attack.
>
> But I am not sure if Wicket still prevents against CSRF if CryptoMapper is
> not used. Does the default mapper inherently use
> KeyInSessionSunJceCryptFactory? The documentation says
> KeyInSessionSunJceCryptFactory is the default only for ICrypt implementation
> objects. If not, then should one use CsrfPreventionRequestCycleListener?
>
> If a default anti-CSRF mechanism is already set, like CryptoMapper, which Wicket
> source class can I look into for better understanding?
>
> Thanks in advance,
> -Mihir.



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
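Putting the reply above into code: an added example (not from the thread or the Wicket project) showing a Wicket 7 `WebApplication` that registers `CsrfPreventionRequestCycleListener` with explicit actions and, separately, keeps `CryptoMapper` for URL obfuscation. `HomePage` and the `partner.example.com` origin are hypothetical.

```java
import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;

public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical home page class
    }

    @Override
    public void init() {
        super.init();

        // Origin check for state-changing requests (form submits, AJAX,
        // listener links): the Origin header, or Referer as fallback, must
        // match this application's own origin or an explicitly accepted one.
        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener();

        // A request from a different origin is aborted with an HTTP error
        // rather than silently suppressed, so the attempt shows up in logs.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);
        csrf.setErrorCode(400);

        // Requests carrying neither Origin nor Referer cannot be verified;
        // decide explicitly (here: reject) instead of relying on the default.
        csrf.setNoOriginAction(CsrfAction.ABORT);

        // Hypothetical partner site that legitimately posts to this app.
        csrf.addAcceptedOrigin("partner.example.com");

        getRequestCycleListeners().add(csrf);

        // CryptoMapper only encrypts URLs; it is not an origin check, but the
        // two can be combined.
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
    }
}
```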
