Hi all,

Starting from [this][1] question on Stack Overflow, I'd like to ask one more thing.

I've developed a web application in which Apache Wicket acts as a "REST backend": it only exposes HTTP resources; there is an application, but there are no pages and nothing HTML-related.
All "frontend" is developed in AngularJS.

Now, I need protection against CSRF attacks. AngularJS documentation says:

> To take advantage of this [angular XSRF protection], your server needs to set a
> token in a JavaScript readable session cookie called XSRF-TOKEN on first HTTP GET
> request. On subsequent non-GET requests the server can verify that the
> cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that
> only JavaScript running on your domain could have read the token.


How can I get this token managed by Apache Wicket?

Are there Wicket implementations of such a mechanism?

I found CsrfPreventionRequestCycleListener, but this doesn't protect all requests; it seems to be configured (by default) only to protect ajax requests on components or links. I also found CryptoMapper with KeyInSessionSunJceCryptFactory, but this does not seem to do what I'm looking for. I "just" want to send a token, not to encrypt URLs, but if it guarantees the same protection I'll do that.

I haven't found much in the documentation; can you help me?


[1]: http://stackoverflow.com/questions/29881338/add-csrf-protection-header-to-wicket-ajax-call#new-answer

Best regards,
Andrea
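
The cookie-to-header check quoted from the AngularJS documentation above can be enforced in front of any servlet-based backend. The following is an added example, not part of the original message and not Wicket's own code; it assumes the `javax.servlet` API, a hypothetical filter class named `XsrfCookieFilter` mapped ahead of the Wicket filter, and a cookie path of `/`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: issues XSRF-TOKEN on safe requests and requires a matching
// X-XSRF-TOKEN header on every other method. Class name is hypothetical.
public class XsrfCookieFilter implements Filter {
    private static final SecureRandom RNG = new SecureRandom();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String cookieToken = readCookie(req, "XSRF-TOKEN");
        String method = req.getMethod();
        boolean safe = method.equals("GET") || method.equals("HEAD") || method.equals("OPTIONS");
        if (!safe) {
            String header = req.getHeader("X-XSRF-TOKEN");
            // Constant-time comparison; a missing cookie or header is a rejection.
            if (cookieToken == null || header == null || !MessageDigest.isEqual(
                    cookieToken.getBytes(StandardCharsets.UTF_8), header.getBytes(StandardCharsets.UTF_8))) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN, "XSRF token missing or mismatched");
                return;
            }
        } else if (cookieToken == null) {
            byte[] raw = new byte[32]; // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            Cookie c = new Cookie("XSRF-TOKEN", Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
            c.setPath("/");               // assumed path; HttpOnly stays off so AngularJS can read it
            c.setSecure(req.isSecure());  // Secure flag whenever the request arrived over TLS
            res.addCookie(c);
        }
        chain.doFilter(req, res);
    }

    private static String readCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }
}
```

Because the check relies only on the cookie and header agreeing, state-changing operations must not be reachable through GET, HEAD or OPTIONS, which this filter lets through unchecked.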
