Hi,

You can use CookieUtils to write the cookie. Later in each request you could use WebRequest.getHeader(String) or @HeaderParam if this is supported.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, Dec 30, 2015 at 9:31 AM, andrea <andrea.patrice...@tirasa.net> wrote:

> Hi all,
>
> Starting from [this][1] question on stackoverflow, I'm going to ask one
> thing more.
>
> I've developed a web application in which Apache Wicket plays as "REST
> backend", it only exposes HTTP Resources, there is an application and there
> are no pages, and no html related.
> All "frontend" is developed in AngularJS.
>
> Now, I need protection against CSRF attacks. AngularJS documentation says:
>
> > To take advantage of this [angular XSRF protection], your server needs to
> > set a token in a
> > JavaScript readable session cookie called XSRF-TOKEN on first HTTP GET
> > request. On subsequent non-GET requests the server can verify that the
> > cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that
> > only JavaScript running on your domain could have read the token.
>
> How can I get this token managed by Apache Wicket?
>
> Are there wicket implementations of such mechanism?
>
> I found /*CsrfPreventionRequestCycleListener*/ but this doesn't protect
> all requests, it seems to be configured (by default) only to protect ajax
> requests on components or links; or /*CryptoMapper*/ with
> /*KeyInSessionSunJceCryptFactory*/, but this does not seem to do what I'm
> looking for.
> I "just" want to send a token, not to crypt urls, but if guarantees the
> same protection I'll do.
>
> I've not found so much on documentation, can you help me?
>
> [1]: http://stackoverflow.com/questions/29881338/add-csrf-protection-header-to-wicket-ajax-call#new-answer
>
> Best regards,
> Andrea
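
The cookie-to-header check quoted from the AngularJS documentation above, written as a Wicket request cycle listener. This is an added example, not code from the thread or from the Wicket project. It assumes the Wicket 6/7 listener API with `javax.servlet`, an HTTPS deployment, and a same-origin AngularJS client; the class name `XsrfCookieListener` is hypothetical, and it writes the cookie through `WebResponse.addCookie` rather than `CookieUtils`.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebRequest;
import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;

// Hypothetical class; register it in Application#init() with
// getRequestCycleListeners().add(new XsrfCookieListener());
public class XsrfCookieListener extends AbstractRequestCycleListener {
    private static final String COOKIE = "XSRF-TOKEN";   // cookie AngularJS reads
    private static final String HEADER = "X-XSRF-TOKEN"; // header AngularJS sends back
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler) {
        WebRequest request = (WebRequest) cycle.getRequest();
        String method = ((HttpServletRequest) request.getContainerRequest()).getMethod();
        Cookie cookie = request.getCookie(COOKIE);
        // Safe methods only hand out the token; they must not change state.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            if (cookie == null) { issueToken((WebResponse) cycle.getResponse()); }
            return;
        }
        // Every other method must echo the cookie value in the header.
        String header = request.getHeader(HEADER);
        if (cookie == null || header == null || !sameToken(cookie.getValue(), header)) {
            throw new AbortWithHttpErrorCodeException(403, "XSRF token missing or mismatched");
        }
    }

    private static void issueToken(WebResponse response) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG
        RANDOM.nextBytes(raw);
        Cookie cookie = new Cookie(COOKIE, String.format("%064x", new BigInteger(1, raw)));
        cookie.setPath("/");
        cookie.setSecure(true); // assumption: the application is served over HTTPS
        // HttpOnly is deliberately not set: the AngularJS client has to read this cookie.
        response.addCookie(cookie);
    }

    private static boolean sameToken(String a, String b) { // constant-time comparison
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the listener runs for every resolved request handler, it also covers mounted resources, which is the gap the question describes with the default configuration of CsrfPreventionRequestCycleListener.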