Hi,

You could use a global Ajax listener that adds the CSRF token to all Ajax
requests.
In the YourApp#init() method do:
getAjaxRequestTargetListeners().add(new AjaxRequestTarget.AbstractListener() {
    @Override
    public void updateAjaxAttributes(AbstractDefaultAjaxBehavior behavior,
                                     AjaxRequestAttributes attributes)
    {
        // Only state-changing (POST) Ajax calls need the token
        if (attributes.getMethod() == Method.POST) {
            attributes.getExtraParameters().put("CSRF-TOKEN", theTokenTakenFromSpringSecurity);
        }
    }
});

I am not sure where Spring Security looks for the token in a request. If it
is not possible via request parameter then you can use
AjaxCallListener#beforeSend() to put it in the headers.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, Oct 5, 2016 at 10:53 AM, mr <maliros1...@gmail.com> wrote:

> hi,
>
> If I remove <sec:csrf disabled="true"/> tag (because I need csrf protection
> in my app)
> I'm getting exception when pressing the button in my login page:
> "Wicket.Ajax.Call.failure: Error while parsing response: Could not verify
> the provided CSRF token because your session was not found"
> Wicket version-6.24.0
> Spring-security version- 4.1.3
>
> Can someone help me?
>
> --
> View this message in context: http://apache-wicket.1842946.
> n4.nabble.com/Wicket-Spring-4-integration-tp4672031p4675645.html
> Sent from the Users forum mailing list archive at Nabble.com.
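
The following is an added example, not code from the reply or from the Wicket or Spring Security projects. It fills in both options the reply mentions, assuming Spring Security's CsrfFilter is active and exposes the token as a request attribute named after the CsrfToken class; the class name CsrfAjaxListener and the helper names are hypothetical, and the listener signature is the one shown in the reply.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.ajax.AbstractDefaultAjaxBehavior;
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.attributes.AjaxCallListener;
import org.apache.wicket.ajax.attributes.AjaxRequestAttributes;
import org.apache.wicket.ajax.attributes.AjaxRequestAttributes.Method;
import org.apache.wicket.request.cycle.RequestCycle;
import org.springframework.security.web.csrf.CsrfToken;

// Hypothetical class name; register it in YourApp#init() with
// getAjaxRequestTargetListeners().add(new CsrfAjaxListener());
public class CsrfAjaxListener extends AjaxRequestTarget.AbstractListener {

    @Override
    public void updateAjaxAttributes(AbstractDefaultAjaxBehavior behavior,
                                     AjaxRequestAttributes attributes) {
        if (attributes.getMethod() != Method.POST) {
            return; // keep the token out of GET URLs, which end up in logs
        }
        CsrfToken token = currentToken();
        if (token == null) {
            return; // CsrfFilter did not handle the request that renders this page
        }
        // Option 1: request parameter, under the name the filter expects.
        attributes.getExtraParameters().put(token.getParameterName(), token.getToken());

        // Option 2: request header, set in the browser just before the call is sent.
        attributes.getAjaxCallListeners().add(new AjaxCallListener().onBeforeSend(
            "jqXHR.setRequestHeader('" + jsEscape(token.getHeaderName()) + "', '"
                + jsEscape(token.getToken()) + "');"));
    }

    // Assumption: the token is stored under CsrfToken.class.getName() by CsrfFilter.
    private static CsrfToken currentToken() {
        Object container = RequestCycle.get().getRequest().getContainerRequest();
        if (!(container instanceof HttpServletRequest)) {
            return null;
        }
        return (CsrfToken) ((HttpServletRequest) container).getAttribute(CsrfToken.class.getName());
    }

    // Escape a value for use inside a single-quoted JavaScript string literal.
    private static String jsEscape(String value) {
        return value.replace("\\", "\\\\").replace("'", "\\'");
    }
}
```

Either option alone is enough; taking the parameter and header names from the CsrfToken object keeps the listener in step with whatever names the security configuration uses.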
