It works for us, but we are not using *CryptMapper's ...

On Tue, Sep 19, 2017 at 7:49 PM, Wayne W <waynemailingli...@gmail.com> wrote:
> Hi,
>
> does anyone else have any ideas what I could do here? Is there anyone out
> there who's successfully got the CSRF protection up and running in
> production?
>
> On Fri, Sep 8, 2017 at 10:31 AM, Wayne W <waynemailingli...@gmail.com>
> wrote:
>
>> Thanks Martin,
>>
>> so I've used this:
>>
>> setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(),
>>         new KeyInSessionSunJceCryptFactory()));
>>
>>
>> public class PostUrlCryptMapper extends CryptoMapper {
>>
>>     private static Log log = LogFactory.getLog(PostUrlCryptMapper.class);
>>
>>     /**
>>      * @param wrappedMapper the mapper whose URLs are selectively encrypted
>>      * @param cryptFactory  supplies the per-session cipher
>>      */
>>     public PostUrlCryptMapper(IRequestMapper wrappedMapper,
>>                               final KeyInSessionSunJceCryptFactory cryptFactory) {
>>         super(wrappedMapper, new IProvider<ICrypt>() {
>>             @Override
>>             public ICrypt get() {
>>                 return cryptFactory.newCrypt();
>>             }
>>         });
>>     }
>>
>>     @Override
>>     public Url mapHandler(final IRequestHandler requestHandler) {
>>         // Encrypt only form-submit URLs; everything else is mapped unchanged
>>         if (isFormListenerInterfaceRequestHandler(requestHandler)) {
>>             return super.mapHandler(requestHandler);
>>         } else {
>>             return getDelegateMapper().mapHandler(requestHandler);
>>         }
>>     }
>>
>>     @Override
>>     public IRequestHandler mapRequest(final Request request) {
>>         // Try the URL as-is first; only fall back to decrypting it
>>         final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request);
>>         if (requestHandler == null) {
>>             return super.mapRequest(request);
>>         }
>>         return requestHandler;
>>     }
>>
>>     /**
>>      * Returns true when the component attached to the
>>      * ListenerInterfaceRequestHandler is a Form.
>>      * @param requestHandler the handler being mapped
>>      * @return true for form submissions, false otherwise
>>      */
>>     private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) {
>>         if (requestHandler instanceof ListenerInterfaceRequestHandler) {
>>             ListenerInterfaceRequestHandler listenerInterfaceRequestHandler =
>>                     (ListenerInterfaceRequestHandler) requestHandler;
>>             IRequestableComponent c = listenerInterfaceRequestHandler.getComponent();
>>             if (c instanceof Form) {
>>                 log.info("Form found!");
>>                 return true;
>>             }
>>         }
>> //        else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) {
>> //            BookmarkableListenerInterfaceRequestHandler handler =
>> //                    (BookmarkableListenerInterfaceRequestHandler) requestHandler;
>> //            IRequestableComponent c = handler.getComponent();
>> //            if (c instanceof Form) {
>> //                log.info("Form found!");
>> //                return true;
>> //            }
>> //        }
>>         return false;
>>     }
>> }
>>
>>
>> However what I am finding is that any form on a stateless/bookmarkable
>> page is not being encrypted. I tried to work around this with the section
>> of code that's commented out (BookmarkableListenerInterfaceRequestHandler).
>> This then encrypts the form action fine, but then I get 2 bits of odd
>> behaviour:
>>
>> - On pages that are bookmarkable, if there is a constructor that has
>> PageParameters, the page is just recreated and the submit is ignored (when
>> pressing submit). If I remove the PageParameters constructor then it works
>> fine.
>>
>> - On stateless pages, again when submitting the form it just recreates
>> the page.
>>
>>
>> public class SomeLoginPage extends WebPage {
>>
>>     public SomeLoginPage() {
>>         setStatelessHint(true);
>>         add(new FeedbackPanel("feedback"));
>>         add(new SignInForm("signInForm").setOutputMarkupId(false));
>>     }
>>
>>     public final class SignInForm extends StatelessForm<ValueMap> {
>>
>>         public SignInForm(final String id) {
>>             super(id, new CompoundPropertyModel<ValueMap>(new ValueMap()));
>>             add(new TextField<String>("username").setOutputMarkupId(false));
>>             add(new PasswordTextField("password").setOutputMarkupId(false));
>>         }
>>
>>         /**
>>          * @see org.apache.wicket.markup.html.form.Form#onSubmit()
>>          */
>>         @Override
>>         public void onSubmit() {
>>             ValueMap values = getModelObject();
>>             String username = values.getString("username");
>>             String password = values.getString("password");
>>
>>             if (signIn(username, password)) {
>>                 ((HubSession) Session.get()).setAdminAthenticated(true);
>>                 ContextUtil.get().setUser(null);
>>                 setResponsePage(CompanyAdminPage.class);
>>             } else {
>>                 // Try the component based localizer first. If not found try the
>>                 // application localizer. Else use the default
>>                 error(getLocalizer().getString("exception.login", this,
>>                         "Illegal username password combo"));
>>             }
>>         }
>>
>>         private boolean signIn(String username, String password) {
>>             // TODO authentication
>>             return false;
>>         }
>>     }
>> }
>>
>> Any ideas?
>>
>>
>> On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov <mgrigo...@apache.org>
>> wrote:
>>
>>> org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
>>> instanceOf Form
>>>
>>> Martin Grigorov
>>> Wicket Training and Consulting
>>> https://twitter.com/mtgrigorov
>>>
>>> On Thu, Sep 7, 2017 at 11:04 AM, Wayne W <waynemailingli...@gmail.com>
>>> wrote:
>>>
>>> > Thanks Martin,
>>> >
>>> > how can I tell for example if the IPageClassRequestHandler or
>>> > ListenerInterfaceRequestHandler is for a form?
>>> >
>>> > On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov <mgrigo...@apache.org>
>>> > wrote:
>>> >
>>> > > Hi,
>>> > >
>>> > > I don't use any of these so I don't have much experience in production
>>> > > with them!
>>> > >
>>> > > On Wed, Sep 6, 2017 at 12:07 PM, Wayne W <waynemailingli...@gmail.com
>>> >
>>> > > wrote:
>>> > >
>>> > > > Hi,
>>> > > >
>>> > > > I've been trying to use CsrfPreventionRequestCycleListener in
>>> > > > production. However we are seeing in the logs that about 30 times a
>>> > > > day we get the request aborted because the clients' browsers are
>>> > > > sometimes not sending the referrer header. Doing some research it
>>> > > > seems we cannot rely on the clients' browser to send the referrer and
>>> > > > it could be somewhat buggy in older browsers.
>>> > > >
>>> > > > Does anyone else experience this trouble?
>>> > > >
>>> > > > Are there any alternatives?
>>> > > >
>>> > > > I did try:
>>> > > >
>>> > > > getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
>>> > > >
>>> > > > setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
>>> > > >
>>> > > > However this encrypts everything (resources, urls, etc). Is there a
>>> > > > way of just encrypting say forms and links or something?
>>> > > >
>>> > >
>>> > > You can override CryptoMapper#mapHandler() and call super.mapHandler()
>>> > > only when the IRequestHandler is not an instance of IPageClassRequestHandler
>>> > > or only when it is ListenerInterfaceRequestHandler.
>>> > >
>>> > >
>>> > > >
>>> > > > Anyone got a solution that works for them in production?
>>> > > >
>>> > > > many thanks
>>> > > >
>>> > >
>>> >
>>>
>>
>>



-- 
WBR
Maxim aka solomax
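Added example, not code from anyone in this thread: one way to install the CsrfPreventionRequestCycleListener that the thread opens with so that requests arriving without an Origin or Referer header are still rejected but are logged with enough context to tell a header-stripping client apart from a genuine cross-site post. HubApplication, the accepted host name and the use of Wicket 7.x are assumptions; the listener methods are Wicket's public API.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical application class (placeholder name, not from the thread).
public class HubApplication extends WebApplication {

    private static final Logger log = LoggerFactory.getLogger(HubApplication.class);

    @Override
    protected void init() {
        super.init();

        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener() {
            @Override
            protected void onAborted(HttpServletRequest request, String origin,
                                     IRequestablePage page) {
                // origin is null when neither Origin nor Referer was sent; the user
                // agent and target page make the 30-a-day aborts investigable
                log.warn("CSRF check aborted: origin={} userAgent={} page={}",
                        origin, request.getHeader("User-Agent"),
                        page == null ? "n/a" : page.getClass().getName());
            }
        };

        // Only this host (assumed placeholder) may be the source of state-changing requests
        csrf.addAcceptedOrigin("app.example.com");

        // Keep rejecting requests that carry no Origin/Referer at all. Switching this to
        // CsrfAction.SUPPRESS (render the page instead of 403) or CsrfAction.ALLOW stops
        // the error noise but lets exactly the forged requests the listener exists to block
        // through whenever the header is absent, so prefer ABORT plus logging.
        csrf.setNoOriginAction(CsrfAction.ABORT);
        csrf.setConflictingOriginAction(CsrfAction.ABORT);
        csrf.setErrorCode(403);
        csrf.setErrorMessage("Request origin does not match this application");

        getRequestCycleListeners().add(csrf);
    }
}
```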
