Hi Maxim, what are you using? CsrfPreventionRequestCycleListener?

On Tue, Sep 19, 2017 at 2:23 PM, Maxim Solodovnik <solomax...@gmail.com>
wrote:

> It works for us, but we are not using *CryptMapper's ...
>
> On Tue, Sep 19, 2017 at 7:49 PM, Wayne W <waynemailingli...@gmail.com>
> wrote:
> > Hi,
> >
> > does anyone else have any ideas what I could do here? Is there anyone out
> > there who's successfully got the CSRF protection up and running in
> > production?
> >
> > On Fri, Sep 8, 2017 at 10:31 AM, Wayne W <waynemailingli...@gmail.com>
> > wrote:
> >
> >> Thanks Martin,
> >>
> >> so I've used this:
> >>
> >> setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(),
> >>         new KeyInSessionSunJceCryptFactory()));
> >>
> >> public class PostUrlCryptMapper extends CryptoMapper {
> >>
> >>     private static Log log = LogFactory.getLog(PostUrlCryptMapper.class);
> >>
> >>     /**
> >>      * @param wrappedMapper
> >>      * @param cryptFactory
> >>      */
> >>     public PostUrlCryptMapper(IRequestMapper wrappedMapper,
> >>                               final KeyInSessionSunJceCryptFactory cryptFactory) {
> >>         super(wrappedMapper, new IProvider<ICrypt>() {
> >>             @Override
> >>             public ICrypt get() {
> >>                 return cryptFactory.newCrypt();
> >>             }
> >>         });
> >>     }
> >>
> >>     @Override
> >>     public Url mapHandler(final IRequestHandler requestHandler) {
> >>         // Only form listener URLs go through the encrypting mapper;
> >>         // everything else (pages, resources) keeps its plain URL.
> >>         if (isFormListenerInterfaceRequestHandler(requestHandler)) {
> >>             return super.mapHandler(requestHandler);
> >>         } else {
> >>             return getDelegateMapper().mapHandler(requestHandler);
> >>         }
> >>     }
> >>
> >>     @Override
> >>     public IRequestHandler mapRequest(final Request request) {
> >>         // Try the plain mapper first; only fall back to decrypting the URL
> >>         // when the plain mapper does not recognise it.
> >>         final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request);
> >>         if (requestHandler == null) {
> >>             return super.mapRequest(request);
> >>         }
> >>         return requestHandler;
> >>     }
> >>
> >>     /**
> >>      * Returns true when the component attached to the
> >>      * ListenerInterfaceRequestHandler is a Form.
> >>      * @param requestHandler
> >>      * @return
> >>      */
> >>     private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) {
> >>         if (requestHandler instanceof ListenerInterfaceRequestHandler) {
> >>             ListenerInterfaceRequestHandler listenerInterfaceRequestHandler =
> >>                     (ListenerInterfaceRequestHandler) requestHandler;
> >>             IRequestableComponent c = listenerInterfaceRequestHandler.getComponent();
> >>             if (c instanceof Form) {
> >>                 log.info("Form found!");
> >>                 return true;
> >>             }
> >>         }
> >> //        else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) {
> >> //            BookmarkableListenerInterfaceRequestHandler handler =
> >> //                    (BookmarkableListenerInterfaceRequestHandler) requestHandler;
> >> //            IRequestableComponent c = handler.getComponent();
> >> //            if (c instanceof Form) {
> >> //                log.info("Form found!");
> >> //                return true;
> >> //            }
> >> //        }
> >>         return false;
> >>     }
> >> }
> >>
> >>
> >> However what I am finding is that any form on a stateless/bookmarkable
> >> page is not being encrypted. I tried to work around this with the section
> >> of code that's commented out (BookmarkableListenerInterfaceRequestHandler).
> >> This then encrypts the form action fine, but then I get 2 bits of odd
> >> behaviour:
> >>
> >> - On pages that are bookmarkable, if there is a constructor that has
> >> PageParameters, the page is just recreated and the submit is ignored (when
> >> pressing submit). If I remove the PageParameters constructor then it works
> >> fine.
> >>
> >> - On stateless pages, again when submitting the form it just recreates
> >> the page
> >>
> >>
> >> public class SomeLoginPage extends WebPage {
> >>
> >>     public SomeLoginPage() {
> >>         setStatelessHint(true);
> >>         add(new FeedbackPanel("feedback"));
> >>         add(new SignInForm("signInForm").setOutputMarkupId(false));
> >>     }
> >>
> >>     public final class SignInForm extends StatelessForm<ValueMap> {
> >>
> >>         public SignInForm(final String id) {
> >>             super(id, new CompoundPropertyModel<ValueMap>(new ValueMap()));
> >>             add(new TextField<String>("username").setOutputMarkupId(false));
> >>             add(new PasswordTextField("password").setOutputMarkupId(false));
> >>         }
> >>
> >>         /**
> >>          * @see org.apache.wicket.markup.html.form.Form#onSubmit()
> >>          */
> >>         @Override
> >>         public void onSubmit() {
> >>             ValueMap values = getModelObject();
> >>             String username = values.getString("username");
> >>             String password = values.getString("password");
> >>
> >>             if (signIn(username, password)) {
> >>                 ((HubSession) Session.get()).setAdminAthenticated(true);
> >>                 ContextUtil.get().setUser(null);
> >>                 setResponsePage(CompanyAdminPage.class);
> >>             } else {
> >>                 // Try the component based localizer first. If not found try the
> >>                 // application localizer. Else use the default
> >>                 error(getLocalizer().getString("exception.login", this,
> >>                         "Illegal username password combo"));
> >>             }
> >>         }
> >>
> >>         private boolean signIn(String username, String password) {
> >>             // TODO authentication
> >>             return false;
> >>         }
> >>     }
> >> }
> >>
> >>
> >>
> >> Any ideas?
> >>
> >>
> >>
> >> On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov <mgrigo...@apache.org>
> >> wrote:
> >>
> >>> org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
> >>> instanceOf Form
> >>>
> >>> Martin Grigorov
> >>> Wicket Training and Consulting
> >>> https://twitter.com/mtgrigorov
> >>>
> >>> On Thu, Sep 7, 2017 at 11:04 AM, Wayne W <waynemailingli...@gmail.com>
> >>> wrote:
> >>>
> >>> > Thanks Martin,
> >>> >
> >>> > how can I tell for example if the IPageClassRequestHandler or
> >>> > ListenerInterfaceRequestHandler is for a form?
> >>> >
> >>> > On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov <
> mgrigo...@apache.org>
> >>> > wrote:
> >>> >
> >>> > > Hi,
> >>> > >
> >>> > > I don't use any of these so I have not much experience in production
> >>> > > with them!
> >>> > >
> >>> > > On Wed, Sep 6, 2017 at 12:07 PM, Wayne W <waynemailingli...@gmail.com>
> >>> > > wrote:
> >>> > >
> >>> > > > Hi,
> >>> > > >
> >>> > > > I've been trying to use CsrfPreventionRequestCycleListener in
> >>> > > > production. However we are seeing in the logs that about 30 times a
> >>> > > > day we get the request aborted because the clients' browsers are not
> >>> > > > sending the referrer header sometimes. Doing some research it seems
> >>> > > > we cannot rely on the clients' browser to send the referrer and it
> >>> > > > could be somewhat buggy in older browsers.
> >>> > > >
> >>> > > > Does anyone else experience this trouble?
> >>> > > >
> >>> > > > Are there any alternatives?
> >>> > > >
> >>> > > > I did try:
> >>> > > >
> >>> > > > getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
> >>> > > >
> >>> > > > setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
> >>> > > >
> >>> > > > However this encrypts everything (resources, urls, etc). Is there a
> >>> > > > way of just encrypting say forms and links or something?
> >>> > > >
> >>> > >
> >>> > > You can override CryptoMapper#mapHandler() and call super.mapHandler()
> >>> > > only when the IRequestHandler is not an instance of
> >>> > > IPageClassRequestHandler or only when it is ListenerInterfaceRequestHandler.
> >>> > >
> >>> > >
> >>> > > >
> >>> > > > Anyone got a solution that works for them in production?
> >>> > > >
> >>> > > > many thanks
> >>> > > >
> >>> > >
> >>> >
> >>>
> >>
> >>
>
>
>
> --
> WBR
> Maxim aka solomax
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>
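
The missing-Referer problem Wayne describes above, as an added example that is not Wicket's code: a small Python model of the Origin/Referer comparison a listener like CsrfPreventionRequestCycleListener performs, with an explicit policy for state-changing requests that carry neither header (the case behind the roughly 30 aborts a day). The application origin, the accepted-origin set, the `NoOriginAction` enum and the sample requests are all my own constructions (if I remember the Wicket 7.x API correctly, the real listener exposes the same choice through `setNoOriginAction` and its `CsrfAction` values, but check that against your version's javadoc). It also goes one step beyond the thread by treating the literal `Origin: null` value, which some browsers send from sandboxed or privacy contexts, as a non-matching origin.

```python
"""Origin/Referer CSRF check with an explicit policy for requests that carry
neither header. Added example, not Wicket code: it models the comparison
CsrfPreventionRequestCycleListener performs so the 'missing Referer' failure
mode from the thread can be reasoned about offline."""

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit


class NoOriginAction(Enum):
    """What to do when a state-changing request has no Origin and no Referer.
    (Constructed for this example; not Wicket's enum.)"""
    ABORT = "abort"        # strict: header-stripping clients get rejected
    SUPPRESS = "suppress"  # accept but log, so the rate can be measured first
    ALLOW = "allow"        # accept silently; only conflicting origins are rejected


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host:port, the triple a same-origin check compares.
    Returns None for values that are not an absolute http(s) URL, which covers
    the literal 'Origin: null' some browsers send."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:          # malformed port, e.g. "https://h:abc/"
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


@dataclass
class CsrfOriginChecker:
    app_origin: str                              # the deployment's own public URL (constructed)
    accepted_origins: Set[str] = field(default_factory=set)
    no_origin_action: NoOriginAction = NoOriginAction.ABORT
    log: List[str] = field(default_factory=list)

    def _allowed(self) -> Set[str]:
        allowed = {origin_of(self.app_origin)}
        allowed.update(origin_of(o) for o in self.accepted_origins)
        allowed.discard(None)
        return allowed

    def check(self, method: str, headers: Dict[str, str]) -> str:
        """Return 'allow' or 'abort' for one request. Safe methods are never
        checked, mirroring a listener that only guards state-changing requests."""
        if method.upper() in ("GET", "HEAD", "OPTIONS"):
            return "allow"
        h = {k.lower(): v for k, v in headers.items()}
        # Origin is preferred; Referer is the fallback for browsers that omit Origin.
        source = h.get("origin") or h.get("referer")
        if source is None:
            self.log.append(f"{method}: no Origin/Referer -> {self.no_origin_action.value}")
            return "abort" if self.no_origin_action is NoOriginAction.ABORT else "allow"
        origin = origin_of(source)
        if origin is None or origin not in self._allowed():
            self.log.append(f"{method}: origin {source!r} conflicts with {self.app_origin} -> abort")
            return "abort"
        return "allow"


# Constructed sample traffic: a login POST, a cross-site POST, and the
# header-less POSTs the thread reports seeing about 30 times a day.
SAMPLE_REQUESTS = [
    ("GET",  {"Referer": "https://app.example.com/"}),
    ("POST", {"Origin": "https://app.example.com", "Referer": "https://app.example.com/login"}),
    ("POST", {"Referer": "https://app.example.com/login"}),   # older browser: Referer only
    ("POST", {"Origin": "https://attacker.example"}),         # cross-site form post
    ("POST", {"Origin": "null"}),                             # opaque origin
    ("POST", {}),                                             # proxy or extension stripped both
]


def tally(action: NoOriginAction) -> Dict[str, int]:
    """Run the sample traffic under one no-origin policy and count outcomes."""
    checker = CsrfOriginChecker("https://app.example.com", no_origin_action=action)
    counts = {"allow": 0, "abort": 0}
    for method, headers in SAMPLE_REQUESTS:
        counts[checker.check(method, headers)] += 1
    return counts


if __name__ == "__main__":
    for action in NoOriginAction:
        print(action.value, tally(action))
```

Running the block prints one tally per policy: under `ABORT` the header-less POST is rejected along with the cross-site and `null`-origin ones, under `SUPPRESS` or `ALLOW` it is accepted and only the two conflicting origins are rejected. Starting in the suppress-and-log mode is the cheap way to find out whether the aborted requests are really legitimate users behind Referer-stripping clients before deciding to relax the check or to move those forms to an unguessable (encrypted or token-bearing) action URL.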
