Hi Maxim,

what are you using? CsrfPreventionRequestCycleListener?

On Tue, Sep 19, 2017 at 2:23 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:

> It works for us, but we are not using *CryptMapper's ...
>
> On Tue, Sep 19, 2017 at 7:49 PM, Wayne W <waynemailingli...@gmail.com> wrote:
>
> > Hi,
> >
> > does anyone else have any ideas what I could do here? Is there anyone out
> > there who's successfully got the CSRF protection up and running in
> > production?
> >
> > On Fri, Sep 8, 2017 at 10:31 AM, Wayne W <waynemailingli...@gmail.com> wrote:
> >
> > > Thanks Martin,
> > >
> > > so I've used this:
> > >
> > >     setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(),
> > >             new KeyInSessionSunJceCryptFactory()));
> > >
> > >     import org.apache.commons.logging.Log;
> > >     import org.apache.commons.logging.LogFactory;
> > >     import org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler;
> > >     import org.apache.wicket.core.request.mapper.CryptoMapper;
> > >     import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
> > >     import org.apache.wicket.markup.html.form.Form;
> > >     import org.apache.wicket.request.IRequestHandler;
> > >     import org.apache.wicket.request.IRequestMapper;
> > >     import org.apache.wicket.request.Request;
> > >     import org.apache.wicket.request.Url;
> > >     import org.apache.wicket.request.component.IRequestableComponent;
> > >     import org.apache.wicket.util.IProvider;
> > >     import org.apache.wicket.util.crypt.ICrypt;
> > >
> > >     public class PostUrlCryptMapper extends CryptoMapper {
> > >
> > >         private static Log log = LogFactory.getLog(PostUrlCryptMapper.class);
> > >
> > >         /**
> > >          * @param wrappedMapper
> > >          * @param cryptFactory
> > >          */
> > >         public PostUrlCryptMapper(IRequestMapper wrappedMapper,
> > >                 final KeyInSessionSunJceCryptFactory cryptFactory) {
> > >             super(wrappedMapper, new IProvider<ICrypt>() {
> > >                 @Override
> > >                 public ICrypt get() {
> > >                     return cryptFactory.newCrypt();
> > >                 }
> > >             });
> > >         }
> > >
> > >         // Encrypt only the URLs of form listener handlers; everything else
> > >         // is mapped by the wrapped mapper unencrypted.
> > >         @Override
> > >         public Url mapHandler(final IRequestHandler requestHandler) {
> > >             if (isFormListenerInterfaceRequestHandler(requestHandler)) {
> > >                 return super.mapHandler(requestHandler);
> > >             } else {
> > >                 return getDelegateMapper().mapHandler(requestHandler);
> > >             }
> > >         }
> > >
> > >         // Try the plain mapping first, fall back to decrypting the URL.
> > >         @Override
> > >         public IRequestHandler mapRequest(final Request request) {
> > >             final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request);
> > >             if (requestHandler == null) {
> > >                 return super.mapRequest(request);
> > >             }
> > >             return requestHandler;
> > >         }
> > >
> > >         /**
> > >          * Returns true if the component attached to the
> > >          * ListenerInterfaceRequestHandler is a form container.
> > >          *
> > >          * @param requestHandler
> > >          * @return
> > >          */
> > >         private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) {
> > >             if (requestHandler instanceof ListenerInterfaceRequestHandler) {
> > >                 ListenerInterfaceRequestHandler listenerInterfaceRequestHandler =
> > >                         (ListenerInterfaceRequestHandler) requestHandler;
> > >                 IRequestableComponent c = listenerInterfaceRequestHandler.getComponent();
> > >                 if (c instanceof Form) {
> > >                     log.info("Form found!");
> > >                     return true;
> > >                 }
> > >             }
> > >             // else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) {
> > >             //     BookmarkableListenerInterfaceRequestHandler handler =
> > >             //             (BookmarkableListenerInterfaceRequestHandler) requestHandler;
> > >             //     IRequestableComponent c = handler.getComponent();
> > >             //     if (c instanceof Form) {
> > >             //         log.info("Form found!");
> > >             //         return true;
> > >             //     }
> > >             // }
> > >             return false;
> > >         }
> > >     }
> > >
> > > However what I am finding is that any form on a stateless/bookmarkable
> > > page is not being encrypted. I tried to work around this with the section
> > > of code that's commented out (BookmarkableListenerInterfaceRequestHandler).
> > > This then encrypts the form action fine, but then I get 2 bits of odd
> > > behaviour:
> > >
> > > - On pages that are bookmarkable, if there is a constructor that has
> > >   PageParameters, the page is just recreated and the submit is ignored
> > >   (when pressing submit). If I remove the PageParameters constructor then
> > >   it works fine.
> > >
> > > - On stateless pages, again when submitting the form it just recreates
> > >   the page.
> > >
> > >     import org.apache.wicket.Session;
> > >     import org.apache.wicket.markup.html.WebPage;
> > >     import org.apache.wicket.markup.html.form.PasswordTextField;
> > >     import org.apache.wicket.markup.html.form.StatelessForm;
> > >     import org.apache.wicket.markup.html.form.TextField;
> > >     import org.apache.wicket.markup.html.panel.FeedbackPanel;
> > >     import org.apache.wicket.model.CompoundPropertyModel;
> > >     import org.apache.wicket.util.value.ValueMap;
> > >
> > >     // HubSession, ContextUtil and CompanyAdminPage are application classes.
> > >     public class SomeLoginPage extends WebPage {
> > >
> > >         public SomeLoginPage() {
> > >             setStatelessHint(true);
> > >             add(new FeedbackPanel("feedback"));
> > >             add(new SignInForm("signInForm").setOutputMarkupId(false));
> > >         }
> > >
> > >         public final class SignInForm extends StatelessForm<ValueMap> {
> > >
> > >             public SignInForm(final String id) {
> > >                 super(id, new CompoundPropertyModel<ValueMap>(new ValueMap()));
> > >                 add(new TextField<String>("username").setOutputMarkupId(false));
> > >                 add(new PasswordTextField("password").setOutputMarkupId(false));
> > >             }
> > >
> > >             /**
> > >              * @see org.apache.wicket.markup.html.form.Form#onSubmit()
> > >              */
> > >             @Override
> > >             public void onSubmit() {
> > >                 ValueMap values = getModelObject();
> > >                 String username = values.getString("username");
> > >                 String password = values.getString("password");
> > >
> > >                 if (signIn(username, password)) {
> > >                     ((HubSession) Session.get()).setAdminAthenticated(true);
> > >                     ContextUtil.get().setUser(null);
> > >                     setResponsePage(CompanyAdminPage.class);
> > >                 } else {
> > >                     // Try the component based localizer first. If not found try the
> > >                     // application localizer. Else use the default
> > >                     error(getLocalizer().getString("exception.login", this,
> > >                             "Illegal username password combo"));
> > >                 }
> > >             }
> > >
> > >             private boolean signIn(String username, String password) {
> > >                 // TODO authentication
> > >                 return false;
> > >             }
> > >         }
> > >     }
> > >
> > > Any ideas?
> > >
> > > On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
> > >
> > > > org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
> > > > instanceof Form
> > > >
> > > > Martin Grigorov
> > > > Wicket Training and Consulting
> > > > https://twitter.com/mtgrigorov
> > > >
> > > > On Thu, Sep 7, 2017 at 11:04 AM, Wayne W <waynemailingli...@gmail.com> wrote:
> > > >
> > > > > Thanks Martin,
> > > > >
> > > > > how can I tell for example if the IPageClassRequestHandler or
> > > > > ListenerInterfaceRequestHandler is for a form?
> > > > >
> > > > > On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I don't use any of these so I don't have much experience in production
> > > > > > with them!
> > > > > >
> > > > > > On Wed, Sep 6, 2017 at 12:07 PM, Wayne W <waynemailingli...@gmail.com> wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I've been trying to use CsrfPreventionRequestCycleListener in
> > > > > > > production. However we are seeing in the logs that about 30 times a
> > > > > > > day we get the request aborted because the clients' browsers are not
> > > > > > > sending the referrer header sometimes. Doing some research it seems we
> > > > > > > cannot rely on the client's browser to send the referrer and it could
> > > > > > > be somewhat buggy in older browsers.
> > > > > > >
> > > > > > > Does anyone else experience this trouble?
> > > > > > >
> > > > > > > Are there any alternatives?
> > > > > > >
> > > > > > > I did try:
> > > > > > >
> > > > > > >     getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
> > > > > > >
> > > > > > >     setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
> > > > > > >
> > > > > > > However this encrypts everything (resources, urls, etc). Is there a way
> > > > > > > of just encrypting say forms and links or something?
> > > > > >
> > > > > > You can override CryptoMapper#mapHandler() and call super.mapHandler()
> > > > > > only when the IRequestHandler is not an instance of
> > > > > > IPageClassRequestHandler or only when it is
> > > > > > ListenerInterfaceRequestHandler.
> > > > > >
> > > > > > > Anyone got a solution that works for them in production?
> > > > > > >
> > > > > > > many thanks
>
> --
> WBR
> Maxim aka solomax
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
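An added example, not code from the thread or from the Wicket project, of the listener-based approach the thread starts from: a CsrfPreventionRequestCycleListener subclass that decides explicitly what happens to a request carrying neither an Origin nor a Referer header (the case Wayne reports being aborted), rejects requests whose header names another site, and restricts the check to form submits so that a typed-in or bookmarked URL without a Referer still renders. It covers both the stateful (ListenerInterfaceRequestHandler) and the stateless (BookmarkableListenerInterfaceRequestHandler) form submit through their common IComponentRequestHandler interface. The code assumes the Wicket 7.x API (listener in org.apache.wicket.protocol.http with setNoOriginAction, setConflictingOriginAction, setErrorCode, setErrorMessage, addAcceptedOrigin and the isChecked/onAborted/onSuppressed hooks); the class name FormSubmitCsrfListener, the package, the install() helper and the accepted origin sso.example.com are made up for the example.

```java
package example.security; // hypothetical package for this example

import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.core.request.handler.IComponentRequestHandler;
import org.apache.wicket.core.request.handler.IPageRequestHandler;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.component.IRequestablePage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example (not from the thread or from Wicket): an Origin/Referer based
 * CSRF listener tuned so that a missing header degrades gracefully instead of
 * aborting the request. Assumes the Wicket 7.x listener API.
 */
public class FormSubmitCsrfListener extends CsrfPreventionRequestCycleListener
{
    private static final Logger log = LoggerFactory.getLogger(FormSubmitCsrfListener.class);

    public FormSubmitCsrfListener()
    {
        // Origin (or, failing that, Referer) present and naming another site:
        // this is the genuine cross-site case, so reject it with a 403.
        setConflictingOriginAction(CsrfAction.ABORT);
        setErrorCode(403);
        setErrorMessage("Cross-origin form submit rejected");

        // Neither header present (privacy settings, proxies, older browsers):
        // SUPPRESS skips the form's onSubmit and only re-renders the page, so
        // no state changes but the user does not get an error page. ALLOW would
        // trust such requests; ABORT (the listener's default) rejects them.
        setNoOriginAction(CsrfAction.SUPPRESS);

        // Hosts that may legitimately post to this application (made-up name).
        addAcceptedOrigin("sso.example.com");
    }

    /**
     * Check only submits to a Form, whether the page is stateful
     * (ListenerInterfaceRequestHandler) or stateless
     * (BookmarkableListenerInterfaceRequestHandler). Page renders and resource
     * requests are not checked, so bookmarked URLs without a Referer still load.
     * Links whose onClick changes state are not checked by this override either.
     */
    @Override
    protected boolean isChecked(IRequestHandler handler)
    {
        if (handler instanceof IPageRequestHandler && handler instanceof IComponentRequestHandler)
        {
            return ((IComponentRequestHandler)handler).getComponent() instanceof Form;
        }
        return false;
    }

    @Override
    protected void onAborted(HttpServletRequest request, IRequestHandler handler, IRequestablePage page)
    {
        // Log the headers, not the body: this is the signal worth alerting on.
        log.warn("CSRF check aborted submit to {} (Origin={}, Referer={})",
            page.getClass().getSimpleName(), request.getHeader("Origin"),
            request.getHeader("Referer"));
    }

    @Override
    protected void onSuppressed(HttpServletRequest request, IRequestHandler handler, IRequestablePage page)
    {
        // Counting these tells you how often real users hit the no-header case.
        log.info("CSRF check suppressed submit to {}: no Origin/Referer header",
            page.getClass().getSimpleName());
    }

    /** Registration; call from the application's init(). Hypothetical helper. */
    public static void install(WebApplication app)
    {
        app.getRequestCycleListeners().add(new FormSubmitCsrfListener());
    }
}
```

SUPPRESS for the no-header case is a deliberate trade-off: a forged request that strips both headers is still harmless because onSubmit never runs, while a legitimate user whose browser withheld the Referer sees the page again rather than an error. If the suppressed count in the logs stays near the 30 per day the thread mentions, that is the population the CryptoMapper approach would otherwise have to serve.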