Hi – I’ve been running into an issue recently and was hoping somebody might
be able to help.
We have a Wicket application (8.17.0) in which we generate a PDF using a
FileResourceStream and display in a new tab within the browser.
We have a CsrfPreventionRequestCycleListener added to our WebApplication
class for a specific origin:
getRequestCycleListeners().add(new
CsrfPreventionRequestCycleListener().addAcceptedOrigin("<accepted
origin>"));
When the file is generated, the origin request header is not added to the
request. If opening in a browser with the “Adobe Acrobat: PDF edit,
convert, sign tools” extension enabled, the request is aborted and the PDF
will not display. The below message is written to the logs:
2025-06-05 08:26:56,049 INFO o.a.w.p.h.CsrfPreventionRequestCycleListener
[CsrfPreventionRequestCycleListener.java:779] Possible CSRF attack, request
URL: <actual URL>, Origin: null, action: aborted with error 400 Origin does
not correspond to request
Below is the code for the link that generates the PDF for display in a new
tab:
Link<CustomDocument> downloadLink = new
Link<CustomDocument>("downloadLink", getModel()) {
@Override
public void onClick() {
FileResourceStream resourceStream = new FileResourceStream(new
CustomDocumentFileLoadableModel(getModelObject().getId()).getObject());
getRequestCycle().scheduleRequestHandlerAfterCurrent(new
ResourceStreamRequestHandler(resourceStream));
}
};
I’m looking to either generate the file via a resource stream with the
origin request header appended to the request or to exclude this particular
request from being evaluated by the CsrfPreventionRequestCycleListener. To
this point, I haven’t had any luck overriding isChecked(IRequestHandler
handler) to handle this scenario.
Thanks in advance for any guidance you can provide.
