I might be overlooking something, but I doubt whether you need it, as
submissions to pages already are safe. It's very unlikely other's can
guess session relative URLs (like <form
action="wf_component?wicket:interface=wf_component:3:content:tabs:tabs:panel:filter-form:1:IFormSubmitListener:").
But if you want more security you can implement your own request
coding strategy, or e.g. use something like
CryptedUrlWebRequestCodingStrategy. That sounds like a better idea to
me than implementing special purpose functionality in forms.
Eelco
On 5/7/07, Bruno Borges <[EMAIL PROTECTED]> wrote:
Isn't this already implemented in Wicket's Core?
--
Bruno Borges
Summa Technologies Inc.
www.summa-tech.com
(48) 8404-1300
(11) 3055-2060
On 5/7/07, Mark Sandori <[EMAIL PROTECTED]> wrote:
>
> I am looking at making a version of the Form component that supports the
> "action token" pattern for securing forms against cross-site request
> forgery
> (XSRF) and cross-site script includes (XSSI). The basic idea is to have
> the
> form generate a unique id that must be submitted along with the form. This
> verifies that the form was not forged and generated outside of the
> application.
>
> I would love your input as to whether this will work (I am not an expert
> on
> all the versioning and pagemap stuff yet, but I think the form should
> always
> be submitted to the same instance regardless of back button, etc.) and
> whether this should be part of the base form component.
>
> Below is the version of the form that I have created. The verification of
> the token happens in an overriden validate() method. I would have
> preferred
> to override onFormSubmitted, but it is marked as final (at least in
> 1.2.5which is what I am using). In
> 2.0 there appears to be "fake submit" handling, but it is not clear how
> this
> should work. If this is already being handled, let me know...
>
> Thanks for your time.
>
>
> public class SecureForm extends Form
> {
>
> private final transient Logger logger = LoggerFactory.getLogger(
> SecureForm.class);
>
> private String actionToken;
>
> public SecureForm(final String id) {
> this(id, null);
> }
>
> public SecureForm(final String id, IModel model)
> {
> super(id, model);
>
> //generate a unique action token stored with this form
> actionToken = UUID.randomUUID().toString();
> }
>
> @Override
> protected void onComponentTagBody(final MarkupStream markupStream,
> final
> ComponentTag openTag)
> {
> // render the hidden field
> AppendingStringBuffer buffer = new AppendingStringBuffer("<div
> style=\"display:none\"><input type=\"hidden\" name=\"");
> buffer.append(getActionTokenHiddenFieldId())
> .append("\" id=\"")
> .append(getActionTokenHiddenFieldId())
> .append("\" value=\"")
> .append(actionToken)
> .append("\" /></div>");
> getResponse().write(buffer);
>
> // do the rest of the processing
> super.onComponentTagBody(markupStream, openTag);
> }
>
> @Override
> protected void validate() {
> //verify that the token was provided
> String token =
> getRequest().getParameter(getActionTokenHiddenFieldId());
>
> if (!actionToken.equals(token)) {
> logger.warn("Attempted unauthorized form submission.");
> throw new UnauthorizedActionException(this, new Action("
> SECUREFORM.SUBMIT"));
> }
>
> super.validate();
> }
>
> private String getActionTokenHiddenFieldId() {
> return "_actiontoken";
> }
> }
>
