I am using WebURLCompressingCodingStrategy so the URLs are more compact, but
it still seems like someone could potentially fake a request because there
is only part of the URL that is session specific and not entirely random.
I will take a look at the CryptedUrlWebRequestCodingStrategy to see if that
takes care of it.
Thanks guys!!
On 5/7/07, Eelco Hillenius <[EMAIL PROTECTED]> wrote:
I might be overlooking something, but I doubt whether you need it, as
submissions to pages already are safe. It's very unlikely others can
guess session relative URLs (like <form
action="wf_component?wicket:interface=wf_component:3:content:tabs:tabs:panel:filter-form:1:IFormSubmitListener:").
But if you want more security you can implement your own request
coding strategy, or e.g. use something like
CryptedUrlWebRequestCodingStrategy. That sounds like a better idea to
me than implementing special purpose functionality in forms.
Eelco
On 5/7/07, Bruno Borges <[EMAIL PROTECTED]> wrote:
> Isn't this already implemented in Wicket's Core?
>
> --
> Bruno Borges
> Summa Technologies Inc.
> www.summa-tech.com
> (48) 8404-1300
> (11) 3055-2060
>
> On 5/7/07, Mark Sandori <[EMAIL PROTECTED]> wrote:
> >
> > I am looking at making a version of the Form component that supports the
> > "action token" pattern for securing forms against cross-site request forgery
> > (XSRF) and cross-site script includes (XSSI). The basic idea is to have the
> > form generate a unique id that must be submitted along with the form. This
> > verifies that the form was not forged and generated outside of the
> > application.
> >
> > I would love your input as to whether this will work (I am not an expert on
> > all the versioning and pagemap stuff yet, but I think the form should always
> > be submitted to the same instance regardless of back button, etc.) and
> > whether this should be part of the base form component.
> >
> > Below is the version of the form that I have created. The verification of
> > the token happens in an overridden validate() method. I would have preferred
> > to override onFormSubmitted, but it is marked as final (at least in 1.2.5,
> > which is what I am using). In 2.0 there appears to be "fake submit" handling,
> > but it is not clear how this should work. If this is already being handled,
> > let me know...
> >
> > Thanks for your time.
> >
> >
> > import java.util.UUID;
> >
> > import org.slf4j.Logger;
> > import org.slf4j.LoggerFactory;
> >
> > import wicket.authorization.Action;
> > import wicket.authorization.UnauthorizedActionException;
> > import wicket.markup.ComponentTag;
> > import wicket.markup.MarkupStream;
> > import wicket.markup.html.form.Form;
> > import wicket.model.IModel;
> > import wicket.util.string.AppendingStringBuffer;
> >
> > public class SecureForm extends Form
> > {
> >     // static so the logger survives page serialization (a transient instance
> >     // field would be null after the page is deserialized)
> >     private static final Logger logger = LoggerFactory.getLogger(SecureForm.class);
> >
> >     // per-instance action token, created when the form is constructed
> >     private String actionToken;
> >
> >     public SecureForm(final String id)
> >     {
> >         this(id, null);
> >     }
> >
> >     public SecureForm(final String id, IModel model)
> >     {
> >         super(id, model);
> >
> >         // generate a unique action token stored with this form
> >         actionToken = UUID.randomUUID().toString();
> >     }
> >
> >     @Override
> >     protected void onComponentTagBody(final MarkupStream markupStream, final ComponentTag openTag)
> >     {
> >         // render the hidden field carrying the token
> >         AppendingStringBuffer buffer = new AppendingStringBuffer(
> >             "<div style=\"display:none\"><input type=\"hidden\" name=\"");
> >         buffer.append(getActionTokenHiddenFieldId())
> >             .append("\" id=\"")
> >             .append(getActionTokenHiddenFieldId())
> >             .append("\" value=\"")
> >             .append(actionToken)
> >             .append("\" /></div>");
> >         getResponse().write(buffer);
> >
> >         // do the rest of the processing
> >         super.onComponentTagBody(markupStream, openTag);
> >     }
> >
> >     @Override
> >     protected void validate()
> >     {
> >         // verify that the token was provided; a missing parameter yields null,
> >         // which equals() rejects without throwing
> >         String token = getRequest().getParameter(getActionTokenHiddenFieldId());
> >
> >         if (!actionToken.equals(token))
> >         {
> >             logger.warn("Attempted unauthorized form submission.");
> >             throw new UnauthorizedActionException(this, new Action("SECUREFORM.SUBMIT"));
> >         }
> >
> >         super.validate();
> >     }
> >
> >     private String getActionTokenHiddenFieldId()
> >     {
> >         return "_actiontoken";
> >     }
> > }
> >
>
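The action-token pattern discussed in this thread, as an added example that is not code from the thread or from Wicket: plain Java with no framework dependency, so it compiles and runs on its own. It assumes one FormTokenGuard per HTTP session (Mark's SecureForm instead keeps the token inside the form instance), draws the token from SecureRandom rather than UUID, compares with MessageDigest.isEqual so the check takes the same time whether or not the prefix matches, and consumes a token once it has verified so a replayed submission is rejected as well as a forged one. The class, method and form-id names are made up for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not Wicket's code): per-form action tokens kept in a
// per-session guard. Assumption: the application stores one instance of
// this class in each HTTP session.
public final class FormTokenGuard {

    // Hidden field name, the same one the SecureForm above uses.
    public static final String FIELD_NAME = "_actiontoken";

    private static final SecureRandom RANDOM = new SecureRandom();

    // formId -> outstanding token; removed once it has been used.
    private final Map<String, String> tokens = new HashMap<>();

    // Issue a fresh 256-bit random token for a form and remember it.
    public synchronized String issue(String formId) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(formId, token);
        return token;
    }

    // HTML fragment the form renders; the value is attribute-escaped.
    public static String hiddenField(String token) {
        return "<input type=\"hidden\" name=\"" + FIELD_NAME
                + "\" value=\"" + escape(token) + "\" />";
    }

    // Verify a submitted token. Succeeds at most once per issued token:
    // a successful check consumes it, so a replay of the same POST fails.
    public synchronized boolean verify(String formId, String submitted) {
        String expected = tokens.get(formId);
        if (expected == null || submitted == null) {
            return false;
        }
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            tokens.remove(formId);
        }
        return ok;
    }

    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
    }

    public static void main(String[] args) {
        FormTokenGuard guard = new FormTokenGuard();   // one per session
        String token = guard.issue("filter-form");
        System.out.println(hiddenField(token));

        // Genuine submission: the browser posts back the token that was rendered.
        System.out.println("genuine submit accepted: " + guard.verify("filter-form", token));
        // Same token posted a second time: it was consumed, so it is rejected.
        System.out.println("replayed submit accepted: " + guard.verify("filter-form", token));

        // Cross-site submission: the other origin never saw the rendered token.
        guard.issue("filter-form");
        System.out.println("forged submit accepted: " + guard.verify("filter-form", "not-the-token"));
        System.out.println("missing token accepted: " + guard.verify("filter-form", null));
    }
}
```

Because the token lives in server-side session state and is only ever sent to the browser in the rendered page, a request built by another site cannot include it; the session-relative URL Eelco mentions still identifies the page, but the hidden field is what proves the submission came from a form this application rendered for this session.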