WebUrlCompressing is random, but it is only "stable" if you walk to that page
with that form in exactly the same way in all your new sessions.
But because it is session relative, that user first has to go to that page
(because it has to exist), then to another site that then guesses the exact
same thing with the compressing URL?
That sounds very unlikely, if possible.

johan
On 5/7/07, Mark Sandori <[EMAIL PROTECTED]> wrote:
I am using WebURLCompressingCodingStrategy so the URLs are more compact, but
it still seems like someone could potentially fake a request because there
is only part of the URL that is session specific and not entirely random.
I will take a look at the CryptedUrlWebRequestCodingStrategy to see if that
takes care of it.
Thanks guys!!
>
On 5/7/07, Eelco Hillenius <[EMAIL PROTECTED]> wrote:
>
> I might be overlooking something, but I doubt whether you need it, as
> submissions to pages already are safe. It's very unlikely others can
> guess session relative URLs (like <form
> action="wf_component?wicket:interface=wf_component:3:content:tabs:tabs:panel:filter-form:1:IFormSubmitListener:").
> But if you want more security you can implement your own request
> coding strategy, or e.g. use something like
> CryptedUrlWebRequestCodingStrategy. That sounds like a better idea to
> me than implementing special purpose functionality in forms.
>
> Eelco
>
>
> On 5/7/07, Bruno Borges <[EMAIL PROTECTED]> wrote:
> > Isn't this already implemented in Wicket's Core?
> >
> > --
> > Bruno Borges
> > Summa Technologies Inc.
> > www.summa-tech.com
> > (48) 8404-1300
> > (11) 3055-2060
> >
> > On 5/7/07, Mark Sandori <[EMAIL PROTECTED]> wrote:
> > >
> > > I am looking at making a version of the Form component that supports the
> > > "action token" pattern for securing forms against cross-site request forgery
> > > (XSRF) and cross-site script includes (XSSI). The basic idea is to have the
> > > form generate a unique id that must be submitted along with the form. This
> > > verifies that the form was not forged and generated outside of the
> > > application.
> > >
> > > I would love your input as to whether this will work (I am not an expert on
> > > all the versioning and pagemap stuff yet, but I think the form should always
> > > be submitted to the same instance regardless of back button, etc.) and
> > > whether this should be part of the base form component.
> > >
> > > Below is the version of the form that I have created. The verification of
> > > the token happens in an overridden validate() method. I would have preferred
> > > to override onFormSubmitted, but it is marked as final (at least in 1.2.5,
> > > which is what I am using). In 2.0 there appears to be "fake submit" handling,
> > > but it is not clear how this should work. If this is already being handled,
> > > let me know...
> > >
> > > Thanks for your time.
> > >
> > >
> > > import java.util.UUID;
> > >
> > > import org.slf4j.Logger;
> > > import org.slf4j.LoggerFactory;
> > >
> > > import wicket.authorization.Action;
> > > import wicket.authorization.UnauthorizedActionException;
> > > import wicket.markup.ComponentTag;
> > > import wicket.markup.MarkupStream;
> > > import wicket.markup.html.form.Form;
> > > import wicket.model.IModel;
> > > import wicket.util.string.AppendingStringBuffer;
> > >
> > > public class SecureForm extends Form
> > > {
> > >     // static rather than a transient instance field: components are
> > >     // serialized with the page, and a transient field would come back
> > >     // as null after deserialization and NPE in validate()
> > >     private static final Logger logger = LoggerFactory.getLogger(SecureForm.class);
> > >
> > >     // per-instance random token, rendered as a hidden field and checked on submit
> > >     private String actionToken;
> > >
> > >     public SecureForm(final String id)
> > >     {
> > >         this(id, null);
> > >     }
> > >
> > >     public SecureForm(final String id, IModel model)
> > >     {
> > >         super(id, model);
> > >
> > >         // generate a unique action token stored with this form
> > >         actionToken = UUID.randomUUID().toString();
> > >     }
> > >
> > >     @Override
> > >     protected void onComponentTagBody(final MarkupStream markupStream,
> > >             final ComponentTag openTag)
> > >     {
> > >         // render the hidden field carrying the token
> > >         AppendingStringBuffer buffer = new AppendingStringBuffer(
> > >                 "<div style=\"display:none\"><input type=\"hidden\" name=\"");
> > >         buffer.append(getActionTokenHiddenFieldId())
> > >                 .append("\" id=\"")
> > >                 .append(getActionTokenHiddenFieldId())
> > >                 .append("\" value=\"")
> > >                 .append(actionToken)
> > >                 .append("\" /></div>");
> > >         getResponse().write(buffer);
> > >
> > >         // do the rest of the processing
> > >         super.onComponentTagBody(markupStream, openTag);
> > >     }
> > >
> > >     @Override
> > >     protected void validate()
> > >     {
> > >         // verify that the token was provided and matches this form instance
> > >         String token = getRequest().getParameter(getActionTokenHiddenFieldId());
> > >
> > >         if (!actionToken.equals(token))
> > >         {
> > >             logger.warn("Attempted unauthorized form submission.");
> > >             throw new UnauthorizedActionException(this,
> > >                     new Action("SECUREFORM.SUBMIT"));
> > >         }
> > >
> > >         super.validate();
> > >     }
> > >
> > >     private String getActionTokenHiddenFieldId()
> > >     {
> > >         return "_actiontoken";
> > >     }
> > > }
> > >
> >
>
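As an added illustration of the action-token check discussed in this thread (not code from the thread or from Wicket): a framework-free Java sketch of the same pattern, with two changes a defender would want, a constant-time comparison instead of String.equals and explicit handling of a missing parameter. The class and method names, and the sample submissions, are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-alone sketch of the per-form "action token" pattern.
public class ActionTokenCheck {
    static final String FIELD = "_actiontoken";
    private static final SecureRandom RNG = new SecureRandom();

    // Token generated when the form is rendered; kept server-side with the form instance.
    static String newToken() {
        byte[] raw = new byte[16];             // 128 bits of randomness
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Hidden field as the form would render it; URL-safe Base64 needs no HTML escaping.
    static String hiddenField(String token) {
        return "<input type=\"hidden\" name=\"" + FIELD + "\" value=\"" + token + "\" />";
    }

    // Verification on submit: a missing or mismatching token is rejected.
    // MessageDigest.isEqual compares in constant time, unlike String.equals.
    static boolean verify(String expected, Map<String, String> params) {
        String submitted = params.get(FIELD);
        if (submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String token = newToken();
        System.out.println(hiddenField(token));

        // Constructed submissions: genuine, cross-site (no token), and a wrong token.
        Map<String, String> genuine = new HashMap<>();
        genuine.put(FIELD, token);
        Map<String, String> crossSite = new HashMap<>();
        crossSite.put("name", "someone");
        Map<String, String> wrongToken = new HashMap<>();
        wrongToken.put(FIELD, newToken());

        System.out.println("genuine accepted:     " + verify(token, genuine));
        System.out.println("missing token rejected: " + !verify(token, crossSite));
        System.out.println("wrong token rejected:   " + !verify(token, wrongToken));
    }
}
```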