And if it is really a great concern, people can implement their own
strategy that e.g. works on UUIDs or such. That'd be impossible to
guess.
Eelco
On 5/8/07, Johan Compagner <[EMAIL PROTECTED]> wrote:
WebUrlCompressing is random, but it is only "stable" if you walk to that page
with that form exactly the same way in all your new sessions.
But because it is session relative, that user first has to go to that page
(because it has to exist), then go to another site that then guesses the exact
same thing with the compressing url?
That sounds very unlikely, if possible.
johan
On 5/7/07, Mark Sandori <[EMAIL PROTECTED]> wrote:
>
> I am using WebURLCompressingCodingStrategy so the URLs are more compact, but
> it still seems like someone could potentially fake a request because there
> is only part of the URL that is session specific and not entirely random.
>
> I will take a look at the CryptedUrlWebRequestCodingStrategy to see if that
> takes care of it.
>
> Thanks guys!!
>
> On 5/7/07, Eelco Hillenius <[EMAIL PROTECTED]> wrote:
> >
> > I might be overlooking something, but I doubt whether you need it, as
> > submissions to pages already are safe. It's very unlikely others can
> > guess session relative URLs (like <form
> > action="wf_component?wicket:interface=wf_component:3:content:tabs:tabs:panel:filter-form:1:IFormSubmitListener:").
> > But if you want more security you can implement your own request
> > coding strategy, or e.g. use something like
> > CryptedUrlWebRequestCodingStrategy. That sounds like a better idea to
> > me than implementing special purpose functionality in forms.
> >
> > Eelco
> >
> >
> > On 5/7/07, Bruno Borges <[EMAIL PROTECTED]> wrote:
> > > Isn't this already implemented in Wicket's Core?
> > >
> > > --
> > > Bruno Borges
> > > Summa Technologies Inc.
> > > www.summa-tech.com
> > > (48) 8404-1300
> > > (11) 3055-2060
> > >
> > > On 5/7/07, Mark Sandori <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I am looking at making a version of the Form component that supports the
> > > > "action token" pattern for securing forms against cross-site request forgery
> > > > (XSRF) and cross-site script includes (XSSI). The basic idea is to have the
> > > > form generate a unique id that must be submitted along with the form. This
> > > > verifies that the form was not forged and generated outside of the
> > > > application.
> > > >
> > > > I would love your input as to whether this will work (I am not an expert on
> > > > all the versioning and pagemap stuff yet, but I think the form should always
> > > > be submitted to the same instance regardless of back button, etc.) and
> > > > whether this should be part of the base form component.
> > > >
> > > > Below is the version of the form that I have created. The verification of
> > > > the token happens in an overridden validate() method. I would have preferred
> > > > to override onFormSubmitted, but it is marked as final (at least in 1.2.5,
> > > > which is what I am using). In 2.0 there appears to be "fake submit" handling,
> > > > but it is not clear how this should work. If this is already being handled,
> > > > let me know...
> > > >
> > > > Thanks for your time.
> > > >
> > > >
> > > > // imports for Wicket 1.2.x (pre-Apache "wicket.*" package names)
> > > > import java.util.UUID;
> > > >
> > > > import org.slf4j.Logger;
> > > > import org.slf4j.LoggerFactory;
> > > >
> > > > import wicket.authorization.Action;
> > > > import wicket.authorization.UnauthorizedActionException;
> > > > import wicket.markup.ComponentTag;
> > > > import wicket.markup.MarkupStream;
> > > > import wicket.markup.html.form.Form;
> > > > import wicket.model.IModel;
> > > > import wicket.util.string.AppendingStringBuffer;
> > > >
> > > > /**
> > > >  * Form that renders a per-instance action token as a hidden field and
> > > >  * rejects submissions that do not carry it back (synchronizer token pattern).
> > > >  */
> > > > public class SecureForm extends Form
> > > > {
> > > >     // static so the logger survives page serialization; a transient instance
> > > >     // field would be null after deserialization and NPE on the first warn()
> > > >     private static final Logger logger = LoggerFactory.getLogger(SecureForm.class);
> > > >
> > > >     private final String actionToken;
> > > >
> > > >     public SecureForm(final String id)
> > > >     {
> > > >         this(id, null);
> > > >     }
> > > >
> > > >     public SecureForm(final String id, IModel model)
> > > >     {
> > > >         super(id, model);
> > > >
> > > >         // generate a unique action token stored with this form instance
> > > >         actionToken = UUID.randomUUID().toString();
> > > >     }
> > > >
> > > >     @Override
> > > >     protected void onComponentTagBody(final MarkupStream markupStream,
> > > >             final ComponentTag openTag)
> > > >     {
> > > >         // render the hidden field carrying the token
> > > >         AppendingStringBuffer buffer = new AppendingStringBuffer(
> > > >                 "<div style=\"display:none\"><input type=\"hidden\" name=\"");
> > > >         buffer.append(getActionTokenHiddenFieldId())
> > > >               .append("\" id=\"")
> > > >               .append(getActionTokenHiddenFieldId())
> > > >               .append("\" value=\"")
> > > >               .append(actionToken)
> > > >               .append("\" /></div>");
> > > >         getResponse().write(buffer);
> > > >
> > > >         // do the rest of the processing
> > > >         super.onComponentTagBody(markupStream, openTag);
> > > >     }
> > > >
> > > >     @Override
> > > >     protected void validate()
> > > >     {
> > > >         // verify that the token was provided and matches this instance;
> > > >         // a missing parameter yields null, which equals() safely rejects
> > > >         String token = getRequest().getParameter(getActionTokenHiddenFieldId());
> > > >
> > > >         if (!actionToken.equals(token))
> > > >         {
> > > >             logger.warn("Attempted unauthorized form submission.");
> > > >             throw new UnauthorizedActionException(this, new Action("SECUREFORM.SUBMIT"));
> > > >         }
> > > >
> > > >         super.validate();
> > > >     }
> > > >
> > > >     private String getActionTokenHiddenFieldId()
> > > >     {
> > > >         return "_actiontoken";
> > > >     }
> > > > }
> > > >
> > >
> >
>