wicket-users mailing list archives

From Andreas Kappler <andreas.kapp...@jato-consulting.de>
Subject Re: CSRF protection and mounting pages
Date Wed, 18 Sep 2013 12:03:13 GMT
Hi Martin,

thanks for your answer. I tried that and I am not sure if I did 
something wrong, but still the URLs generated for posting forms are not 

For example I have a page that contains a form to change the user's 
password and I want the page to be available as /changePassword. Now if 
the user submits the form, the form's action points to 
/changePassword?xyz, which makes it open to CSRF.

Best Regards,

On 18.09.2013 13:09, Martin Grigorov wrote:
> Hi,
> You can extend CryptoMapper and setup it as root mapper.
> In your custom CryptoMapper you can override "Url mapHandler(final
> IRequestHandler requestHandler)". If the passed requestHandler is
> IPageClassRequestHandler then you can call #getPageClass() on it and decide
> whether to encrypt the Url or not. For all other IRequestHandlers - always
> encrypt.
> On Wed, Sep 18, 2013 at 11:43 AM, Andreas Kappler <
> andreas.kappler@jato-consulting.de> wrote:
>> Hi!
>> I am currently looking into making our Wicket applications CSRF safe. From
>> my understanding the CryptoMapper is the way to go, and I was able to set
>> it up working successfully.
>> There are however several mounted pages in the applications (with
>> WebApplication.mountPage), where the URLs should not be encrypted. This
>> also works fine, the CryptoMapper does not encrypt the URLs to these pages,
>> but that also removes the CSRF protection. E.g. if one of these mounted
>> pages contains a form, the URL to post back the form data is unencrypted
>> and vulnerable to CSRF.
>> My idea was to not mount pages directly, but instead mount a Page that
>> redirects to the actual page. That way the page is still reachable with a
>> static URL, but all consequent requests are properly encrypted.
>> So instead of:
>>    webApplication.mountPage("login", LoginPage.class);
>> Something like this:
>>    public class LoginPageRedirect extends WebPage {
>>        protected void onInitialize() {
>>            throw new RestartResponseException(LoginPage.class);
>>        }
>>    }
>>    webApplication.mountPage("login", LoginPageRedirect.class);
>> I did however not find anything in the wicket API that supports this
>> concept and now I am wondering if there is a better way to do this, e.g.
>> with a server side redirect.
>> I would be grateful for any ideas!
>> Best Regards,
>> Andreas

To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
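As an added illustration (not code from the thread or from Wicket itself) of the approach Martin describes, the mapper below keeps the plain mounted URL only for bookmarkable requests to a whitelisted set of pages and encrypts every other handler, including the form postback on those pages that Andreas observed going out unencrypted. It narrows the check from IPageClassRequestHandler to BookmarkablePageRequestHandler because listener handlers (form submits, link clicks) also implement IPageClassRequestHandler, so a page-class check alone would leave the form action readable. The class name SelectiveCryptoMapper, the publicPages set and the Wicket 6 package layout of the imports are assumptions.

```java
import java.util.Set;

import org.apache.wicket.Application;
import org.apache.wicket.core.request.handler.BookmarkablePageRequestHandler;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.component.IRequestablePage;

/**
 * Hypothetical CryptoMapper subclass: a mounted page stays reachable under its
 * static URL, but its form actions and link URLs are still encrypted.
 * Install it in Application#init() as the root mapper, e.g.
 *   setRootRequestMapper(new SelectiveCryptoMapper(getRootRequestMapper(), this, publicPages));
 */
public class SelectiveCryptoMapper extends CryptoMapper {

    private final IRequestMapper wrappedMapper;
    private final Set<Class<? extends IRequestablePage>> publicPages;

    public SelectiveCryptoMapper(IRequestMapper wrappedMapper, Application application,
            Set<Class<? extends IRequestablePage>> publicPages) {
        super(wrappedMapper, application);
        this.wrappedMapper = wrappedMapper; // CryptoMapper keeps its own copy private
        this.publicPages = publicPages;
    }

    @Override
    public Url mapHandler(IRequestHandler requestHandler) {
        // Only a bookmarkable page request (what a BookmarkablePageLink or a
        // browser typing /changePassword produces) may keep a readable URL,
        // and only for pages explicitly marked as public.
        if (requestHandler instanceof BookmarkablePageRequestHandler) {
            Class<? extends IRequestablePage> pageClass =
                ((BookmarkablePageRequestHandler) requestHandler).getPageClass();
            if (publicPages.contains(pageClass)) {
                return wrappedMapper.mapHandler(requestHandler);
            }
        }
        // Everything else (ListenerInterfaceRequestHandler for form submits and
        // links, resource handlers, ...) goes through the parent's encryption,
        // so the postback of a form on a mounted page is no longer a guessable
        // URL that a cross-site request could target.
        return super.mapHandler(requestHandler);
    }
}
```

A quick check after wiring it up: the form on the mounted page should render with an action that differs from the page's mount path and changes between sessions, while a BookmarkablePageLink to that page still renders the plain path.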
