wicket-users mailing list archives

From Martin Grigorov <mgrigo...@apache.org>
Subject Re: CSRF protection and mounting pages
Date Wed, 18 Sep 2013 12:08:42 GMT
Check https://issues.apache.org/jira/browse/WICKET-5326
It talks about similar things.


On Wed, Sep 18, 2013 at 3:03 PM, Andreas Kappler <andreas.kappler@jato-consulting.de> wrote:

> Hi Martin,
>
> thanks for your answer. I tried that and I am not sure if I did something
> wrong, but still the URLs generated for posting forms are not encrypted.
>
> For example I have a page that contains a form to change the user's
> password and I want the page to be available as /changePassword. Now if the
> user submits the form, the form's action points to /changePassword?xyz,
> which makes it open to CSRF.
>
> Best Regards,
> Andreas
>
> Am 18.09.2013 13:09, schrieb Martin Grigorov:
>
>> Hi,
>>
>> You can extend CryptoMapper and set it up as root mapper.
>> In your custom CryptoMapper you can override "Url mapHandler(final
>> IRequestHandler requestHandler)". If the passed requestHandler is
>> IPageClassRequestHandler then you can call #getPageClass() on it and decide
>> whether to encrypt the Url or not. For all other IRequestHandlers - always
>> encrypt.
>>
>>
>> On Wed, Sep 18, 2013 at 11:43 AM, Andreas Kappler <andreas.kappler@jato-consulting.de> wrote:
>>
>>> Hi!
>>>
>>> I am currently looking into making our Wicket applications CSRF-safe. From
>>> my understanding the CryptoMapper is the way to go, and I was able to set
>>> it up working successfully.
>>>
>>> There are however several mounted pages in the applications (with
>>> WebApplication.mountPage), where the URLs should not be encrypted. This
>>> also works fine: the CryptoMapper does not encrypt the URLs to these pages,
>>> but that also removes the CSRF protection. E.g. if one of these mounted
>>> pages contains a form, the URL to post back the form data is unencrypted
>>> and vulnerable to CSRF.
>>>
>>> My idea was to not mount pages directly, but instead mount a Page that
>>> redirects to the actual page. That way the page is still reachable with a
>>> static URL, but all consequent requests are properly encrypted.
>>>
>>> So instead of:
>>>
>>>    webApplication.mountPage("login", LoginPage.class);
>>>
>>>
>>> Something like this:
>>>
>>>    public class LoginPageRedirect extends WebPage {
>>>        @Override
>>>        protected void onInitialize() {
>>>            super.onInitialize();
>>>            // Mounted at a static URL, but immediately hands off to the real
>>>            // page, so every later request goes through the CryptoMapper.
>>>            throw new RestartResponseException(LoginPage.class);
>>>        }
>>>    }
>>>    webApplication.mountPage("login", LoginPageRedirect.class);
>>>
>>>
>>> I did however not find anything in the wicket API that supports this
>>> concept and now I am wondering if there is a better way to do this, e.g.
>>> with a server side redirect.
>>>
>>> I would be grateful for any ideas!
>>>
>>> Best Regards,
>>> Andreas
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>>> For additional commands, e-mail: users-help@wicket.apache.org
>>>
>>>
>>>
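A concrete form of the approach Martin describes above, added here as an illustration and not code from this thread or from Wicket itself. It decides by handler type rather than by page class alone: the plain GET URL of an allow-listed mounted page stays readable, while the listener URL a form posts to comes from a different handler type and is still encrypted, which is exactly the case Andreas reports. Assumes Wicket 6 package names; SelectiveCryptoMapper, its install() helper and the page classes passed to it are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.wicket.Application;
import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Url;

/**
 * Hypothetical CryptoMapper subclass: the bookmarkable (GET) render URL of an
 * allow-listed mounted page stays plain, every other URL is encrypted. A form
 * submit is a listener request handler, not a RenderPageRequestHandler, so the
 * action URL of a form on /changePassword is still encrypted.
 */
public class SelectiveCryptoMapper extends CryptoMapper {
    private final IRequestMapper wrapped;      // the mapper this one decorates
    private final Set<Class<?>> plainPages;    // pages whose render URL stays plain

    public SelectiveCryptoMapper(IRequestMapper wrapped, Application app,
                                 Class<?>... plainPages) {
        super(wrapped, app);
        this.wrapped = wrapped;
        this.plainPages = new HashSet<Class<?>>(Arrays.asList(plainPages));
    }

    @Override
    public Url mapHandler(IRequestHandler handler) {
        if (handler instanceof RenderPageRequestHandler) {
            Class<?> pageClass = ((RenderPageRequestHandler) handler).getPageClass();
            if (plainPages.contains(pageClass)) {
                // Plain render of an allow-listed page, e.g. /changePassword:
                // ask the wrapped mapper directly and skip the encryption.
                return wrapped.mapHandler(handler);
            }
        }
        // Everything else (form posts, link clicks, resources, other pages)
        // goes through CryptoMapper's normal encryption.
        return super.mapHandler(handler);
    }

    /** Call from WebApplication#init() after the mountPage() calls. */
    public static void install(WebApplication app, Class<?>... plainPages) {
        app.setRootRequestMapper(
            new SelectiveCryptoMapper(app.getRootRequestMapper(), app, plainPages));
    }
}
```

Incoming requests are not touched by the override, so a plain /changePassword URL is resolved exactly as with the stock CryptoMapper; only URL generation changes.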
