From: Martin Grigorov
Date: Sat, 30 Jan 2016 09:25:07 +0100
Subject: Re: CSRF Protection and Ajax : Error 403 - Token missing
To: "users@wicket.apache.org"

I see.
With Wicket 6+ this would be very simple but I don't have a simple solution for 1.4.x.
The simplest way I see is to monkey-patch the "doGet" method -
https://github.com/apache/wicket/blob/4c437fef16e9c8705cd79246eae67993077490f4/wicket/src/main/java/org/apache/wicket/ajax/wicket-ajax.js#L891-L914
I guess you will need to add

    t.setRequestHeader("csrf", Wicket.get('hiddenField').value);

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Sat, Jan 30, 2016 at 8:53 AM, alybubu wrote:

> The login page is just here to connect the user to the wicket application.
> The connection and the navigation between all wicket pages works fine
> (Csrf token is passed correctly).
> The only problem is that every ajax call with wicket are in failure because
> Csrf token is missing in request.
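
One way to apply the suggestion above without copying the body of doGet, as an added example that is not part of the original message or of Wicket: wrap the method so the token header is set right after the transport is opened. It assumes the request object exposes its XMLHttpRequest as "this.transport", that Wicket.Ajax.Request.prototype is the object to patch, and that Ajax URLs are relative; installCsrfHeader, armTransport and the options are hypothetical names.

```javascript
// Added example, not Wicket code. Assumptions: the request object keeps its
// XMLHttpRequest in `this.transport`; header name "csrf" is taken from the reply.
var ABSOLUTE_URL = /^(?:[a-z][a-z0-9+.\-]*:)?\/\//i;

// Wrap transport.open() once so the token header is set after every open().
// Transports may be reused across calls, so the token is read at open time.
function armTransport(t, getToken, header) {
  if (!t || t.__csrfArmed) return;
  var open = t.open;
  t.open = function (method, url) {
    var result = open.apply(t, arguments);
    var token = getToken();
    // Never attach the token to absolute or protocol-relative URLs.
    if (token && !ABSOLUTE_URL.test(String(url))) {
      t.setRequestHeader(header, token);
    }
    return result;
  };
  t.__csrfArmed = true;
}

// Patch the named methods of a request prototype; returns the names patched.
function installCsrfHeader(requestProto, getToken, opts) {
  opts = opts || {};
  var header = opts.header || "csrf";
  var patched = [];
  (opts.methods || ["doGet"]).forEach(function (name) {
    var original = requestProto[name];
    if (typeof original !== "function" || original.__csrfPatched) return;
    var wrapper = function () {
      armTransport(this.transport, getToken, header);
      return original.apply(this, arguments);
    };
    wrapper.__csrfPatched = true;
    requestProto[name] = wrapper;
    patched.push(name);
  });
  return patched;
}

// Browser usage (hypothetical element id "hiddenField", as in the reply):
// installCsrfHeader(Wicket.Ajax.Request.prototype, function () {
//   var el = document.getElementById("hiddenField");
//   return el ? el.value : null;
// });
```

Run the install once after wicket-ajax.js has loaded; names passed in "methods" that do not exist on the prototype are skipped and left out of the returned list.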