From: Maxim Solodovnik
Date: Mon, 15 May 2017 12:54:28 +0700
Subject: Re: WebSockets and
 CsrfPreventionRequestCycleListener
To: users@wicket.apache.org

Hello Martin,

were you able to take a look at it?
I was hoping to have M6 with working Csrf+WebSockets ....

On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik wrote:
> Thanks a million, Martin :)
>
> On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov wrote:
>> Hi Maxim,
>>
>> I don't use this combination.
>> But I will try to test it soon and see what can be done.
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik wrote:
>>
>>> Does anybody use this filter?
>>>
>>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik wrote:
>>> > Hello All,
>>> >
>>> > just have tried to add CsrfPreventionRequestCycleListener to our application
>>> > everything seems to work except for Websockets :(
>>> >
>>> > Now I'm getting
>>> >
>>> > [INFO] [http-nio-0.0.0.0-5080-exec-9]
>>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
>>> > Possible CSRF attack, request URL:
>>> > /openmeetings/wicket/websocket?pageId=1&wicket-ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
>>> > Origin: null, action: aborted with error 400 Origin does not
>>> > correspond to request
>>> > [WARN] [http-nio-0.0.0.0-5080-exec-9]
>>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error
>>> > response in WebSocket communication would not be processed by the
>>> > browser! If you need to send the error code and message to the client
>>> > then configure custom WebSocketResponse via
>>> > WebSocketSettings#newWebSocketResponse() factory method and override
>>> > #sendError() method to write them in an appropriate format for your
>>> > application. The ignored error code is '400' and the message: 'Origin
>>> > does not correspond to request'.
>>> >
>>> > in the logs ...
>>> > What should I do to set Origin for Websockets?
>>> >
>>> > --
>>> > WBR
>>> > Maxim aka solomax
>>>
>>> --
>>> WBR
>>> Maxim aka solomax
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
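
Added example, not part of the thread and not Wicket's code: a standalone model of an Origin check applied to a WebSocket upgrade request, showing how a request whose Origin is unavailable ends in a 400 under an abort policy, and why the literal value "null" is never treated as a match. The class, the NoOriginPolicy enum, the host name and the sample headers are constructed for illustration.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

public class OriginCheckModel {
    enum NoOriginPolicy { ALLOW, ABORT }   // hypothetical policy switch

    /** Reduce a URL to scheme://host:port (default ports filled in); null if unusable. */
    static String normalize(String url) {
        try {
            URI u = URI.create(url);
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase();
            int port = u.getPort() != -1 ? u.getPort() : ("https".equals(scheme) ? 443 : 80);
            return scheme + "://" + u.getHost().toLowerCase() + ":" + port;
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /** Returns the status the handshake would get: 101 (upgrade) or 400 (rejected). */
    static int check(Map<String, String> headers, String requestUrl, NoOriginPolicy policy) {
        String origin = headers.get("Origin");
        if (origin == null || origin.isEmpty()) {
            // Header absent: the outcome depends entirely on the configured policy.
            return policy == NoOriginPolicy.ALLOW ? 101 : 400;
        }
        // The literal "null" (opaque origin) has no scheme or host, so it never matches.
        String source = normalize(origin);
        return source != null && source.equals(normalize(requestUrl)) ? 101 : 400;
    }

    public static void main(String[] args) {
        // Constructed handshake; the servlet container sees the upgrade as an http(s) request.
        String url = "http://meet.example:5080/openmeetings/wicket/websocket?pageId=1";
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Upgrade", "websocket");
        System.out.println("no Origin, ABORT: " + check(h, url, NoOriginPolicy.ABORT));
        System.out.println("no Origin, ALLOW: " + check(h, url, NoOriginPolicy.ALLOW));
        h.put("Origin", "http://meet.example:5080");
        System.out.println("same origin:      " + check(h, url, NoOriginPolicy.ABORT));
        h.put("Origin", "http://other.example");
        System.out.println("foreign origin:   " + check(h, url, NoOriginPolicy.ABORT));
        h.put("Origin", "null");
        System.out.println("opaque origin:    " + check(h, url, NoOriginPolicy.ALLOW));
    }
}
```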