This is an automated email from the ASF dual-hosted git repository.

adelbene pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/wicket.git


The following commit(s) were added to refs/heads/master by this push:
     new dcd5342  Improved CSRF documentation
dcd5342 is described below

commit dcd5342b934f768296b45317942da629b3233694
Author: Andrea Del Bene <adelb...@apache.org>
AuthorDate: Mon Nov 2 21:51:48 2020 +0100

    Improved CSRF documentation
---
 .../src/main/asciidoc/security/security_5.adoc     | 34 ++++++++++++++++++----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc 
b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
index 25a64c2..9518d5e 100644
--- a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
+++ b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc
@@ -2,9 +2,9 @@
 
 _CryptoMapper_ helps preventing CSRF attacks by making the urls impossible to 
be guessed by an attacker but still there is some theoretical chance this to 
happen.
 
-To further help against this kind of vulnerability Wicket provides 
_ResourceIsolationRequestCycleListener_ - a _IRequestCycleListener_ that uses 
__IResourceIsolationPolicy__ objects to decide whether to allow or reject 
cross-origin requests. By default only actions are checked, i.e. a cross-origin 
request cannot execute _Link.onClick()_ or submit forms (_Form.onSubmit()_). 
Any request to render pages are still allowed so Wicket pages could be easily 
embedded in other applications.
+To further help against this kind of vulnerability Wicket provides 
_ResourceIsolationRequestCycleListener_ - a _IRequestCycleListener_ that uses 
__IResourceIsolationPolicy__ objects to decide whether to allow or reject 
cross-origin requests. 
+Just like any RequestCycle listener _ResourceIsolationRequestCycleListener_ 
must be registered on application initialization:
 
-MyApplication.java
 [source,java]
 ----
   @Override
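Review bot: dropping the `MyApplication.java` caption (`-MyApplication.java`) removes the only hint of which class the `init()` override belongs to; keep it as the listing title (AsciiDoc `.MyApplication.java` above `[source,java]`) or name the application class in the new sentence `Just like any RequestCycle listener ... must be registered on application initialization:`. Two wording points in the rewritten lines: `a _IRequestCycleListener_` should read `an _IRequestCycleListener_`, and `RequestCycle listener` could use the interface name `IRequestCycleListener` for consistency with the rest of the page. The added line ending `cross-origin requests. ` also carries a trailing space.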
@@ -15,20 +15,44 @@ MyApplication.java
  }
 ----
 
-_ResourceIsolationRequestCycleListener_ is highly configurable. It allows to 
add exempted paths that will not be checked with the __addExemptedPath__ 
method. It can be configured with multiple _ResourceIsolationPolicy_ objects to 
be checked in order.
+By default _ResourceIsolationRequestCycleListener_ checks only event handlers 
requests, i.e. a cross-origin requests cannot execute _Link.onClick()_ or 
submit forms (_Form.onSubmit()_). Any request to render pages are still allowed 
so Wicket pages could be easily embedded in other applications. To extend CSRF 
protection to pages we can simply override _isChecked(IRequestHandler handler)_ 
method to make it return always _true_:
+
+[source,java]
+----
+  @Override
+ protected void init() {
+  super.init();
+  getRequestCycleListeners().add(new ResourceIsolationRequestCycleListener() {
+           @Override
+           protected boolean isChecked(IRequestHandler handler) {
+               //check everything
+               return true;
+           }
+       });
+  // ...
+ }
+----
+
+
+_ResourceIsolationRequestCycleListener_ is highly configurable. It allows to 
add exempted paths that will not be checked with the __addExemptedPath__ 
method. It can also be configured with multiple _ResourceIsolationPolicy_ 
objects to be checked in order.
 
 An __IResourceIsolationPolicy__ returns a __ResourceIsolationOutcome__ after 
processing a request, which can be one of 3 values (__ALLOWED__, 
__DISALLOWED__, __UNKNOWN__). The __ResourceIsolationRequestCycleListener__ 
checks the __IResourceIsolationPolicy__ objects in order and uses the first 
outcome that is not __UNKNOWN__ to trigger the appropriate action. If all 
return __UNKNOWN__ __unknownOutcomeAction__ is applied. The actions can be 
configured through the listener.
 
 The default constructor uses the __FetchMetadataResourceIsolationPolicy__, 
which checks Fetch Metadata headers, and the 
__OriginBasedResourceIsolationPolicy__ which uses the Origin and Referer 
headers to forbid requests made from a different origin, in order. The 
__OriginBasedResourceIsolationPolicy__ contains the refactored logic of the now 
deprecated __CsrfPreventionRequestCycleListener__.
 The listener can be configured to include custom __IResourceIsolationPolicy__ 
objects.
 
-MyApplication.java
+For example:
 [source,java]
 ----
   @Override
  protected void init() {
   super.init();
-  getRequestCycleListeners().add(new ResourseIsolationRequestCycleListener(new 
FetchMetadataResourceIsolationPolicy()));
+  getRequestCycleListeners().add(
+       new ResourseIsolationRequestCycleListener(
+               new FetchMetadataResourceIsolationPolicy(),
+               new OriginBasedResourceIsolationPolicy(),
+               new MyCustomResourceIsolationPolicy()
+       ));
   // ...
  }
 ----
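Review bot: the reworked constructor example keeps the misspelled class name in `new ResourseIsolationRequestCycleListener(` while the prose and the first snippet use `ResourceIsolationRequestCycleListener`; a reader pasting this example gets a compile error, so fix the spelling in the `+` line rather than carrying it over from the removed one. In the new `isChecked` override, `return true;` under `//check everything` makes the listener check every request handler, including resource requests, whereas the text promises only to "extend CSRF protection to pages"; either state that broader scope in the prose or show an override that returns `true` only for page-render handlers. Minor grammar in the moved paragraph: `checks only event handlers requests` should be `checks only event handler requests`, `a cross-origin requests cannot` should be `a cross-origin request cannot`, and `Any request to render pages are still allowed` should be `Any request to render a page is still allowed`.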
