This is an automated email from the ASF dual-hosted git repository. adelbene pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/master by this push: new dcd5342 Improved CSRF documentation dcd5342 is described below commit dcd5342b934f768296b45317942da629b3233694 Author: Andrea Del Bene <adelb...@apache.org> AuthorDate: Mon Nov 2 21:51:48 2020 +0100 Improved CSRF documentation --- .../src/main/asciidoc/security/security_5.adoc | 34 ++++++++++++++++++---- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc index 25a64c2..9518d5e 100644 --- a/wicket-user-guide/src/main/asciidoc/security/security_5.adoc +++ b/wicket-user-guide/src/main/asciidoc/security/security_5.adoc @@ -2,9 +2,9 @@ _CryptoMapper_ helps preventing CSRF attacks by making the urls impossible to be guessed by an attacker but still there is some theoretical chance this to happen. -To further help against this kind of vulnerability Wicket provides _ResourceIsolationRequestCycleListener_ - a _IRequestCycleListener_ that uses __IResourceIsolationPolicy__ objects to decide whether to allow or reject cross-origin requests. By default only actions are checked, i.e. a cross-origin request cannot execute _Link.onClick()_ or submit forms (_Form.onSubmit()_). Any request to render pages are still allowed so Wicket pages could be easily embedded in other applications. +To further help against this kind of vulnerability Wicket provides _ResourceIsolationRequestCycleListener_ - a _IRequestCycleListener_ that uses __IResourceIsolationPolicy__ objects to decide whether to allow or reject cross-origin requests. +Just like any RequestCycle listener _ResourceIsolationRequestCycleListener_ must be registered on application initialization: -MyApplication.java [source,java] ---- @Override 
@@ -15,20 +15,44 @@ MyApplication.java } ---- -_ResourceIsolationRequestCycleListener_ is highly configurable. It allows to add exempted paths that will not be checked with the __addExemptedPath__ method. It can be configured with multiple _ResourceIsolationPolicy_ objects to be checked in order. +By default _ResourceIsolationRequestCycleListener_ checks only event handlers requests, i.e. a cross-origin requests cannot execute _Link.onClick()_ or submit forms (_Form.onSubmit()_). Any request to render pages are still allowed so Wicket pages could be easily embedded in other applications. To extend CSRF protection to pages we can simply override _isChecked(IRequestHandler handler)_ method to make it return always _true_: + +[source,java] +---- + @Override + protected void init() { + super.init(); + getRequestCycleListeners().add(new ResourceIsolationRequestCycleListener() { + @Override + protected boolean isChecked(IRequestHandler handler) { + //check everything + return true; + } + }); + // ... + } +---- + + +_ResourceIsolationRequestCycleListener_ is highly configurable. It allows to add exempted paths that will not be checked with the __addExemptedPath__ method. It can also be configured with multiple _ResourceIsolationPolicy_ objects to be checked in order. An __IResourceIsolationPolicy__ returns a __ResourceIsolationOutcome__ after processing a request, which can be one of 3 values (__ALLOWED__, __DISALLOWED__, __UNKNOWN__). The __ResourceIsolationRequestCycleListener__ checks the __IResourceIsolationPolicy__ objects in order and uses the first outcome that is not __UNKNOWN__ to trigger the appropriate action. If all return __UNKNOWN__ __unknownOutcomeAction__ is applied. The actions can be configured through the listener. 
The default constructor uses the __FetchMetadataResourceIsolationPolicy__, which checks Fetch Metadata headers, and the __OriginBasedResourceIsolationPolicy__ which uses the Origin and Referer headers to forbid requests made from a different origin, in order. The __OriginBasedResourceIsolationPolicy__ contains the refactored logic of the now deprecated __CsrfPreventionRequestCycleListener__. The listener can be configured to include custom __IResourceIsolationPolicy__ objects. -MyApplication.java +For example: [source,java] ---- @Override protected void init() { super.init(); - getRequestCycleListeners().add(new ResourseIsolationRequestCycleListener(new FetchMetadataResourceIsolationPolicy())); + getRequestCycleListeners().add( + new ResourseIsolationRequestCycleListener( + new FetchMetadataResourceIsolationPolicy(), + new OriginBasedResourceIsolationPolicy(), + new MyCustomResourceIsolationPolicy() + )); // ... } ----
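Review bot: in the first hunk (@@ -2,9 +2,9 @@), dropping the `MyApplication.java` label above the listing removes the only hint of which class the `@Override protected void init()` belongs to; the added sentence "Just like any RequestCycle listener _ResourceIsolationRequestCycleListener_ must be registered on application initialization:" should say where, e.g. "must be registered in the application class (the _WebApplication_ subclass) on initialization:", or the label should be kept. While this paragraph is being rewritten, "a _IRequestCycleListener_" should read "an _IRequestCycleListener_", and the unchanged first sentence ("helps preventing CSRF attacks by making the urls impossible to be guessed by an attacker but still there is some theoretical chance this to happen") would read better as "helps prevent CSRF attacks by making URLs practically impossible for an attacker to guess, although a small theoretical chance remains". Moving the "By default only actions are checked" sentence out of this paragraph is fine, since it reappears in the next hunk.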
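Review bot: in the second hunk (@@ -15,20 +15,44 @@), the new `isChecked` example is labelled "check everything" without stating the cost: once page render requests are checked as well, the cross-origin embedding that the preceding sentence promises ("Wicket pages could be easily embedded in other applications") is exactly what the policies will now reject, so the paragraph should present the override as a trade-off, e.g. "Note that this also rejects cross-origin render requests, so pages can no longer be embedded from other origins." The second listing still constructs `ResourseIsolationRequestCycleListener` (with an `s`) in both the removed and the added lines, while the prose and the first listing use `ResourceIsolationRequestCycleListener`; a reader copying the example gets a compile error, so fix the spelling since these lines are being rewritten anyway, and say that `MyCustomResourceIsolationPolicy` stands for the reader's own `IResourceIsolationPolicy` implementation. Grammar in the added paragraph: "checks only event handlers requests, i.e. a cross-origin requests cannot execute" should be "checks only event handler requests, i.e. a cross-origin request cannot execute"; "Any request to render pages are still allowed" should be "Any request to render a page is still allowed"; "make it return always _true_" should be "make it always return _true_"; and "If all return __UNKNOWN__ __unknownOutcomeAction__ is applied" needs a comma after __UNKNOWN__.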