Hi, there is now an auto CSRF protection mode available. By including the CSRF protection module and providing the application defaults - configuration.add(CsrfProtectionModule.ANTI_CSRF_MODE, CsrfProtectionModule.ANTI_CSRF_MODE_AUTO); - every Form- or AbstractComponentEventLink-based component is protected, which works in my sample app for all used components.
How it works:
-) My component class transformation adds the insertCSRFToken method to all components.
-) Furthermore, the transformation adds my CsrfProtected mixin to org.apache.tapestry5.corelib.components.Form and org.apache.tapestry5.corelib.base.AbstractComponentEventLink.
-) The mixin calls the insertCSRFToken method in the afterRender phase.
-) A ComponentEventRequestFilter checks the token.
-) A @NotCsrfProtected annotation can be used for pages that should not be protected.
-) If for any reason the auto protection does not work in a case, the explicit protection with the mixin and the @CsrfProtected annotation can be used.

Issues - Auto Mode:
1. Page render requests: These requests are excluded from auto protection. It would be easy to include them, but these events should not trigger any functionality that could be exploited with CSRF.
2. The filter checks the page annotation with reflection on each call. I will build a service that holds a constant page list that is built upon app start, to avoid using reflection all the time.

Issues - Explicit Mode (Mixin + @CsrfProtected):
3. The @CsrfProtected on page level adds the token check logic as advice to the onActivate event of the page. If there is no onActivate event, I add the advice to the dispatchComponentEvent method of the page with a check for the onActivate event. This is a little bit of a hack. My idea was to add the onActivate method if it is not present on the page and to let the other workers of Tapestry do the rest. But the worker classes that handle the onActivate logic don't use introduced methods of other workers. If they did, it would be a nice way to add functionality based on the existing Tapestry mechanisms. For now I think I will change the logic to use a ComponentEventRequestFilter. If the @CsrfProtected annotation is present on a page I'll check the token.
Next steps:
-) Test of the CSRF protection with the Jumpstart demo
-) Unit tests
-) Documentation page

BR, Markus

--
View this message in context: http://tapestry.1045711.n5.nabble.com/CSRF-protection-module-tp4487920p4527453.html
Sent from the Tapestry - Dev mailing list archive at Nabble.com.
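An added example, not code from Markus's module or from Tapestry itself: a ComponentEventRequestFilter of the kind the post describes, which lets pages carrying @NotCsrfProtected through and otherwise compares the submitted token with the one held in the session before any event handler runs. The parameter and session attribute names, the use of the containing page for the annotation lookup, and the assumption that the annotation survives Tapestry's class transformation with RUNTIME retention are all mine.

```java
import java.io.IOException;
import java.lang.annotation.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.tapestry5.services.*;

/** Stand-in for the module's @NotCsrfProtected, declared here only so the example compiles on its own. */
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
@interface NotCsrfProtected {}
/** Component event request filter: rejects event requests whose anti-CSRF token is missing or wrong. */
public class CsrfTokenCheckFilter implements ComponentEventRequestFilter {
    // Parameter and session attribute names are assumed; the module's real ones may differ.
    static final String TOKEN_PARAMETER = "t:csrf";
    static final String SESSION_ATTRIBUTE = "csrf.token";

    private final Request request;
    private final Response response;
    private final ComponentSource componentSource;

    public CsrfTokenCheckFilter(Request request, Response response, ComponentSource componentSource) {
        this.request = request;
        this.response = response;
        this.componentSource = componentSource;
    }

    public void handle(ComponentEventRequestParameters parameters, ComponentEventRequestHandler handler)
            throws IOException {
        // The page containing the Form or link that fired the event decides whether the check applies.
        Class<?> pageClass = componentSource.getPage(parameters.getContainingPageName()).getClass();
        if (pageClass.isAnnotationPresent(NotCsrfProtected.class)) {
            handler.handle(parameters);
            return;
        }
        Session session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_ATTRIBUTE);
        if (!tokensMatch(expected, request.getParameter(TOKEN_PARAMETER))) {
            // No session, no token, or a mismatch: refuse before any event handler runs.
            response.sendError(403, "Invalid or missing CSRF token");
            return;
        }
        handler.handle(parameters);
    }

    /** Constant-time comparison, so response timing does not reveal how many leading bytes matched. */
    static boolean tokensMatch(String expected, String supplied) {
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

Contributed to the ComponentEventRequestHandler pipeline from the application module (for example via a contributeComponentEventRequestHandler method), it runs on component event requests only, so page render requests never pass through it, matching point 1 of the auto-mode issues.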
