There is now a showcase for the cross-site request forgery protection based on the Jumpstart demo project available at:
http://viennamarkus.dyndns-free.com:8888/jumpstart

It uses the auto protection mode, which requires only a config entry in the AppModule of Jumpstart. So far, all the different component types and interactions can be protected. A few pages are not working properly, but this is due to my custom port of chenillekit and of Jumpstart to Tapestry 5.3.0; the CSRF protection still works there as well.

For the auto mode of the protection I switched to a decorator for the ComponentEventLinkEncoder, because the AjaxFormLoop caused some trouble in the other approach. So the auto mode now works fine for the AjaxFormLoop component as well. The problem there is that I'm currently not able to provide a mixin for that component. The critical code part is in AjaxFormLoop:

```java
// Excerpt from Tapestry's AjaxFormLoop component (as posted), with the
// imports it relies on; `resources` is the injected ComponentResources and
// `jsSupport` the environmental JavaScriptSupport of the component.
import org.apache.tapestry5.ComponentResources;
import org.apache.tapestry5.Link;
import org.apache.tapestry5.json.JSONObject;
import org.apache.tapestry5.services.javascript.JavaScriptSupport;

public void addRemoveRowTrigger(String clientId)
{
    // Event link for "triggerRemoveRow", with the current row's client value as context
    Link link = resources.createEventLink("triggerRemoveRow", toClientValue());
    String asURI = link.toURI();

    // The URL never appears in the markup: it goes to a JavaScript initializer as JSON
    JSONObject spec = new JSONObject();
    spec.put("link", clientId);
    spec.put("fragment", currentFragmentId());
    spec.put("url", asURI);

    jsSupport.addInitializerCall("formLoopRemoveLink", spec);
}
```

Through the ComponentEventLinkEncoder approach I can add the CSRF protection token already in the createEventLink method. But I don't know how I can provide an insertCSRFtoken method for that component that can be called in the afterRender phase, since the link goes into JavaScript and is not represented in the markup.

Maybe I can try to identify component instances that have the mixin attached and build a list of client ids at startup, and then in the ComponentEventLinkEncoder I evaluate this list to decide whether to add the protection token or not.

I would appreciate any help for the mixin-based protection of the AjaxFormLoop component and comments about the current solution.

BR
Markus

--
View this message in context: http://tapestry.1045711.n5.nabble.com/CSRF-protection-module-tp4487920p4553028.html
Sent from the Tapestry - Dev mailing list archive at Nabble.com.
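The following is an added example, not Markus's module and not Tapestry's own code, sketching the decorator-based auto mode the message describes against the Tapestry 5.3 ComponentEventLinkEncoder interface. It stamps every component event link (including form action URLs) with a per-session random token at link-creation time, which is exactly the point at which the AjaxFormLoop's JavaScript-only link is still visible to the encoder, and rejects any component event request whose token is missing or wrong before the event reaches a component. The class name, package, query parameter name `t:csrf` and session attribute name are assumptions made for this example; the Tapestry types, the `@Match` decorator mechanism and `Request.getSession(boolean)` are real.

```java
// Added example (not part of the original post or of Tapestry):
// a ComponentEventLinkEncoder decorator implementing "auto mode" CSRF
// protection. Package, class and parameter names are assumptions.
package org.example.csrf;

import java.security.SecureRandom;

import org.apache.tapestry5.Link;
import org.apache.tapestry5.services.ComponentEventLinkEncoder;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.PageRenderRequestParameters;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Session;

public class CsrfLinkEncoderDecorator implements ComponentEventLinkEncoder
{
    /** Query parameter carrying the token (name chosen for this example). */
    public static final String TOKEN_PARAMETER = "t:csrf";
    /** Session attribute holding the token (name chosen for this example). */
    private static final String SESSION_KEY = "csrf-token";

    private final ComponentEventLinkEncoder delegate;
    private final Request request; // per-thread proxy, safe to keep a reference to
    private final SecureRandom random = new SecureRandom();

    public CsrfLinkEncoderDecorator(ComponentEventLinkEncoder delegate, Request request)
    {
        this.delegate = delegate;
        this.request = request;
    }

    /** Auto mode: every event link, whether rendered into markup or handed to JavaScript, gets the token. */
    public Link createComponentEventLink(ComponentEventRequestParameters parameters, boolean forForm)
    {
        Link link = delegate.createComponentEventLink(parameters, forForm);
        link.addParameter(TOKEN_PARAMETER, sessionToken(true));
        return link;
    }

    /** Page render links are plain, idempotent GETs and are left untouched. */
    public Link createPageRenderLink(PageRenderRequestParameters parameters)
    {
        return delegate.createPageRenderLink(parameters);
    }

    /** Validation on decode: runs before the dispatcher hands the event to any component. */
    public ComponentEventRequestParameters decodeComponentEventRequest(Request request)
    {
        ComponentEventRequestParameters parameters = delegate.decodeComponentEventRequest(request);
        if (parameters == null) return null; // not a component event request at all

        String expected = sessionToken(false); // never create a session just to validate
        String supplied = request.getParameter(TOKEN_PARAMETER);
        if (expected == null || supplied == null || !constantTimeEquals(expected, supplied))
        {
            throw new RuntimeException(String.format(
                "Missing or invalid CSRF token for event '%s' on component '%s' of page '%s'",
                parameters.getEventType(), parameters.getNestedComponentId(),
                parameters.getActivePageName()));
        }
        return parameters;
    }

    public PageRenderRequestParameters decodePageRenderRequest(Request request)
    {
        return delegate.decodePageRenderRequest(request);
    }

    /** One random 128-bit token per session, created lazily when the first link is built. */
    private String sessionToken(boolean create)
    {
        Session session = request.getSession(create);
        if (session == null) return null;
        String token = (String) session.getAttribute(SESSION_KEY);
        if (token == null && create)
        {
            byte[] bytes = new byte[16];
            random.nextBytes(bytes);
            StringBuilder hex = new StringBuilder(32);
            for (byte b : bytes) hex.append(String.format("%02x", b));
            token = hex.toString();
            session.setAttribute(SESSION_KEY, token);
        }
        return token;
    }

    /** Compare without leaking, through timing, where the two strings first differ. */
    private static boolean constantTimeEquals(String a, String b)
    {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }
}
```

To wire it in, the AppModule gets a decorator method such as `@Match("ComponentEventLinkEncoder") public static ComponentEventLinkEncoder decorateCsrf(ComponentEventLinkEncoder delegate, Request request) { return new CsrfLinkEncoderDecorator(delegate, request); }` (`@Match` is `org.apache.tapestry5.ioc.annotations.Match`). Two caveats a deployment should weigh: the token travels in the URL, so it will appear in server logs and in Referer headers sent to third-party sites linked from the page, and a per-session token, while simpler than a per-form token, means one leaked token is valid until the session ends.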
