Re: Wicket 8 CsrfPrevention issue
I add custom original url, and it works!
getRequestCycleListeners().add(new
CsrfPreventionRequestCycleListener().addAcceptedOrigin("mydomain"));
On Mon, Dec 24, 2018 at 9:26 AM Shengche Hsiao
wrote:
> Thanks Papegaaji, let me try.
>
> On Sun, Dec 23, 2018 at 8:32 PM Emond Papegaaij
> wrote:
>
>> I checked the answers and comments on that post, and they are
>> incorrect. When you
>> place your application behind a reverse http proxy, you need to make sure
>> the
>> proxy passes the correct headers to your application and you application
>> needs
>> to use these headers.
>>
>> For WildFly, you need to add proxy-address-forwarding="true" to the http-
>> listener. This will instruct Undertow to read the headers passed by the
>> proxy.
>>
>> On your proxy you will want to set these headers (this is nginx config):
>> proxy_set_header X-Real-IP $remote_addr;
>> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
>> proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
>>
>> Best regards,
>> Emond Papegaaij
>>
>> On Sat, Dec 22, 2018 at 7:31 PM Chris Turchin wrote:
>> >
>> > This might help:
>> >
>> https://stackoverflow.com/questions/46337253/apache-reverse-proxy-and-wicket-csrfpreventionrequestcyclelistener
>> >
>> > On Sat, Dec 22, 2018 at 3:28 AM ShengChe Hsiao
>> wrote:
>> > >
>> > > Dear all
>> > >
>> > > I use apache httpd as wildlfy's backend proxy server to redirect http
>> > > request to https request, when i add
>> CsrfPreventionRequestCycleListener to
>> > > my application , it showd error message:
>> > >
>> > > [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener]
>> > > (default task-48) Possible CSRF attack, request URL: http://
>> > > etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw
>> ,
>> > > action: aborted with error 400 Origin does not correspond to request
>> > >
>> > > How can i conquer this?
>> > >
>> > > --->
>> > > To boldly go where no man has gone before.
>> > >
>> > > --->
>> > > We do this not because it is easy. We do this because it is hard.
>> > > -
>> > > -->
>> > > If I have seen further it is by standing on the shoulders of giants.
>> > > --
>> > > ->
>> > > front...@gmail.com
>> > >
>> ->
>> >
>> >
>> >
>> > --
>> > Chris Turchin
>> >
>> > -
>> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>> > For additional commands, e-mail: users-h...@wicket.apache.org
>> >
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>> For additional commands, e-mail: users-h...@wicket.apache.org
>>
>>
>
> --
>
> --->
> We do this not because it is easy. We do this because it is hard.
> --->
> ShengChe Hsiao
> --->
> front...@gmail.com
> front...@tc.edu.tw
> --->
> VoIP : 070-910-2450
> --->
>
--
--->
We do this not because it is easy. We do this because it is hard.
--->
ShengChe Hsiao
--->
front...@gmail.com
front...@tc.edu.tw
--->
VoIP : 070-910-2450
--->
Re: Wicket 8 CsrfPrevention issue
Thanks Papegaaji, let me try. On Sun, Dec 23, 2018 at 8:32 PM Emond Papegaaij wrote: > I checked the answers and comments on that post, and they are > incorrect. When you > place your application behind a reverse http proxy, you need to make sure > the > proxy passes the correct headers to your application and you application > needs > to use these headers. > > For WildFly, you need to add proxy-address-forwarding="true" to the http- > listener. This will instruct Undertow to read the headers passed by the > proxy. > > On your proxy you will want to set these headers (this is nginx config): > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; > proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; > > Best regards, > Emond Papegaaij > > On Sat, Dec 22, 2018 at 7:31 PM Chris Turchin wrote: > > > > This might help: > > > https://stackoverflow.com/questions/46337253/apache-reverse-proxy-and-wicket-csrfpreventionrequestcyclelistener > > > > On Sat, Dec 22, 2018 at 3:28 AM ShengChe Hsiao > wrote: > > > > > > Dear all > > > > > > I use apache httpd as wildlfy's backend proxy server to redirect http > > > request to https request, when i add > CsrfPreventionRequestCycleListener to > > > my application , it showd error message: > > > > > > [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener] > > > (default task-48) Possible CSRF attack, request URL: http:// > > > etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw, > > > action: aborted with error 400 Origin does not correspond to request > > > > > > How can i conquer this? > > > > > > ---> > > > To boldly go where no man has gone before. > > > > > > ---> > > > We do this not because it is easy. We do this because it is hard. > > > - > > > --> > > > If I have seen further it is by standing on the shoulders of giants. > > > -- > > > -> > > > front...@gmail.com > > > > -> > > > > > > > > -- > > Chris Turchin > > > > - > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > > For additional commands, e-mail: users-h...@wicket.apache.org > > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- ---> We do this not because it is easy. We do this because it is hard. ---> ShengChe Hsiao ---> front...@gmail.com front...@tc.edu.tw ---> VoIP : 070-910-2450 --->
Re: Wicket 8 CsrfPrevention issue
I checked the answers and comments on that post, and they are wrong. When you place your application behind a reverse http proxy, you need to make sure the proxy passes the correct headers to your application and you application needs to use these headers. For WildFly, you need to add proxy-address-forwarding="true" to the http- listener. This will instruct Undertow to read the headers passed by the proxy. On your proxy you will want to set these headers (this is nginx config): proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; Best regards, Emond Papegaaij On zaterdag 22 december 2018 12:46:11 CET Chris Turchin wrote: > This might help: > https://stackoverflow.com/questions/46337253/apache-reverse-proxy-and-wicket > -csrfpreventionrequestcyclelistener > On Sat, Dec 22, 2018 at 3:28 AM ShengChe Hsiao wrote: > > Dear all > > > > I use apache httpd as wildlfy's backend proxy server to redirect http > > request to https request, when i add CsrfPreventionRequestCycleListener to > > my application , it showd error message: > > > > [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener] > > (default task-48) Possible CSRF attack, request URL: http:// > > etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw, > > action: aborted with error 400 Origin does not correspond to request > > > > How can i conquer this? > > > > ---> > > To boldly go where no man has gone before. > > > > ---> > > We do this not because it is easy. We do this because it is hard. > > - > > --> > > If I have seen further it is by standing on the shoulders of giants. > > -- > > -> > > front...@gmail.com > > -- > > ---> - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket 8 CsrfPrevention issue
I checked the answers and comments on that post, and they are incorrect. When you place your application behind a reverse http proxy, you need to make sure the proxy passes the correct headers to your application and you application needs to use these headers. For WildFly, you need to add proxy-address-forwarding="true" to the http- listener. This will instruct Undertow to read the headers passed by the proxy. On your proxy you will want to set these headers (this is nginx config): proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; Best regards, Emond Papegaaij On Sat, Dec 22, 2018 at 7:31 PM Chris Turchin wrote: > > This might help: > https://stackoverflow.com/questions/46337253/apache-reverse-proxy-and-wicket-csrfpreventionrequestcyclelistener > > On Sat, Dec 22, 2018 at 3:28 AM ShengChe Hsiao wrote: > > > > Dear all > > > > I use apache httpd as wildlfy's backend proxy server to redirect http > > request to https request, when i add CsrfPreventionRequestCycleListener to > > my application , it showd error message: > > > > [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener] > > (default task-48) Possible CSRF attack, request URL: http:// > > etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw, > > action: aborted with error 400 Origin does not correspond to request > > > > How can i conquer this? > > > > ---> > > To boldly go where no man has gone before. > > > > ---> > > We do this not because it is easy. We do this because it is hard. > > - > > --> > > If I have seen further it is by standing on the shoulders of giants. > > -- > > -> > > front...@gmail.com > > -> > > > > -- > Chris Turchin > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket 8 CsrfPrevention issue
This might help: https://stackoverflow.com/questions/46337253/apache-reverse-proxy-and-wicket-csrfpreventionrequestcyclelistener On Sat, Dec 22, 2018 at 3:28 AM ShengChe Hsiao wrote: > > Dear all > > I use apache httpd as wildlfy's backend proxy server to redirect http > request to https request, when i add CsrfPreventionRequestCycleListener to > my application , it showd error message: > > [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener] > (default task-48) Possible CSRF attack, request URL: http:// > etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw, > action: aborted with error 400 Origin does not correspond to request > > How can i conquer this? > > ---> > To boldly go where no man has gone before. > > ---> > We do this not because it is easy. We do this because it is hard. > - > --> > If I have seen further it is by standing on the shoulders of giants. > -- > -> > front...@gmail.com > -> -- Chris Turchin - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Wicket 8 CsrfPrevention issue
Dear all I use apache httpd as wildlfy's backend proxy server to redirect http request to https request, when i add CsrfPreventionRequestCycleListener to my application , it showd error message: [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener] (default task-48) Possible CSRF attack, request URL: http:// etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw, action: aborted with error 400 Origin does not correspond to request How can i conquer this? ---> To boldly go where no man has gone before. ---> We do this not because it is easy. We do this because it is hard. - --> If I have seen further it is by standing on the shoulders of giants. -- -> front...@gmail.com ->
