Re: Wicket CSRF/XSRF protection
On 30/12/2015 15:25, Martin Grigorov wrote:
> Hi,
>
> You can use CookieUtils to write the cookie.
> Later in each request you could use WebRequest.getHeader(String) or @HeaderParam if this is supported.

Hi and happy new year,

Thanks for the answer.
So, in my case, the best way is to manage the cookie "manually"?

> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Wed, Dec 30, 2015 at 9:31 AM, andrea wrote:

- To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket CSRF/XSRF protection
Hi,

I think you might need to roll out your own RequestCycleListener to check for the XSRF-TOKEN.

Or alternatively, if you are using wicketstuff REST support, you could use the hook method onBeforeMethodInvoked to check the token before the REST API is invoked. See https://github.com/wicketstuff/core/tree/master/wicketstuff-restannotations-parent and the javadoc http://wicketstuff.org/core/javadoc7/apidocs/org/wicketstuff/rest/resource/AbstractRestResource.html

Andrea.
Re: Wicket CSRF/XSRF protection
Hi,

You can use CookieUtils to write the cookie.
Later in each request you could use WebRequest.getHeader(String) or @HeaderParam if this is supported.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, Dec 30, 2015 at 9:31 AM, andrea wrote:
Wicket CSRF/XSRF protection
Hi all,

Starting from [this][1] question on stackoverflow, I'm going to ask one thing more.

I've developed a web application in which Apache Wicket plays as "REST backend": it only exposes HTTP Resources, there is an application and there are no pages, and nothing HTML related.
All the "frontend" is developed in AngularJS.

Now, I need protection against CSRF attacks. AngularJS documentation says:

> To take advantage of this [angular XSRF protection], your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on first HTTP GET request. On subsequent non-GET requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have read the token.

How can I get this token managed by Apache Wicket?

Are there Wicket implementations of such a mechanism?

I found CsrfPreventionRequestCycleListener, but this doesn't protect all requests; it seems to be configured (by default) only to protect ajax requests on components or links. Or CryptoMapper with KeyInSessionSunJceCryptFactory, but this does not seem to do what I'm looking for.
I "just" want to send a token, not to encrypt URLs, but if it guarantees the same protection I'll do it.

I've not found so much in the documentation, can you help me?

[1]: http://stackoverflow.com/questions/29881338/add-csrf-protection-header-to-wicket-ajax-call#new-answer

Best regards,
Andrea
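The following is an added example, not code from this thread, from Apache Wicket or from AngularJS: it implements the XSRF-TOKEN / X-XSRF-TOKEN double-submit cookie scheme quoted above from the AngularJS docs as a Wicket request cycle listener, which is what both replies suggest (CookieUtils to write the cookie, WebRequest.getHeader to read the header, a RequestCycleListener to run the check on every request, including REST resources). It targets the Wicket 7 API (AbstractRequestCycleListener, CookieUtils, CookieDefaults, AbortWithHttpErrorCodeException); the class name XsrfTokenListener, the helper names and the choice to treat GET, HEAD and OPTIONS as safe methods are this example's own, and it assumes the API is served over HTTPS.

```java
// Added example (not the thread's, Wicket's or AngularJS's own code).
// Double-submit cookie CSRF protection for a Wicket application that only
// exposes REST resources, matching the AngularJS $http defaults.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.servlet.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebRequest;
import org.apache.wicket.util.cookies.CookieDefaults;
import org.apache.wicket.util.cookies.CookieUtils;

public class XsrfTokenListener extends AbstractRequestCycleListener {

    /** Cookie and header names AngularJS's $http service uses by default. */
    static final String COOKIE_NAME = "XSRF-TOKEN";
    static final String HEADER_NAME = "X-XSRF-TOKEN";

    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void onBeginRequest(RequestCycle cycle) {
        if (!(cycle.getRequest() instanceof WebRequest)) {
            return; // not an HTTP request (e.g. a test harness); nothing to check
        }
        WebRequest request = (WebRequest) cycle.getRequest();
        String method = ((HttpServletRequest) request.getContainerRequest()).getMethod();
        CookieUtils cookies = new CookieUtils(cookieDefaults());
        String cookieToken = cookies.load(COOKIE_NAME);

        if (isSafeMethod(method)) {
            // First safe request without a token: issue the cookie. It must not be
            // HttpOnly, because Angular has to read it from document.cookie.
            if (cookieToken == null || cookieToken.isEmpty()) {
                cookies.save(COOKIE_NAME, newToken());
            }
            return;
        }

        // State-changing request: the header must be present and equal to the cookie.
        // Only script running on this origin can read the cookie to copy it into a header.
        String headerToken = request.getHeader(HEADER_NAME);
        if (!tokensMatch(cookieToken, headerToken)) {
            throw new AbortWithHttpErrorCodeException(HttpServletResponse.SC_FORBIDDEN,
                "Missing or mismatched " + HEADER_NAME + " header");
        }
    }

    /** Methods that must not change state and therefore need no token (example's choice). */
    static boolean isSafeMethod(String method) {
        return "GET".equalsIgnoreCase(method) || "HEAD".equalsIgnoreCase(method)
            || "OPTIONS".equalsIgnoreCase(method);
    }

    /** 256 bits from SecureRandom, URL-safe base64 so it survives cookie encoding. */
    static String newToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Constant-time comparison so the check does not leak the token through timing. */
    static boolean tokensMatch(String cookieToken, String headerToken) {
        if (cookieToken == null || headerToken == null || cookieToken.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(cookieToken.getBytes(StandardCharsets.UTF_8),
            headerToken.getBytes(StandardCharsets.UTF_8));
    }

    private static CookieDefaults cookieDefaults() {
        CookieDefaults defaults = new CookieDefaults();
        defaults.setPath("/");
        defaults.setHttpOnly(false); // Angular reads it in JavaScript
        defaults.setSecure(true);    // assumption: the API is served over HTTPS
        defaults.setMaxAge(-1);      // session cookie, dropped when the browser closes
        return defaults;
    }

    /** Call this from WebApplication.init() to activate the listener for every request. */
    public static void register(WebApplication app) {
        app.getRequestCycleListeners().add(new XsrfTokenListener());
    }
}
```

Because the listener runs in onBeginRequest, it covers every request cycle, so REST resources are protected without touching CsrfPreventionRequestCycleListener, which only looks at component and link requests. The same tokensMatch check could equally be called from the onBeforeMethodInvoked hook mentioned in the other reply if you prefer to keep it inside the wicketstuff REST resource. Two caveats worth keeping in mind with any double-submit scheme: the defence assumes nothing else can set cookies for your domain (a compromised sibling subdomain could), and the token is only as secret as document.cookie, so an XSS bug on the same origin defeats it.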