I wonder if this could be created as a Mixin? Also, the internal LinkFactory service has listeners that know when an action link is created; it might be possible to automatically add a query parameter to every link with authentication, and then provide filters in the ComponentEventRequestHandler pipeline to enforce the check.

On Mon, Jul 28, 2008 at 12:24 PM, Martijn Brinkers (List) <[EMAIL PROTECTED]> wrote:
> Hi Christian,
>
> Do you have some example code of your Form extension?
>
> Thanks,
>
> Martijn
>
> On Mon, 2008-07-28 at 15:18 -0400, Christian Edward Gruber wrote:
>> A good way would be to alter the Form object to contain (via a hidden variable) a field that's generated per the whitepaper linked from that Wikipedia article. The form would then consume the post, and if that field is not in the expected state, generate an error state, which could then be redirected to a security page or some such. We solved it this way, though without changing the T5 form object - we used a custom form object.
>>
>> A friend of mine wrote the linked whitepaper, so if someone's trying to put the fix into the Tapestry framework infrastructure, then let me know and I'll connect you by e-mail. It's a good read anyway, as it's a bit of a subtle problem.
>>
>> Christian.
>>
>> On 28-Jul-08, at 14:50, Martijn Brinkers (List) wrote:
>>
>> > Cross-site request forgery (CSRF) is a web application vulnerability that is often neglected by web developers. If your application is vulnerable to CSRF and an attacker can entice you to request some URL (this can be done, for example, with an image with the src set to some Tapestry action), the attacker can execute random Tapestry actions and post forms (like adding an administrator etc.) without the user's consent.
>> > For more info on CSRF see for example: http://en.wikipedia.org/wiki/Cross-site_request_forgery.
>> > One way to protect against CSRF is to add a non-guessable code (saved in the user session) to the URLs that need to be protected against CSRF, or add a hidden field to a Form with this unique code. When Tapestry receives a request (for a page or action) and that page/action needs protection, a check is done to see if the code from the URL matches the code stored in the user session. If not, you know that the request was not generated by Tapestry.
>> >
>> > My question is what is the best way to implement this? Should I add the code as a context parameter and for forms as a hidden field? And use a dispatcher to check whether the page should have been protected?
>> >
>> > Thanks,
>> >
>> > Martijn Brinkers
>> >

-- 
Howard M. Lewis Ship
Creator Apache Tapestry and Apache HiveMind

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
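The token scheme the thread converges on (a non-guessable code held in the session, appended to action links and embedded as a hidden form field, then checked by a filter before the event is dispatched), as an added framework-neutral Python model rather than Tapestry code. `CsrfGuard`, `params_from_url`, `handle_component_event` and the parameter name `csrfToken` are assumptions, and a plain dict stands in for the servlet session.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

TOKEN_PARAM = "csrfToken"  # hypothetical name; Tapestry defines no such parameter

class CsrfGuard:
    """One non-guessable token per session, added to links/forms, checked on requests."""

    def __init__(self, session):
        self.session = session  # dict standing in for the servlet session

    def token(self):
        tok = self.session.get("csrf_token")
        if tok is None:
            # 256 bits from the OS CSPRNG; url-safe alphabet needs no escaping
            tok = secrets.token_urlsafe(32)
            self.session["csrf_token"] = tok
        return tok

    def protect_link(self, url):
        # What a link-creation listener would do: append the token to the action link
        sep = "&" if "?" in url else "?"
        return f"{url}{sep}{TOKEN_PARAM}={self.token()}"

    def hidden_field(self):
        # Form variant: the token travels as a hidden field in the POST body
        return f'<input type="hidden" name="{TOKEN_PARAM}" value="{self.token()}"/>'

    def check(self, params):
        """True only when the request carries this session's token; a missing
        token, another session's token, or no session token at all fails."""
        expected = self.session.get("csrf_token")
        supplied = params.get(TOKEN_PARAM)
        if expected is None or supplied is None:
            return False
        # constant-time compare so a forged token cannot be probed byte by byte
        return hmac.compare_digest(expected.encode(), supplied.encode())

def params_from_url(url):
    """Request parameters as the dispatcher would see them."""
    return dict(parse_qsl(urlsplit(url).query))

def handle_component_event(guard, page, params, protected_pages):
    """Model of a request filter: reject events on protected pages whose
    token does not match and let everything else through."""
    if page in protected_pages and not guard.check(params):
        return "forbidden"
    return "proceed"
```

The check never creates a token on demand, so a request arriving before this session has rendered a protected page is rejected rather than silently trusted.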