I might have solved the problem. The default ICryptFactory is

/**
 * Default crypt factory. This factory will instantiate a {@link SunJceCrypt} once and cache it for
 * all further invocations of {@link #newCrypt()}.
 *
 * @author Igor Vaynberg (ivaynberg)
 */
public class CachingSunJceCryptFactory extends CryptFactoryCachingDecorator

and what I want, i.e. a unique URL for each session, is

/**
 * Crypt factory that produces {@link SunJceCrypt} instances based on http session-specific
 * encryption key. This allows each user to have their own encryption key, hardening against CSRF
 * attacks.
 *
 * Note that the use of this crypt factory will result in an immediate creation of a http session
 *
 * @author igor.vaynberg
 */
public class KeyInSessionSunJceCryptFactory implements ICryptFactory

Now I just need to figure out how to configure it.

2013/5/28 Magnus K Karlsson <magnus.r.karls...@gmail.com>

> Start will not work, since security is enabled. I'm attaching a new zip
> file, with security disabled. I also added getSession().bind(), and I can
> verify that the session IDs are different in the two different browsers.
>
> -----------------------
> web.xml
> -----------------------
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>          version="3.0">
>
>   <display-name>example-wicket</display-name>
>
>   <filter>
>     <filter-name>wicket.example-wicket</filter-name>
>     <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
>     <init-param>
>       <param-name>applicationClassName</param-name>
>       <param-value>se.msc.examples.WicketApplication</param-value>
>     </init-param>
>     <init-param>
>       <param-name>configuration</param-name>
>       <!-- <param-value>development</param-value> -->
>       <param-value>deployment</param-value>
>     </init-param>
>     <init-param>
>       <param-name>ignorePaths</param-name>
>       <param-value>/*.jsp</param-value>
>     </init-param>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>wicket.example-wicket</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>
>   <session-config>
>     <!-- Session timeout after X MINUTES after no user interaction. -->
>     <session-timeout>15</session-timeout>
>     <cookie-config>
>       <!-- XSS attack: make sure that cookie cannot be accessed via
>            client side scripts -->
>       <http-only>true</http-only>
>       <!-- CSRF attack, session hijack attack: require cookie can
>            only be used for SSL communication.
>       <secure>true</secure>-->
>     </cookie-config>
>     <!-- Do not use URL, since then it can be stored in numerous
>          places: browser history, proxy server log, referrer logs, web logs, etc. -->
>     <tracking-mode>COOKIE</tracking-mode>
>   </session-config>
>
> </web-app>
>
> -----------------------
> jboss-web.xml
> -----------------------
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
>   <context-root>example-wicket</context-root>
> </jboss-web>
>
> I still get the same result.
>
>
> 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>
>> Hi,
>>
>> Your app fails to start due to:
>> WARN - AbstractLifeCycle - FAILED
>> org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d:
>> java.lang.IllegalStateException: No LoginService for
>> org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in
>> org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
>> java.lang.IllegalStateException: No LoginService for
>> org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in
>> org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
>>   at org.eclipse.jetty.security.authentication.LoginAuthenticator.setConfiguration(LoginAuthenticator.java:44)
>>   at org.eclipse.jetty.security.authentication.FormAuthenticator.setConfiguration(FormAuthenticator.java:103)
>>   ...
>>
>> I see it is prepared for JBoss.
>> I tried to run it with Jetty's Start.java.
>>
>> Add getSession().bind() before checking the ids.
>>
>>
>> On Tue, May 28, 2013 at 11:51 AM, Magnus K Karlsson <
>> magnus.r.karls...@gmail.com> wrote:
>>
>> > That is what I'm trying to do. I have created a simple Apache Wicket 6.8.0
>> > project. I have attached it. I'm not sure if it will be posted to the list.
>> >
>> > import javax.servlet.http.HttpServletRequest;
>> > import org.apache.wicket.WicketRuntimeException;
>> > import org.apache.wicket.core.request.mapper.CryptoMapper;
>> > import org.apache.wicket.protocol.http.WebApplication;
>> > import org.apache.wicket.request.IRequestMapper;
>> > import org.apache.wicket.request.Request;
>> > import org.apache.wicket.request.cycle.RequestCycle;
>> >
>> > public class WicketApplication extends WebApplication {
>> >     ...
>> >     // covariant get() so that callers reach getHttpServletRequest() without a cast
>> >     public static WicketApplication get() {
>> >         return (WicketApplication) WebApplication.get();
>> >     }
>> >
>> >     @Override
>> >     public void init() {
>> >         super.init();
>> >         // wrap the root mapper so that every URL segment is encrypted
>> >         IRequestMapper cryptoMapper;
>> >         cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
>> >         setRootRequestMapper(cryptoMapper);
>> >     }
>> >
>> >     public final HttpServletRequest getHttpServletRequest() {
>> >         return (HttpServletRequest) getRequest().getContainerRequest();
>> >     }
>> >
>> >     protected final Request getRequest() {
>> >         RequestCycle requestCycle = RequestCycle.get();
>> >         if (requestCycle == null) {
>> >             throw new WicketRuntimeException(
>> >                     "No RequestCycle is currently set!");
>> >         }
>> >         return requestCycle.getRequest();
>> >     }
>> > }
>> >
>> > I have two simple web pages that print the Session Id
>> >
>> > import org.apache.wicket.markup.html.WebPage;
>> > import org.apache.wicket.markup.html.basic.Label;
>> > import org.apache.wicket.request.mapper.parameter.PageParameters;
>> >
>> > public class ListPersons extends WebPage {
>> >
>> >     private static final long serialVersionUID = 1L;
>> >
>> >     public ListPersons(final PageParameters parameters) {
>> >         super(parameters);
>> >
>> >         // Wicket's session id
>> >         add(new Label("label1", getSession().getId()));
>> >
>> >         // the servlet container's session id
>> >         add(new Label("label2",
>> >                 WicketApplication.get().getHttpServletRequest()
>> >                         .getSession().getId()));
>> >     }
>> > }
>> >
>> > I have enabled security, but I'm not sure if that is necessary; I only
>> > want to make sure that an HTTP session is created and that they are
>> > different for the two browsers.
>> >
>> > I have two browsers, Firefox and Chrome.
>> > 1. I log in in the first browser. I can see that I get a session Id.
>> > 2. Then I copy the URL from browser 1 into browser 2.
>> > 3. And I can open it with the pasted URL. And a new session id is created.
>> >
>> > Does this not work on bookmarkable pages? Both my pages have the following
>> > constructors.
>> >
>> >
>> > 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>> >
>> >> On Tue, May 28, 2013 at 11:03 AM, Magnus K Karlsson <
>> >> magnus.r.karls...@gmail.com> wrote:
>> >>
>> >> > Thanks for your fast reply!
>> >> >
>> >> > I have tested CryptoMapper, but as far as I can see the CryptoMapper does
>> >> > not return a unique URL for each session, as suggested by OWASP
>> >> >
>> >>
>> >> The session id is used to encrypt/decrypt the url segment.
>> >> If you make a request with an encrypted url from a new browser it won't let
>> >> you in.
>> >>
>> >>
>> >> >
>> >> > "The synchronizer token pattern requires the generating of random
>> >> > "challenge" tokens that are associated with the user's current session."
>> >> >
>> >> > Is this correct?
>> >> >
>> >> > If yes, is there any way to accomplish this?
>> >> >
>> >> >
>> >> > 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>> >> >
>> >> > > Hi,
>> >> > >
>> >> > >
>> >> > > On Tue, May 28, 2013 at 10:32 AM, Magnus K Karlsson <
>> >> > > magnus.r.karls...@gmail.com> wrote:
>> >> > >
>> >> > > > Hi,
>> >> > > >
>> >> > > > I'm looking for protection against CSRF and found an old issue for
>> >> > > > Apache Wicket 1.3.4.
>> >> > > >
>> >> > > > https://issues.apache.org/jira/browse/WICKET-1782
>> >> > > >
>> >> > > > And as far as I have understood, Apache Wicket does not support the
>> >> > > > Synchronizer Token Pattern, as suggested at
>> >> > > >
>> >> > > > https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
>> >> > > >
>> >> > > > but Apache Wicket 1.3 did support CryptedUrlWebRequestCodingStrategy,
>> >> > > > so now my question.
>> >> > > >
>> >> > > > - Does Apache Wicket 6 support CryptedUrlWebRequestCodingStrategy? I
>> >> > > > cannot find the CryptedUrlWebRequestCodingStrategy class. If the class
>> >> > > > has been renamed, please submit an example of how to use this new class.
>> >> > > >
>> >> > >
>> >> > > IRequestCodingStrategy has been reworked to IRequestMapper in Wicket 1.5.0.
>> >> > > The class you need is CryptoMapper.
>> >> > > Please have a look at
>> >> > >
>> >> > > https://cwiki.apache.org/confluence/display/WICKET/Request+mapping#Requestmapping-CryptoMapper
>> >> > >
>> >> > >
>> >> > > >
>> >> > > > - Does Apache Wicket 6 support any other solution to hinder CSRF?
>> >> > > >
>> >> > > >
>> >> > > > --
>> >> > > > Kind regards
>> >> > > > Magnus K Karlsson
>> >> > > >
>> >> > > > Mobile: +46 (0)70 218 00 84
>> >> > > > Email: magnus.r.karls...@gmail.com
>> >> > > > Blog: magnus-k-karlsson.blogspot.com
>> >> > > >
>> >> > >
>> >> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>> > For additional commands, e-mail: users-h...@wicket.apache.org
>> >
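How the two pieces discussed in this thread fit together, as an added example that is not code from the thread or from the Wicket project: the application class swaps the default CachingSunJceCryptFactory (one application-wide key) for KeyInSessionSunJceCryptFactory (one key per HTTP session) and then installs the CryptoMapper shown earlier on top of it. It assumes Wicket 6.x package names (org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory, org.apache.wicket.core.request.mapper.CryptoMapper) and a home page class HomePage that does not appear in the thread.

```java
import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestMapper;

// Added example, not the list poster's or the Wicket project's code.
// Package names assume Wicket 6.x; check them against the version in use.
public class WicketApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical page, not in the thread
    }

    @Override
    public void init() {
        super.init();

        // Default is CachingSunJceCryptFactory: a single key shared by all users,
        // so an encrypted URL copied from one browser still decrypts in another.
        // KeyInSessionSunJceCryptFactory keeps a separate key in each HTTP session.
        // Caveat from its javadoc: this forces a session to be created on the
        // first request, so getSession().bind() is no longer needed for the test.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());

        // CryptoMapper(wrapped, application) asks
        // application.getSecuritySettings().getCryptFactory() for an ICrypt when
        // it needs one, so the factory set above is the one it will use.
        IRequestMapper cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
        setRootRequestMapper(cryptoMapper);
    }
}
```

To repeat the two-browser check from the thread with this configuration: open a page in browser 1, paste the URL into browser 2, and browser 2 should not reach the page, because its new session holds a different key and the encrypted segment does not decrypt; with the default factory the same paste succeeds, which is the behaviour the thread reports.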