I might have solved the problem. The default ICryptFactory is

/**
 * Default crypt factory. This factory will instantiate a {@link SunJceCrypt} once and cache it for
 * all further invocations of {@link #newCrypt()}.
 *
 * @author Igor Vaynberg (ivaynberg)
 */
public class CachingSunJceCryptFactory extends CryptFactoryCachingDecorator

and what I want, i.e. a unique URL for each session, is

/**
 * Crypt factory that produces {@link SunJceCrypt} instances based on http session-specific
 * encryption key. This allows each user to have their own encryption key, hardening against CSRF
 * attacks.
 *
 * Note that the use of this crypt factory will result in an immediate creation of a http session
 *
 * @author igor.vaynberg
 */
public class KeyInSessionSunJceCryptFactory implements ICryptFactory

Now I just need to figure out how to configure it.


2013/5/28 Magnus K Karlsson <magnus.r.karls...@gmail.com>

> Start will not work, since security is enabled. I'm attaching a new zip
> file, with security disabled. And I added getSession().bind() and I can
> verify that the Session Ids are different in the two different browsers.
>
> -----------------------
> web.xml
> -----------------------
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>          version="3.0">
>
>     <display-name>example-wicket</display-name>
>
>     <filter>
>         <filter-name>wicket.example-wicket</filter-name>
>         <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
>         <init-param>
>             <param-name>applicationClassName</param-name>
>             <param-value>se.msc.examples.WicketApplication</param-value>
>         </init-param>
>         <init-param>
>             <param-name>configuration</param-name>
>             <!-- <param-value>development</param-value> -->
>             <param-value>deployment</param-value>
>         </init-param>
>         <init-param>
>             <param-name>ignorePaths</param-name>
>             <param-value>/*.jsp</param-value>
>         </init-param>
>     </filter>
>
>     <filter-mapping>
>         <filter-name>wicket.example-wicket</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
>     <session-config>
>         <!-- Session timeout after X MINUTES after no user interaction. -->
>         <session-timeout>15</session-timeout>
>         <cookie-config>
>             <!-- XSS attack: make sure that cookie cannot be accessed via
> client side scripts -->
>             <http-only>true</http-only>
>             <!-- CSRF attack, session hijack attack: require cookie can
> only be used for SSL communication.
>             <secure>true</secure>-->
>         </cookie-config>
>         <!-- Do not use URL, since then it can be stored in numerous
> places: browser history, proxy server log, referrer logs, web logs, etc. -->
>         <tracking-mode>COOKIE</tracking-mode>
>     </session-config>
>
> </web-app>
>
> -----------------------
> jboss-web.xml
> -----------------------
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
>     <context-root>example-wicket</context-root>
> </jboss-web>
>
> I still get the same result
>
>
>
> 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>
>> Hi,
>>
>> Your app fails to start due to:
>> WARN  - AbstractLifeCycle          - FAILED
>> org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d:
>> java.lang.IllegalStateException: No LoginService for
>> org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in
>> org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
>> java.lang.IllegalStateException: No LoginService for
>> org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in
>> org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
>> at
>>
>> org.eclipse.jetty.security.authentication.LoginAuthenticator.setConfiguration(LoginAuthenticator.java:44)
>>  at
>>
>> org.eclipse.jetty.security.authentication.FormAuthenticator.setConfiguration(FormAuthenticator.java:103)
>> ...
>>
>> I see it is prepared for JBoss.
>> I tried to run it with Jetty's Start.java.
>>
>> Add getSession().bind() before checking the ids.
>>
>>
>>
>>
>> On Tue, May 28, 2013 at 11:51 AM, Magnus K Karlsson <
>> magnus.r.karls...@gmail.com> wrote:
>>
>> > That is what I'm trying to do. I have created a simple Apache Wicket 6.8.0
>> > project. I have attached it. I'm not sure if it will be posted to the list.
>> >
>> > public class WicketApplication extends WebApplication {
>> > ...
>> >     public void init() {
>> >         super.init();
>> >         IRequestMapper cryptoMapper;
>> >         cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
>> >         setRootRequestMapper(cryptoMapper);
>> >     }
>> >
>> >     public final HttpServletRequest getHttpServletRequest() {
>> >         return (HttpServletRequest) getRequest().getContainerRequest();
>> >     }
>> >
>> >     protected final Request getRequest() {
>> >         RequestCycle requestCycle = RequestCycle.get();
>> >         if (requestCycle == null) {
>> >             throw new WicketRuntimeException(
>> >                     "No RequestCycle is currently set!");
>> >         }
>> >         return requestCycle.getRequest();
>> >     }
>> > }
>> >
>> > I have two simple web pages that print the Session Id
>> >
>> > public class ListPersons extends WebPage {
>> >
>> >     private static final long serialVersionUID = 1L;
>> >
>> >     public ListPersons(final PageParameters parameters) {
>> >         super(parameters);
>> >
>> >         add(new Label("label1", getSession().getId()));
>> >
>> >         add(new Label("label2",
>> >                 WicketApplication.get().getHttpServletRequest().getSession().getId()));
>> >     }
>> > }
>> >
>> > I have enabled security, but I'm not sure if that is necessary, I only
>> > want to make sure that a HTTP Session is created and that they are
>> > different for the two browsers.
>> >
>> > I have two browsers, Firefox and Chrome.
>> > 1. I log in in the first browser. I can see that I get a session Id.
>> > 2. Then I copy the URL from browser 1 into browser two.
>> > 3. And I can open it with the pasted URL. And a new session id is created.
>> >
>> > Does this not work on bookmarkable pages? Both my pages have the following
>> > constructors.
>> >
>> >
>> > 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>> >
>> >> On Tue, May 28, 2013 at 11:03 AM, Magnus K Karlsson <
>> >> magnus.r.karls...@gmail.com> wrote:
>> >>
>> >> > Thanks for your fast reply!
>> >> >
>> >> > I have tested CryptoMapper, but as far as I can see the CryptoMapper does
>> >> > not return a unique URL for each session, as suggested by OWASP
>> >> >
>> >>
>> >> The session id is used to encrypt/decrypt the url segment.
>> >> If you make a request with encrypted url from a new browser it won't let
>> >> you in.
>> >>
>> >>
>> >> >
>> >> > "The synchronizer token pattern requires the generating of random
>> >> > "challenge" tokens that are associated with the user's current session."
>> >> >
>> >> > Is this correct?
>> >> >
>> >> > If yes, is there any way to accomplish this?
>> >> >
>> >> >
>> >> > 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>> >> >
>> >> > > Hi,
>> >> > >
>> >> > >
>> >> > > On Tue, May 28, 2013 at 10:32 AM, Magnus K Karlsson <
>> >> > > magnus.r.karls...@gmail.com> wrote:
>> >> > >
>> >> > > > Hi,
>> >> > > >
>> >> > > > I'm looking for protection against CSRF and found an old issue for
>> >> > > > Apache Wicket 1.3.4.
>> >> > > >
>> >> > > > https://issues.apache.org/jira/browse/WICKET-1782
>> >> > > >
>> >> > > > And as far as I have understood, Apache Wicket does not support the
>> >> > > > Synchronizer Token Pattern, as suggested at
>> >> > > > https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
>> >> > > >
>> >> > > > but Apache Wicket 1.3 did support CryptedUrlWebRequestCodingStrategy,
>> >> > > > so now my question.
>> >> > > >
>> >> > > > - Does Apache Wicket 6 support CryptedUrlWebRequestCodingStrategy? I
>> >> > > > cannot find the CryptedUrlWebRequestCodingStrategy class. If the class
>> >> > > > has been renamed, please submit an example how to use this new class.
>> >> > > >
>> >> > >
>> >> > > IRequestCodingStrategy has been reworked to IRequestMapper in Wicket
>> >> > > 1.5.0.
>> >> > > The class you need is CryptoMapper.
>> >> > > Please have a look at
>> >> > > https://cwiki.apache.org/confluence/display/WICKET/Request+mapping#Requestmapping-CryptoMapper
>> >> > >
>> >> > >
>> >> > > >
>> >> > > > - Does Apache Wicket 6 support any other solution to hinder CSRF?
>> >> > > >
>> >> > > >
>> >> > > >
>> >> > > >
>> >> > > >
>> >> > >
>> >> >
>> >> >
>> >> >
>> >> >
>> >>
>> >
>> >
>> >
>> >
>>
>
>
>
>



-- 
Kind regards
Magnus K Karlsson

Mobile: +46 (0)70 218 00 84
Email: magnus.r.karls...@gmail.com
Blog: magnus-k-karlsson.blogspot.com
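Wiring the session-keyed crypt factory from the top of this thread into the application, as an added example (not code from the thread or from Wicket's own sources); the package names assume Wicket 6.x, and ListPersons is the page class from the thread:

```java
import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestMapper;

public class WicketApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        // ListPersons is the page from the thread; any bookmarkable page works here.
        return ListPersons.class;
    }

    @Override
    public void init() {
        super.init();

        // The default factory (CachingSunJceCryptFactory) creates one SunJceCrypt
        // and reuses it for every session, so all users encrypt URLs under the
        // same key and a URL copied from one browser still decrypts in another.
        // KeyInSessionSunJceCryptFactory keeps a separate key in each HTTP session,
        // so an encrypted URL is only valid for the session that produced it.
        // Per its Javadoc, this forces an HTTP session to be created immediately.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());

        // Wrap the root mapper so every URL is encrypted with the ICrypt obtained
        // from the factory configured above (the factory must be set before the
        // mapper handles its first request).
        IRequestMapper cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
        setRootRequestMapper(cryptoMapper);
    }
}
```

With this in place, the check from the thread (copying the URL into a second browser) should no longer resolve the page, because the second session holds a different key.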
