The solution to generate a unique URL for each session is to change the default ICryptFactory to KeyInSessionSunJceCryptFactory.

getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

2013/5/28 Magnus K Karlsson <magnus.r.karls...@gmail.com>

> I might have solved the problem. The default ICryptFactory is
>
>     /**
>      * Default crypt factory. This factory will instantiate a {@link SunJceCrypt} once and cache it for
>      * all further invocations of {@link #newCrypt()}.
>      *
>      * @author Igor Vaynberg (ivaynberg)
>      */
>     public class CachingSunJceCryptFactory extends CryptFactoryCachingDecorator
>
> and what I want, i.e. a unique URL for each session, is
>
>     /**
>      * Crypt factory that produces {@link SunJceCrypt} instances based on http session-specific
>      * encryption key. This allows each user to have their own encryption key, hardening against CSRF
>      * attacks.
>      *
>      * Note that the use of this crypt factory will result in an immediate creation of a http session
>      *
>      * @author igor.vaynberg
>      */
>     public class KeyInSessionSunJceCryptFactory implements ICryptFactory
>
> Now I just need to figure out how to configure it.
>
>
> 2013/5/28 Magnus K Karlsson <magnus.r.karls...@gmail.com>
>
>> Start will not work, since security is enabled. I'm attaching a new zip
>> file, with security disabled. And added getSession().bind() and I can
>> verify that the Session Ids are different in the two different browsers.
>>
>> -----------------------
>> web.xml
>> -----------------------
>> <?xml version="1.0" encoding="UTF-8"?>
>> <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
>>
>>     <display-name>example-wicket</display-name>
>>
>>     <filter>
>>         <filter-name>wicket.example-wicket</filter-name>
>>         <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
>>         <init-param>
>>             <param-name>applicationClassName</param-name>
>>             <param-value>se.msc.examples.WicketApplication</param-value>
>>         </init-param>
>>         <init-param>
>>             <param-name>configuration</param-name>
>>             <!-- <param-value>development</param-value> -->
>>             <param-value>deployment</param-value>
>>         </init-param>
>>         <init-param>
>>             <param-name>ignorePaths</param-name>
>>             <param-value>/*.jsp</param-value>
>>         </init-param>
>>     </filter>
>>
>>     <filter-mapping>
>>         <filter-name>wicket.example-wicket</filter-name>
>>         <url-pattern>/*</url-pattern>
>>     </filter-mapping>
>>
>>     <session-config>
>>         <!-- Session timeout after X MINUTES after no user interaction. -->
>>         <session-timeout>15</session-timeout>
>>         <cookie-config>
>>             <!-- XSS attack: make sure that cookie cannot be accessed via client side scripts -->
>>             <http-only>true</http-only>
>>             <!-- CSRF attack, session hijack attack: require cookie can only be used for SSL communication.
>>             <secure>true</secure>-->
>>         </cookie-config>
>>         <!-- Do not use URL, since then it can be stored in numerous places: browser history, proxy server log, referrer logs, web logs, etc. -->
>>         <tracking-mode>COOKIE</tracking-mode>
>>     </session-config>
>>
>> </web-app>
>>
>> -----------------------
>> jboss-web.xml
>> -----------------------
>> <?xml version="1.0" encoding="UTF-8"?>
>> <jboss-web>
>>     <context-root>example-wicket</context-root>
>> </jboss-web>
>>
>> I still get the same result.
>>
>>
>> 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>>
>>> Hi,
>>>
>>> Your app fails to start due to:
>>> WARN - AbstractLifeCycle - FAILED org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d: java.lang.IllegalStateException: No LoginService for org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
>>> java.lang.IllegalStateException: No LoginService for org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
>>>     at org.eclipse.jetty.security.authentication.LoginAuthenticator.setConfiguration(LoginAuthenticator.java:44)
>>>     at org.eclipse.jetty.security.authentication.FormAuthenticator.setConfiguration(FormAuthenticator.java:103)
>>>     ...
>>>
>>> I see it is prepared for JBoss.
>>> I tried to run it with Jetty's Start.java.
>>>
>>> Add getSession().bind() before checking the ids.
>>>
>>>
>>> On Tue, May 28, 2013 at 11:51 AM, Magnus K Karlsson <magnus.r.karls...@gmail.com> wrote:
>>>
>>> > That is what I'm trying to do. I have created a simple Apache Wicket 6.8.0
>>> > project. I have attached it. I'm not sure if it will be posted to the list.
>>> >
>>> > public class WicketApplication extends WebApplication {
>>> >     ...
>>> >     public void init() {
>>> >         super.init();
>>> >         IRequestMapper cryptoMapper;
>>> >         cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
>>> >         setRootRequestMapper(cryptoMapper);
>>> >     }
>>> >
>>> >     public final HttpServletRequest getHttpServletRequest() {
>>> >         return (HttpServletRequest) getRequest().getContainerRequest();
>>> >     }
>>> >
>>> >     protected final Request getRequest() {
>>> >         RequestCycle requestCycle = RequestCycle.get();
>>> >         if (requestCycle == null) {
>>> >             throw new WicketRuntimeException("No RequestCycle is currently set!");
>>> >         }
>>> >         return requestCycle.getRequest();
>>> >     }
>>> > }
>>> >
>>> > I have two simple web pages that print the Session Id:
>>> >
>>> > public class ListPersons extends WebPage {
>>> >
>>> >     private static final long serialVersionUID = 1L;
>>> >
>>> >     public ListPersons(final PageParameters parameters) {
>>> >         super(parameters);
>>> >
>>> >         add(new Label("label1", getSession().getId()));
>>> >
>>> >         add(new Label("label2",
>>> >                 WicketApplication.get().getHttpServletRequest().getSession().getId()));
>>> >     }
>>> > }
>>> >
>>> > I have enabled security, but I'm not sure if that is necessary; I only
>>> > want to make sure that an HTTP Session is created and that they are
>>> > different for the two browsers.
>>> >
>>> > I have two browsers, Firefox and Chrome.
>>> > 1. I log in in the first browser. I can see that I get a session Id.
>>> > 2. Then I copy the URL from browser 1 into browser two.
>>> > 3. And I can open it with the pasted URL. And a new session id is created.
>>> >
>>> > Does this not work on bookmarkable pages? Both my pages have the following
>>> > constructors.
>>> >
>>> >
>>> > 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>>> >
>>> >> On Tue, May 28, 2013 at 11:03 AM, Magnus K Karlsson <magnus.r.karls...@gmail.com> wrote:
>>> >>
>>> >> > Thanks for your fast reply!
>>> >> >
>>> >> > I have tested CryptoMapper, but as far as I can see the CryptoMapper does
>>> >> > not return a unique URL for each session, as suggested by OWASP
>>> >> >
>>> >>
>>> >> The session id is used to encrypt/decrypt the url segment.
>>> >> If you make a request with encrypted url from a new browser it won't let
>>> >> you in.
>>> >>
>>> >>
>>> >> >
>>> >> > "The synchronizer token pattern requires the generating of random
>>> >> > "challenge" tokens that are associated with the user's current session."
>>> >> >
>>> >> > Is this correct?
>>> >> >
>>> >> > If yes, is there any way to accomplish this?
>>> >> >
>>> >> >
>>> >> > 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>>> >> >
>>> >> > > Hi,
>>> >> > >
>>> >> > >
>>> >> > > On Tue, May 28, 2013 at 10:32 AM, Magnus K Karlsson <magnus.r.karls...@gmail.com> wrote:
>>> >> > >
>>> >> > > > Hi,
>>> >> > > >
>>> >> > > > I'm looking for protection against CSRF and found an old issue for Apache
>>> >> > > > Wicket 1.3.4.
>>> >> > > >
>>> >> > > > https://issues.apache.org/jira/browse/WICKET-1782
>>> >> > > >
>>> >> > > > And as far as I have understood, Apache Wicket does not support the
>>> >> > > > Synchronizer Token Pattern, as suggested at
>>> >> > > >
>>> >> > > > https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
>>> >> > > >
>>> >> > > > but Apache Wicket 1.3 did support CryptedUrlWebRequestCodingStrategy,
>>> >> > > > so now my question.
>>> >> > > >
>>> >> > > > - Does Apache Wicket 6 support CryptedUrlWebRequestCodingStrategy? I cannot
>>> >> > > > find the CryptedUrlWebRequestCodingStrategy class. If the class has
>>> >> > > > been renamed, please submit an example how to use this new class.
>>> >> > > >
>>> >> > >
>>> >> > > IRequestCodingStrategy has been reworked to IRequestMapper in Wicket 1.5.0.
>>> >> > > The class you need is CryptoMapper.
>>> >> > > Please have a look at
>>> >> > > https://cwiki.apache.org/confluence/display/WICKET/Request+mapping#Requestmapping-CryptoMapper
>>> >> > >
>>> >> > >
>>> >> > > > - Does Apache Wicket 6 support any other solution to hinder CSRF?
>>> >> > > >
>>> >> > > >
>>> >> > > > --
>>> >> > > > Best regards
>>> >> > > > Magnus K Karlsson
>>> >> > > >
>>> >> > > > Mobile: +46 (0)70 218 00 84
>>> >> > > > Email: magnus.r.karls...@gmail.com
>>> >> > > > Blog: magnus-k-karlsson.blogspot.com
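To show the per-session-key behaviour this thread settles on, here is an added stand-alone Java model (not code from the thread, and not Wicket's own KeyInSessionSunJceCryptFactory or SunJceCrypt): each session id gets its own random key, so a token encrypted under session A decrypts there but is rejected (null) when presented under session B, which is the copy-the-URL-into-another-browser test described above. AES-GCM, the HashMap key store and the session ids are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
/** Per-session URL crypt (added model, assumption: AES-GCM and a HashMap stand in for Wicket's SunJceCrypt and HttpSession). */
public class PerSessionUrlCrypt {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, SecretKey> keysBySession = new HashMap<>();
    // As with KeyInSessionSunJceCryptFactory, a session's key is created on first use
    private SecretKey keyFor(String sessionId) {
        return keysBySession.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);
            return new SecretKeySpec(raw, "AES");
        });
    }
    // Encrypts a URL segment under the session's key: base64url(iv || ciphertext || tag)
    public String encryptUrl(String sessionId, String url) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyFor(sessionId), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(url.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    // Returns the plain URL, or null when the token was not produced under this session's key
    public String decryptUrl(String sessionId, String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, keyFor(sessionId), new GCMParameterSpec(128, in, 0, 12));
            return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null; // tag mismatch: a URL pasted from another browser's session is rejected
        }
    }
    public static void main(String[] args) throws Exception {
        PerSessionUrlCrypt crypt = new PerSessionUrlCrypt();
        String token = crypt.encryptUrl("session-A", "/ListPersons?person=42"); // constructed sample
        System.out.println("own session:   " + crypt.decryptUrl("session-A", token));
        System.out.println("other session: " + crypt.decryptUrl("session-B", token));
    }
}
```

The same token printed twice is the point: the first lookup yields the page URL, the second yields null because session B's key fails the GCM authentication check, so a URL copied between browsers is not usable without that browser's own session.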