The solution to generate a unique URL for each session is to change the
default ICryptFactory to KeyInSessionSunJceCryptFactory.

        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));


2013/5/28 Magnus K Karlsson <magnus.r.karls...@gmail.com>

> I might have solved the problem. The default ICryptFactory is
>
> /**
>  * Default crypt factory. This factory will instantiate a {@link SunJceCrypt} once and cache it for
>  * all further invocations of {@link #newCrypt()}.
>  *
>  * @author Igor Vaynberg (ivaynberg)
>  */
> public class CachingSunJceCryptFactory extends CryptFactoryCachingDecorator
>
> and what I want, i.e. a unique URL for each session, is
>
> /**
>  * Crypt factory that produces {@link SunJceCrypt} instances based on http session-specific
>  * encryption key. This allows each user to have their own encryption key, hardening against CSRF
>  * attacks.
>  *
>  * Note that the use of this crypt factory will result in an immediate creation of a http session
>  *
>  * @author igor.vaynberg
>  */
> public class KeyInSessionSunJceCryptFactory implements ICryptFactory
>
> Now I just need to figure out how to configure it.
>
>
> 2013/5/28 Magnus K Karlsson <magnus.r.karls...@gmail.com>
>
>> Start will not work, since security is enabled. I'm attaching a new zip
>> file with security disabled, and I added getSession().bind(); I can
>> verify that the Session Ids are different in the two different browsers.
>>
>> -----------------------
>> web.xml
>> -----------------------
>> <?xml version="1.0" encoding="UTF-8"?>
>> <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>>          version="3.0">
>>
>>     <display-name>example-wicket</display-name>
>>
>>     <filter>
>>         <filter-name>wicket.example-wicket</filter-name>
>>         <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
>>         <init-param>
>>             <param-name>applicationClassName</param-name>
>>             <param-value>se.msc.examples.WicketApplication</param-value>
>>         </init-param>
>>         <init-param>
>>             <param-name>configuration</param-name>
>>             <!-- <param-value>development</param-value> -->
>>             <param-value>deployment</param-value>
>>         </init-param>
>>         <init-param>
>>             <param-name>ignorePaths</param-name>
>>             <param-value>/*.jsp</param-value>
>>         </init-param>
>>     </filter>
>>
>>     <filter-mapping>
>>         <filter-name>wicket.example-wicket</filter-name>
>>         <url-pattern>/*</url-pattern>
>>     </filter-mapping>
>>
>>     <session-config>
>>         <!-- Session timeout after X MINUTES after no user interaction. -->
>>         <session-timeout>15</session-timeout>
>>         <cookie-config>
>>             <!-- XSS attack: make sure that cookie cannot be accessed via client side scripts -->
>>             <http-only>true</http-only>
>>             <!-- CSRF attack, session hijack attack: require cookie can only be used for SSL communication.
>>             <secure>true</secure> -->
>>         </cookie-config>
>>         <!-- Do not use URL, since then it can be stored in numerous places:
>>              browser history, proxy server log, referrer logs, web logs, etc. -->
>>         <tracking-mode>COOKIE</tracking-mode>
>>     </session-config>
>>
>> </web-app>
>>
>> -----------------------
>> jboss-web.xml
>> -----------------------
>> <?xml version="1.0" encoding="UTF-8"?>
>> <jboss-web>
>>     <context-root>example-wicket</context-root>
>> </jboss-web>
>>
>> I still get the same result
>>
>>
>>
>> 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>>
>>> Hi,
>>>
>>> Your app fails to start due to:
>>> WARN  - AbstractLifeCycle          - FAILED org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d: java.lang.IllegalStateException: No LoginService for org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
>>> java.lang.IllegalStateException: No LoginService for org.eclipse.jetty.security.authentication.FormAuthenticator@c163956 in org.eclipse.jetty.security.ConstraintSecurityHandler@70e434d
>>>     at org.eclipse.jetty.security.authentication.LoginAuthenticator.setConfiguration(LoginAuthenticator.java:44)
>>>     at org.eclipse.jetty.security.authentication.FormAuthenticator.setConfiguration(FormAuthenticator.java:103)
>>> ...
>>>
>>> I see it is prepared for JBoss.
>>> I tried to run it with Jetty's Start.java.
>>>
>>> Add getSession().bind() before checking the ids.
>>>
>>>
>>>
>>>
>>> On Tue, May 28, 2013 at 11:51 AM, Magnus K Karlsson <
>>> magnus.r.karls...@gmail.com> wrote:
>>>
>>> > That is what I'm trying to do. I have created a simple Apache Wicket 6.8.0
>>> > project. I have attached it. I'm not sure if it will be posted to the list.
>>> >
>>> > public class WicketApplication extends WebApplication {
>>> > ...
>>> >     public void init() {
>>> >         super.init();
>>> >         IRequestMapper cryptoMapper;
>>> >         cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
>>> >         setRootRequestMapper(cryptoMapper);
>>> >     }
>>> >
>>> >     public final HttpServletRequest getHttpServletRequest() {
>>> >         return (HttpServletRequest) getRequest().getContainerRequest();
>>> >     }
>>> >
>>> >     protected final Request getRequest() {
>>> >         RequestCycle requestCycle = RequestCycle.get();
>>> >         if (requestCycle == null) {
>>> >             throw new WicketRuntimeException(
>>> >                     "No RequestCycle is currently set!");
>>> >         }
>>> >         return requestCycle.getRequest();
>>> >     }
>>> > }
>>> >
>>> > I have two simple web pages that print the Session Id
>>> >
>>> > public class ListPersons extends WebPage {
>>> >
>>> >     private static final long serialVersionUID = 1L;
>>> >
>>> >     public ListPersons(final PageParameters parameters) {
>>> >         super(parameters);
>>> >
>>> >         add(new Label("label1", getSession().getId()));
>>> >
>>> >         add(new Label("label2", WicketApplication.get().getHttpServletRequest().getSession().getId()));
>>> >     }
>>> > }
>>> >
>>> > I have enabled security, but I'm not sure if that is necessary; I only
>>> > want to make sure that an HTTP Session is created and that they are
>>> > different for the two browsers.
>>> >
>>> > I have two browsers, Firefox and Chrome.
>>> > 1. I log in in the first browser. I can see that I get a session Id.
>>> > 2. Then I copy the URL from browser 1 into browser two.
>>> > 3. And I can open it with the pasted URL, and a new session id is created.
>>> >
>>> > Does this not work on bookmarkable pages? Both my pages have the following
>>> > constructors.
>>> >
>>> >
>>> > 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>>> >
>>> >> On Tue, May 28, 2013 at 11:03 AM, Magnus K Karlsson <
>>> >> magnus.r.karls...@gmail.com> wrote:
>>> >>
>>> >> > Thanks for your fast reply!
>>> >> >
>>> >> > I have tested CryptoMapper, but as far as I can see the CryptoMapper does
>>> >> > not return a unique URL for each session, as suggested by OWASP
>>> >> >
>>> >>
>>> >> The session id is used to encrypt/decrypt the url segment.
>>> >> If you make a request with an encrypted url from a new browser it won't let
>>> >> you in.
>>> >>
>>> >>
>>> >> >
>>> >> > "The synchronizer token pattern requires the generating of random
>>> >> > "challenge" tokens that are associated with the user's current session."
>>> >> >
>>> >> > Is this correct?
>>> >> >
>>> >> > If yes, is there any way to accomplish this?
>>> >> >
>>> >> >
>>> >> > 2013/5/28 Martin Grigorov <mgrigo...@apache.org>
>>> >> >
>>> >> > > Hi,
>>> >> > >
>>> >> > >
>>> >> > > On Tue, May 28, 2013 at 10:32 AM, Magnus K Karlsson <
>>> >> > > magnus.r.karls...@gmail.com> wrote:
>>> >> > >
>>> >> > > > Hi,
>>> >> > > >
>>> >> > > > I'm looking for protection against CSRF and found an old issue for
>>> >> > > > Apache Wicket 1.3.4.
>>> >> > > >
>>> >> > > > https://issues.apache.org/jira/browse/WICKET-1782
>>> >> > > >
>>> >> > > > And as far as I have understood, Apache Wicket does not support the
>>> >> > > > Synchronizer Token Pattern, as suggested at
>>> >> > > >
>>> >> > > > https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
>>> >> > > >
>>> >> > > > but Apache Wicket 1.3 did support CryptedUrlWebRequestCodingStrategy,
>>> >> > > > so now my question.
>>> >> > > >
>>> >> > > > - Does Apache Wicket 6 support CryptedUrlWebRequestCodingStrategy? I cannot
>>> >> > > > find the CryptedUrlWebRequestCodingStrategy class. If the class has been
>>> >> > > > renamed, please submit an example how to use this new class.
>>> >> > > >
>>> >> > >
>>> >> > > IRequestCodingStrategy has been reworked to IRequestMapper in Wicket 1.5.0.
>>> >> > > The class you need is CryptoMapper.
>>> >> > > Please have a look at
>>> >> > >
>>> >> > > https://cwiki.apache.org/confluence/display/WICKET/Request+mapping#Requestmapping-CryptoMapper
>>> >> > >
>>> >> > >
>>> >> > > >
>>> >> > > > - Does Apache Wicket 6 support any other solution to hinder CSRF?
>>> >> > > >
>>> >> > > >
>>> >> > > >
>>> >> > > > --
>>> >> > > > Best regards
>>> >> > > > Magnus K Karlsson
>>> >> > > >
>>> >> > > > Mobile: +46 (0)70 218 00 84
>>> >> > > > Email: magnus.r.karls...@gmail.com
>>> >> > > > Blog: magnus-k-karlsson.blogspot.com
>>> >> > > >
>>> >> > >
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >>
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > ---------------------------------------------------------------------
>>> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>>> > For additional commands, e-mail: users-h...@wicket.apache.org
>>> >
>>>
>>
>>
>>
>>
>
>
>
>




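To make the thread's conclusion concrete, here is an added example (not code from the thread or from the Wicket project itself): a WebApplication that installs KeyInSessionSunJceCryptFactory under the CryptoMapper, followed by a small stand-alone demonstration of why the factory matters. Using Wicket's SunJceCrypt directly, a URL segment encrypted under one session's key does not decrypt under another session's key, which is what ties an encrypted URL to the browser session that produced it; with the default CachingSunJceCryptFactory every session shares one application-wide key, so the same URL decrypts anywhere, which is the behaviour observed in the thread. The example assumes Wicket 6 package names (org.apache.wicket.core.request.mapper.CryptoMapper, org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory) and the ListPersons page class from the thread; SimulatedSession and SessionKeyDemo are constructed for illustration, and the per-session UUID key is a simplified model of the factory, not its actual code.

```java
import java.util.UUID;

import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.crypt.SunJceCrypt;

public class WicketApplication extends WebApplication {

    @Override
    public Class<? extends WebPage> getHomePage() {
        // ListPersons is the page class from the thread; assumed to exist in the project.
        return ListPersons.class;
    }

    @Override
    public void init() {
        super.init();
        // The default CachingSunJceCryptFactory builds one SunJceCrypt with one key for the whole
        // application, so an encrypted URL copied out of one browser still decrypts in another.
        // KeyInSessionSunJceCryptFactory keeps a separate key in each HTTP session instead.
        // Side effect (from its javadoc): the HTTP session is created on the first request.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
        // Wrap the existing root mapper so every URL the application renders is encrypted.
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
    }
}

/** Hypothetical stand-in for an HTTP session: holds its own random key, like the session attribute
 *  KeyInSessionSunJceCryptFactory uses. Constructed for this example only. */
class SimulatedSession {
    private final String key = UUID.randomUUID().toString();

    ICrypt crypt() {
        SunJceCrypt crypt = new SunJceCrypt();
        crypt.setKey(key);
        return crypt;
    }
}

/** Shows that an encrypted URL segment is only usable in the session whose key produced it. */
class SessionKeyDemo {

    /** True when a segment encrypted by {@code producer} decrypts back to itself in {@code consumer}. */
    static boolean decryptsInSession(SimulatedSession producer, SimulatedSession consumer, String segment) {
        String encrypted = producer.crypt().encryptUrlSafe(segment);
        String decrypted;
        try {
            // AbstractCrypt returns null when decryption fails; guard against exceptions as well.
            decrypted = consumer.crypt().decryptUrlSafe(encrypted);
        } catch (RuntimeException e) {
            decrypted = null;
        }
        return segment.equals(decrypted);
    }

    public static void main(String[] args) {
        String segment = "ListPersons?3"; // constructed URL segment, as CryptoMapper would encrypt it
        SimulatedSession browserOne = new SimulatedSession();
        SimulatedSession browserTwo = new SimulatedSession();

        System.out.println("same session:  " + decryptsInSession(browserOne, browserOne, segment));
        System.out.println("other session: " + decryptsInSession(browserOne, browserTwo, segment));
    }
}
```

Run SessionKeyDemo.main with wicket-core and wicket-util on the classpath. The same-session check holds; the other-session check does not, because a segment encrypted under one PBE key either fails padding (decryptUrlSafe then yields null) or decrypts to a different string under another key. An application-wide key would make both checks pass, which is exactly what made the copied URL usable in a second browser in the thread; note also that a per-session key does nothing for a request that already carries a valid session cookie, so this hardening complements rather than replaces the cookie settings in the quoted web.xml.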