I have just checked CsrfPreventionRequestCycleListener with overridden
isChecked and it produces no errors

I would vote for WebSocketAwareCsrfPreventionRequestCycleListener :)

On Tue, May 16, 2017 at 5:50 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
> Hi Maxim,
>
> You can use
>
> getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
>     @Override
>     protected boolean isChecked(IRequestHandler handler)
>     {
>         // WebSocket message handlers carry no HTTP headers, so the Origin check is skipped for them
>         if (handler instanceof WebSocketRequestHandler
>             || handler instanceof WebSocketMessageBroadcastHandler) {
>             return false;
>         }
>         return super.isChecked(handler);
>     }
> });
>
>
> The upgrade request has a proper Origin header:
>
>
>    Accept-Encoding: gzip, deflate, sdch, br
>    Accept-Language: en-US,en;q=0.8,bg;q=0.6
>    Cache-Control: no-cache
>    Connection: Upgrade
>    Cookie: ....
>    DNT: 1
>    Host: localhost:8080
>    Origin: http://localhost:8080
>    Pragma: no-cache
>    Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
>    Sec-WebSocket-Key: FcSNIsIh3HO95UGmMUA27g==
>    Sec-WebSocket-Version: 13
>    Upgrade: websocket
>    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
>
> But the following communication is via the WebSocket connection and the
> packets there do not bring request headers.
> Wicket Native WebSocket module creates WebSocketRequest for each WS message
> and those do not have request headers, so they can be safely ignored.
> Maybe we can introduce WebSocketAwareCsrfPreventionRequestCycleListener in
> wicket-native-websocket-core and recommend its usage when the app uses
> WebSockets?!
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Mon, May 15, 2017 at 11:26 AM, Maxim Solodovnik <solomax...@gmail.com>
> wrote:
>
>> Example project demonstrating it is here:
>> https://github.com/solomax/ajax-download
>>
>>
>> html with WebSocket.send:
>> https://github.com/solomax/ajax-download/commit/84af661b1e5e110419f17dbf9295547c135a0cc5#diff-217ea4d3217197ce4ece382e050a7302R26
>>
>> On Mon, May 15, 2017 at 3:14 PM, Maxim Solodovnik <solomax...@gmail.com>
>> wrote:
>> > Thanks a lot for checking Martin,
>> >
>> > The issue seems to be caused by the following code in *.html (reproducible
>> > using quickstart)
>> >
>> > <script type="text/javascript">
>> > $(function() {
>> >   Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, function() {
>> >     Wicket.WebSocket.send("socketConnected");
>> >   });
>> > });
>> > </script>
>> >
>> > I guess I need to manually set missing headers in such call
>> >
>> > Can you please help to set necessary headers?
>> >
>> > On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov <mgrigo...@apache.org>
>> wrote:
>> >> Hi Maxim,
>> >>
>> >> Just adding getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
>> >> to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't
>> >> lead to any error.
>> >>
>> >> Martin Grigorov
>> >> Wicket Training and Consulting
>> >> https://twitter.com/mtgrigorov
>> >>
>> >> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>> >>
>> >>> Hello Martin,
>> >>>
>> >>> were you able to take a look at it?
>> >>> I was hoping to have M6 with working Csrf+WebSockets ....
>> >>>
>> >>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>> >>> > Thanks a million, Martin :)
>> >>> >
>> >>> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
>> >>> >> Hi Maxim,
>> >>> >>
>> >>> >> I don't use this combination.
>> >>> >> But I will try to test it soon and see what can be done.
>> >>> >>
>> >>> >> Martin Grigorov
>> >>> >> Wicket Training and Consulting
>> >>> >> https://twitter.com/mtgrigorov
>> >>> >>
>> >>> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>> >>> >>
>> >>> >>> Does anybody use this filter?
>> >>> >>>
>> >>> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>> >>> >>> > Hello All,
>> >>> >>> >
>> >>> >>> > I have just tried to add CsrfPreventionRequestCycleListener to our
>> >>> >>> > application; everything seems to work except for WebSockets :(
>> >>> >>> >
>> >>> >>> > Now I'm getting
>> >>> >>> >
>> >>> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
>> >>> >>> > Possible CSRF attack, request URL:
>> >>> >>> > /openmeetings/wicket/websocket?pageId=1&wicket-ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
>> >>> >>> > Origin: null, action: aborted with error 400 Origin does not
>> >>> >>> > correspond to request
>> >>> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.ws.api.WebSocketResponse -
>> >>> >>> > An HTTP error response in WebSocket communication would not be processed by the
>> >>> >>> > browser! If you need to send the error code and message to the client
>> >>> >>> > then configure custom WebSocketResponse via
>> >>> >>> > WebSocketSettings#newWebSocketResponse() factory method and override
>> >>> >>> > #sendError() method to write them in an appropriate format for your
>> >>> >>> > application. The ignored error code is '400' and the message: 'Origin
>> >>> >>> > does not correspond to request'.
>> >>> >>> >
>> >>> >>> > in the logs ...
>> >>> >>> > What should I do to set Origin for Websockets?
>> >>> >>> >
>> >>> >>> > --
>> >>> >>> > WBR
>> >>> >>> > Maxim aka solomax
>> >>> >>>
>> >>> >>>
>> >>> >>>
>> >>> >>> --
>> >>> >>> WBR
>> >>> >>> Maxim aka solomax
>> >>> >>>
>> >>> >>> ---------------------------------------------------------------------
>> >>> >>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>> >>> >>> For additional commands, e-mail: users-h...@wicket.apache.org
>> >>> >>>
>> >>> >>>
>> >>> >
>> >>> >
>> >>> >
>> >>> > --
>> >>> > WBR
>> >>> > Maxim aka solomax
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> WBR
>> >>> Maxim aka solomax
>> >>>
>> >>>
>> >>>
>> >
>> >
>> >
>> > --
>> > WBR
>> > Maxim aka solomax
>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>>
>>



-- 
WBR
Maxim aka solomax

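Added example, not Wicket's code and not from either poster: a standalone Python model of the decision the overridden listener makes. The HTTP upgrade request, which carries Origin and Host, is checked; a per-message WebSocketRequest, which carries no HTTP headers, is skipped. Passing `websocket_aware=False` reproduces the "Origin: null ... aborted with error 400" situation from the log above. The header values are constructed from the ones quoted in the thread and `other.example` is a made-up origin.

```python
"""Model (added example, not Wicket's own code) of the CSRF origin decision for
a WebSocket-enabled Wicket app: the upgrade request has Origin/Host and is checked,
the WebSocket messages that follow have no HTTP headers and must be skipped."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ABORT_MESSAGE = "Origin does not correspond to request"
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    headers: dict = field(default_factory=dict)  # lower-cased header names
    is_websocket_message: bool = False  # True for a per-message WebSocketRequest


def _authority(netloc: str, scheme: str) -> tuple:
    """Split 'host[:port]' into (host, port), filling in the scheme's default port."""
    host, sep, port = netloc.rpartition(":")
    if not sep:
        return netloc.lower(), DEFAULT_PORTS.get(scheme, 0)
    return host.lower(), int(port) if port.isdigit() else -1


def origin_matches_host(origin: str, host: str) -> bool:
    """Origin corresponds to the request when its authority equals the Host header."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.netloc:
        return False  # also rejects a missing or literal "null" origin
    return _authority(parts.netloc, parts.scheme) == _authority(host, parts.scheme)


def is_checked(req: Request, websocket_aware: bool) -> bool:
    """Mirror of the isChecked override: WebSocket message handlers are not checked."""
    return not (websocket_aware and req.is_websocket_message)


def csrf_decision(req: Request, websocket_aware: bool = True) -> tuple:
    """Return ('allowed', None) or ('aborted', 400, ABORT_MESSAGE) for a request."""
    if not is_checked(req, websocket_aware):
        return ("allowed", None)
    origin, host = req.headers.get("origin"), req.headers.get("host")
    if not origin or not host or not origin_matches_host(origin, host):
        return ("aborted", 400, ABORT_MESSAGE)
    return ("allowed", None)


# Constructed samples modelled on the upgrade headers quoted in the thread.
UPGRADE = Request({"host": "localhost:8080", "origin": "http://localhost:8080"})
FRAME = Request(is_websocket_message=True)  # Wicket.WebSocket.send(...): no headers
FOREIGN = Request({"host": "localhost:8080", "origin": "http://other.example"})
```

The model only covers the Origin-vs-Host comparison; Wicket's listener also supports accepted-origin lists and configurable actions that are not modelled here.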
