I have just checked CsrfPreventionRequestCycleListener with overridden isChecked and it produces no errors.
I would vote for WebSocketAwareCsrfPreventionRequestCycleListener :)

On Tue, May 16, 2017 at 5:50 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
> Hi Maxim,
>
> You can use
>
>     getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
>         @Override
>         protected boolean isChecked(IRequestHandler handler)
>         {
>             if (handler instanceof WebSocketRequestHandler || handler instanceof WebSocketMessageBroadcastHandler) {
>                 return false;
>             }
>             return super.isChecked(handler);
>         }
>     });
>
> The upgrade request has a proper Origin header:
>
> 1. Accept-Encoding: gzip, deflate, sdch, br
> 2. Accept-Language: en-US,en;q=0.8,bg;q=0.6
> 3. Cache-Control: no-cache
> 4. Connection: Upgrade
> 5. Cookie: ....
> 6. DNT: 1
> 7. Host: localhost:8080
> 8. Origin: http://localhost:8080
> 9. Pragma: no-cache
> 10. Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
> 11. Sec-WebSocket-Key: FcSNIsIh3HO95UGmMUA27g==
> 12. Sec-WebSocket-Version: 13
> 13. Upgrade: websocket
> 14. User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
>
> But the following communication is via the WebSocket connection and the packets there do not bring request headers.
> Wicket Native WebSocket module creates WebSocketRequest for each WS message and those do not have request headers, so they can be safely ignored.
> Maybe we can introduce WebSocketAwareCsrfPreventionRequestCycleListener in wicket-native-websocket-core and recommend its usage when the app uses WebSockets ?!
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Mon, May 15, 2017 at 11:26 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>
>> Example project demonstrating it is here:
>> https://github.com/solomax/ajax-download
>>
>> html with WebSocket.send:
>> https://github.com/solomax/ajax-download/commit/84af661b1e5e110419f17dbf9295547c135a0cc5#diff-217ea4d3217197ce4ece382e050a7302R26
>>
>> On Mon, May 15, 2017 at 3:14 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>>> Thanks a lot for checking Martin,
>>>
>>> The issue seems to be caused by the following code in *.html (reproducible using quickstart):
>>>
>>>     <script type="text/javascript">
>>>     $(function() {
>>>         Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, function() {
>>>             Wicket.WebSocket.send("socketConnected");
>>>         });
>>>     });
>>>     </script>
>>>
>>> I guess I need to manually set missing headers in such call.
>>>
>>> Can you please help to set necessary headers?
>>>
>>> On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
>>>> Hi Maxim,
>>>>
>>>> Just adding getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
>>>> to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't lead to any error.
>>>>
>>>> Martin Grigorov
>>>> Wicket Training and Consulting
>>>> https://twitter.com/mtgrigorov
>>>>
>>>> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>>>>
>>>>> Hello Martin,
>>>>>
>>>>> were you able to take a look at it?
>>>>> I was hoping to have M6 with working Csrf+WebSockets ....
>>>>>
>>>>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>>>>>> Thanks a million, Martin :)
>>>>>>
>>>>>> On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
>>>>>>> Hi Maxim,
>>>>>>>
>>>>>>> I don't use this combination.
>>>>>>> But I will try to test it soon and see what can be done.
>>>>>>>
>>>>>>> Martin Grigorov
>>>>>>> Wicket Training and Consulting
>>>>>>> https://twitter.com/mtgrigorov
>>>>>>>
>>>>>>> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Does anybody use this filter?
>>>>>>>>
>>>>>>>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <solomax...@gmail.com> wrote:
>>>>>>>>> Hello All,
>>>>>>>>>
>>>>>>>>> I have just tried to add CsrfPreventionRequestCycleListener to our application;
>>>>>>>>> everything seems to work except for Websockets :(
>>>>>>>>>
>>>>>>>>> Now I'm getting
>>>>>>>>>
>>>>>>>>>     [INFO] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: /openmeetings/wicket/websocket?pageId=1&wicket-ajax-baseurl=&wicket-app-name=OpenmeetingsApplication, Origin: null, action: aborted with error 400 Origin does not correspond to request
>>>>>>>>>     [WARN] [http-nio-0.0.0.0-5080-exec-9] org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error response in WebSocket communication would not be processed by the browser! If you need to send the error code and message to the client then configure custom WebSocketResponse via WebSocketSettings#newWebSocketResponse() factory method and override #sendError() method to write them in an appropriate format for your application. The ignored error code is '400' and the message: 'Origin does not correspond to request'.
>>>>>>>>>
>>>>>>>>> in the logs ...
>>>>>>>>> What should I do to set Origin for Websockets?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> WBR
>>>>>>>>> Maxim aka solomax
>>>>>>>>
>>>>>>>> --
>>>>>>>> WBR
>>>>>>>> Maxim aka solomax
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>>>>>>>> For additional commands, e-mail: users-h...@wicket.apache.org
>>>>>>
>>>>>> --
>>>>>> WBR
>>>>>> Maxim aka solomax
>>>>>
>>>>> --
>>>>> WBR
>>>>> Maxim aka solomax
>>>
>>> --
>>> WBR
>>> Maxim aka solomax
>>
>> --
>> WBR
>> Maxim aka solomax

--
WBR
Maxim aka solomax