Hi, does anyone else have any ideas what I could do here? Is there anyone out there who's successfully got the CSRF protection up and running in production?
On Fri, Sep 8, 2017 at 10:31 AM, Wayne W <waynemailingli...@gmail.com> wrote:
> Thanks Martin,
>
> so I've used this:
>
> setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(), new KeyInSessionSunJceCryptFactory()));
>
> public class PostUrlCryptMapper extends CryptoMapper {
>
>     /**
>      * @param wrappedMapper
>      * @param cryptFactory
>      */
>     private static Log log = LogFactory.getLog(PostUrlCryptMapper.class);
>
>     public PostUrlCryptMapper(IRequestMapper wrappedMapper, final KeyInSessionSunJceCryptFactory cryptFactory) {
>         super(wrappedMapper, new IProvider<ICrypt>() {
>             @Override
>             public ICrypt get() {
>                 return cryptFactory.newCrypt();
>             }
>         });
>     }
>
>     public Url mapHandler(final IRequestHandler requestHandler)
>     {
>         if (isFormListenerInterfaceRequestHandler(requestHandler)) {
>             return super.mapHandler(requestHandler);
>         } else {
>             return getDelegateMapper().mapHandler(requestHandler);
>         }
>     }
>
>     public IRequestHandler mapRequest(final Request request)
>     {
>         final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request);
>         if (requestHandler == null) {
>             return super.mapRequest(request);
>         }
>         return requestHandler;
>     }
>
>     /**
>      * Returns true, whether the attached component to ListenerInterfaceRequestHandler is in form container.
>      * @param requestHandler
>      * @return
>      */
>     private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) {
>         if (requestHandler instanceof ListenerInterfaceRequestHandler) {
>             ListenerInterfaceRequestHandler listenerInterfaceRequestHandler = (ListenerInterfaceRequestHandler) requestHandler;
>             IRequestableComponent c = listenerInterfaceRequestHandler.getComponent();
>             if (c instanceof Form) {
>                 log.info("Form found!");
>                 return true;
>             }
>         }
>         // else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) {
>         //     BookmarkableListenerInterfaceRequestHandler handler = (BookmarkableListenerInterfaceRequestHandler) requestHandler;
>         //     IRequestableComponent c = handler.getComponent();
>         //     if (c instanceof Form) {
>         //         log.info("Form found!");
>         //         return true;
>         //     }
>         // }
>         return false;
>     }
> }
>
> However what I am finding is that any form on a stateless/bookmarkable page is not being encrypted. I tried to work around this with the section of code that's commented out (BookmarkableListenerInterfaceRequestHandler). This then encrypts the form action fine, but then I get 2 bits of odd behaviour:
>
> - On pages that are bookmarkable, if there is a constructor that has PageParameters, the page is just recreated and the submit is ignored (when pressing submit). If I remove the PageParameters constructor then it works fine.
> - On stateless pages, again when submitting the form it just recreates the page
>
> public class SomeLoginPage extends WebPage {
>
>     public SomeLoginPage() {
>         setStatelessHint(true);
>         add(new FeedbackPanel("feedback"));
>         add(new SignInForm("signInForm").setOutputMarkupId(false));
>     }
>
>     public final class SignInForm extends StatelessForm<ValueMap> {
>
>         public SignInForm(final String id) {
>             super(id, new CompoundPropertyModel<ValueMap>(new ValueMap()));
>
>             add(new TextField<String>("username").setOutputMarkupId(false));
>             add(new PasswordTextField("password").setOutputMarkupId(false));
>         }
>
>         /**
>          *
>          * @see org.apache.wicket.markup.html.form.Form#onSubmit()
>          */
>         public void onSubmit() {
>             ValueMap values = getModelObject();
>             String username = values.getString("username");
>             String password = values.getString("password");
>
>             if (signIn(username, password)) {
>                 ((HubSession) Session.get()).setAdminAthenticated(true);
>                 ContextUtil.get().setUser(null);
>
>                 setResponsePage(CompanyAdminPage.class);
>             } else {
>                 // Try the component based localizer first. If not found try the
>                 // application localizer. Else use the default
>                 error(getLocalizer().getString("exception.login", this, "Illegal username password combo"));
>             }
>         }
>
>         private boolean signIn(String username, String password) {
>             // TODO authentication
>             return false;
>         }
>     }
> }
>
> Any ideas?
>
> On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
>> org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
>> instanceOf Form
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>> On Thu, Sep 7, 2017 at 11:04 AM, Wayne W <waynemailingli...@gmail.com> wrote:
>>
>> > Thanks Martin,
>> >
>> > how can I tell for example if the IPageClassRequestHandler or ListenerInterfaceRequestHandler is for a form?
>> >
>> > On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
>> >
>> > > Hi,
>> > >
>> > > I don't use any of these so I don't have much experience in production with them!
>> > >
>> > > On Wed, Sep 6, 2017 at 12:07 PM, Wayne W <waynemailingli...@gmail.com> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I've been trying to use CsrfPreventionRequestCycleListener in production. However we are seeing in the logs that about 30 times a day we get the request aborted because the clients' browsers are sometimes not sending the referrer header. Doing some research it seems we cannot rely on the client's browser to send the referrer and it could be somewhat buggy in older browsers.
>> > > >
>> > > > Does anyone else experience this trouble?
>> > > >
>> > > > Are there any alternatives?
>> > > >
>> > > > I did try:
>> > > >
>> > > > getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
>> > > >
>> > > > setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
>> > > >
>> > > > However this encrypts everything (resources, urls, etc). Is there a way of just encrypting say forms and links or something?
>> > > >
>> > >
>> > > You can override CryptoMapper#mapHandler() and call super.mapHandler() only when the IRequestHandler is not an instance of IPageClassRequestHandler or only when it is ListenerInterfaceRequestHandler.
>> > >
>> > > > Anyone got a solution that works for them in production?
>> > > >
>> > > > many thanks
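The thread's original problem was CsrfPreventionRequestCycleListener aborting roughly 30 requests a day because some browsers send no Referer (or Origin) header. The following is an added example, written for this page and not code from the thread or from the Wicket project: a WebApplication that keeps the listener enabled, treats "no origin header at all" differently from "origin present but wrong", and logs both decisions so the two cases can be told apart in production logs. It assumes the Wicket 7.x API as I recall it (CsrfAction, setNoOriginAction, setConflictingOriginAction, addAcceptedOrigin, and the onSuppressed/onAborted hooks); HomePage and the accepted origin URL are placeholders.

```java
// Added example (not from this thread or the Wicket project). Assumes the
// Wicket 7.x CsrfPreventionRequestCycleListener API; HomePage and the origin
// string are placeholders.
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class CsrfAwareApplication extends WebApplication {

    private static final Logger log = LoggerFactory.getLogger(CsrfAwareApplication.class);

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // placeholder: the application's real home page
    }

    @Override
    protected void init() {
        super.init();

        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener() {

            // Called when no Origin/Referer header was sent and the configured
            // action is SUPPRESS: the page still renders, the listener action
            // (form submit, link click) is not executed.
            @Override
            protected void onSuppressed(HttpServletRequest request, String origin, IRequestablePage page) {
                log.warn("CSRF check: no origin header, action suppressed for {} (remote {}, UA {})",
                        page.getClass().getName(), request.getRemoteAddr(),
                        request.getHeader("User-Agent"));
            }

            // Called when an Origin/Referer was sent but does not match this
            // application's host or an accepted origin: a real cross-site request.
            @Override
            protected void onAborted(HttpServletRequest request, String origin, IRequestablePage page) {
                log.warn("CSRF check: conflicting origin {} for {} (remote {}), request aborted",
                        origin, page.getClass().getName(), request.getRemoteAddr());
            }
        };

        // A missing header is "cannot tell", not a proven attack: suppress the
        // action instead of answering 400. If forms are additionally protected
        // by session-keyed encrypted action URLs (the CryptoMapper approach in
        // the thread), CsrfAction.ALLOW is a defensible alternative here.
        csrf.setNoOriginAction(CsrfAction.SUPPRESS);

        // A present but different origin is a definite mismatch: keep aborting.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);

        // Other origins that may legitimately post to this application
        // (placeholder value; add only hosts you control).
        csrf.addAcceptedOrigin("https://app.example.com");

        getRequestCycleListeners().add(csrf);
    }
}
```

The two log lines carry different operational meaning: "no origin header" events correlate with specific user agents and should track the ~30/day baseline from the thread, while "conflicting origin" events are the ones worth alerting on. Keeping the conflicting-origin action at ABORT means relaxing the no-origin case does not weaken detection of actual cross-site submissions.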