Hi,

does anyone else have any ideas about what I could do here? Is there anyone out
there who's successfully got the CSRF protection up and running in
production?

On Fri, Sep 8, 2017 at 10:31 AM, Wayne W <waynemailingli...@gmail.com>
wrote:

> Thanks Martin,
>
> so I've used this:
>
> setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(),
>         new KeyInSessionSunJceCryptFactory()));
>
>
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
> import org.apache.wicket.core.request.handler.BookmarkableListenerInterfaceRequestHandler;
> import org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler;
> import org.apache.wicket.core.request.mapper.CryptoMapper;
> import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
> import org.apache.wicket.markup.html.form.Form;
> import org.apache.wicket.request.IRequestHandler;
> import org.apache.wicket.request.IRequestMapper;
> import org.apache.wicket.request.Request;
> import org.apache.wicket.request.Url;
> import org.apache.wicket.request.component.IRequestableComponent;
> import org.apache.wicket.util.IProvider;
> import org.apache.wicket.util.crypt.ICrypt;
>
> public class PostUrlCryptMapper extends CryptoMapper {
>
>     private static Log log = LogFactory.getLog(PostUrlCryptMapper.class);
>
>     /**
>      * @param wrappedMapper the mapper whose URLs are selectively encrypted
>      * @param cryptFactory  supplies the per-session crypt used for encryption
>      */
>     public PostUrlCryptMapper(IRequestMapper wrappedMapper,
>                               final KeyInSessionSunJceCryptFactory cryptFactory) {
>         super(wrappedMapper, new IProvider<ICrypt>() {
>             @Override
>             public ICrypt get() {
>                 return cryptFactory.newCrypt();
>             }
>         });
>     }
>
>     /** Encrypt only URLs that target a Form's listener; pass everything else through unencrypted. */
>     @Override
>     public Url mapHandler(final IRequestHandler requestHandler) {
>         if (isFormListenerInterfaceRequestHandler(requestHandler)) {
>             return super.mapHandler(requestHandler);
>         } else {
>             return getDelegateMapper().mapHandler(requestHandler);
>         }
>     }
>
>     /** Try the plain (unencrypted) mapping first; fall back to decrypting if it does not resolve. */
>     @Override
>     public IRequestHandler mapRequest(final Request request) {
>         final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request);
>         if (requestHandler == null) {
>             return super.mapRequest(request);
>         }
>         return requestHandler;
>     }
>
>     /**
>      * Returns true when the component attached to the
>      * ListenerInterfaceRequestHandler is a Form.
>      *
>      * @param requestHandler the handler produced for the current request
>      * @return true if the handler targets a Form
>      */
>     private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) {
>         if (requestHandler instanceof ListenerInterfaceRequestHandler) {
>             ListenerInterfaceRequestHandler listenerInterfaceRequestHandler =
>                     (ListenerInterfaceRequestHandler) requestHandler;
>             IRequestableComponent c = listenerInterfaceRequestHandler.getComponent();
>             if (c instanceof Form) {
>                 log.info("Form found!");
>                 return true;
>             }
>         }
> //        else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) {
> //            BookmarkableListenerInterfaceRequestHandler handler =
> //                    (BookmarkableListenerInterfaceRequestHandler) requestHandler;
> //            IRequestableComponent c = handler.getComponent();
> //            if (c instanceof Form) {
> //                log.info("Form found!");
> //                return true;
> //            }
> //        }
>         return false;
>     }
> }
>
>
> However what I am finding is that any form on a stateless/bookmarkable
> page is not being encrypted. I tried to work around this with the section
> of code that's commented out (BookmarkableListenerInterfaceRequestHandler).
> This then encrypts the form action fine, but then I get 2 bits of odd
> behaviour:
>
>
> - On pages that are bookmarkable, if there is a constructor that has
> PageParameters, the page is just recreated and the submit is ignored (when
> pressing submit). If I remove the PageParameters constructor then it works
> fine.
>
> - On stateless pages, again when submitting the form it just recreates
> the page.
>
>
> import org.apache.wicket.Session;
> import org.apache.wicket.markup.html.WebPage;
> import org.apache.wicket.markup.html.form.PasswordTextField;
> import org.apache.wicket.markup.html.form.StatelessForm;
> import org.apache.wicket.markup.html.form.TextField;
> import org.apache.wicket.markup.html.panel.FeedbackPanel;
> import org.apache.wicket.model.CompoundPropertyModel;
> import org.apache.wicket.util.value.ValueMap;
> // HubSession, ContextUtil and CompanyAdminPage are application classes not shown here.
>
> public class SomeLoginPage extends WebPage {
>
>     public SomeLoginPage() {
>         setStatelessHint(true);
>         add(new FeedbackPanel("feedback"));
>         add(new SignInForm("signInForm").setOutputMarkupId(false));
>     }
>
>     public final class SignInForm extends StatelessForm<ValueMap> {
>
>         public SignInForm(final String id) {
>             super(id, new CompoundPropertyModel<ValueMap>(new ValueMap()));
>             add(new TextField<String>("username").setOutputMarkupId(false));
>             add(new PasswordTextField("password").setOutputMarkupId(false));
>         }
>
>         /**
>          * @see org.apache.wicket.markup.html.form.Form#onSubmit()
>          */
>         @Override
>         public void onSubmit() {
>             ValueMap values = getModelObject();
>             String username = values.getString("username");
>             String password = values.getString("password");
>
>             if (signIn(username, password)) {
>                 ((HubSession) Session.get()).setAdminAthenticated(true);
>                 ContextUtil.get().setUser(null);
>                 setResponsePage(CompanyAdminPage.class);
>             } else {
>                 // Try the component based localizer first. If not found try the
>                 // application localizer. Else use the default
>                 error(getLocalizer().getString("exception.login", this,
>                         "Illegal username password combo"));
>             }
>         }
>
>         private boolean signIn(String username, String password) {
>             // TODO authentication
>             return false;
>         }
>     }
> }
>
>
>
> Any ideas?
>
>
>
> On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov <mgrigo...@apache.org>
> wrote:
>
>> org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
>> instanceOf Form
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>> On Thu, Sep 7, 2017 at 11:04 AM, Wayne W <waynemailingli...@gmail.com>
>> wrote:
>>
>> > Thanks Martin,
>> >
>> > how can I tell for example if the IPageClassRequestHandler or
>> > ListenerInterfaceRequestHandler is for a form?
>> >
>> > On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov <mgrigo...@apache.org>
>> > wrote:
>> >
>> > > Hi,
>> > >
>> > > I don't use any of these so I have not much experience in production
>> > > with them!
>> > >
>> > > On Wed, Sep 6, 2017 at 12:07 PM, Wayne W <waynemailingli...@gmail.com
>> >
>> > > wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I've been trying to use CsrfPreventionRequestCycleListener in
>> > > > production. However we are seeing in the logs that about 30 times a
>> > > > day we get the request aborted because the clients' browsers are not
>> > > > sending the referrer header sometimes. Doing some research it seems
>> > > > we cannot rely on the client's browser to send the referrer and it
>> > > > could be somewhat buggy in older browsers.
>> > > >
>> > > > Does anyone else experience this trouble?
>> > > >
>> > > > Are there any alternatives?
>> > > >
>> > > > I did try:
>> > > >
>> > > > getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
>> > > >
>> > > > setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
>> > > >
>> > > > However this encrypts everything (resources, urls, etc). Is there a
>> > > > way of just encrypting say forms and links or something?
>> > > >
>> > >
>> > > You can override CryptoMapper#mapHandler() and call super.mapHandler()
>> > > only when the IRequestHandler is not an instance of
>> > > IPageClassRequestHandler or only when it is ListenerInterfaceRequestHandler.
>> > >
>> > >
>> > > >
>> > > > Anyone got a solution that works for them in production?
>> > > >
>> > > > many thanks
>> > > >
>> > >
>> >
>>
>
>
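As an added example (not code from anyone in this thread), here is how the CsrfPreventionRequestCycleListener from the first message can be configured so that a request with no Origin/Referer header at all is treated differently from a request whose origin actually conflicts with the application's host, and so that every abort is logged for later review. It assumes Wicket 7.x, where the listener exposes setNoOriginAction, setConflictingOriginAction and addAcceptedOrigin and (as I understand it) reads the Origin header before falling back to Referer; the onAborted hook signature is assumed from that version and should be checked against the version in use. HubApplication and the two host names are placeholders.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;

/** Placeholder application class; substitute your own WebApplication subclass. */
public class HubApplication extends WebApplication {

    private static final Log log = LogFactory.getLog(HubApplication.class);

    @Override
    protected void init() {
        super.init();

        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener() {
            // Hook signature assumed from Wicket 7's listener; verify against your version.
            // Logging here gives operations a per-request record of what was rejected and why,
            // which is what you need to tell "old browser without Referer" apart from a real
            // cross-origin POST.
            @Override
            protected void onAborted(HttpServletRequest request, String origin, IRequestablePage page) {
                log.warn("CSRF check aborted request: origin=" + origin
                        + " method=" + request.getMethod()
                        + " uri=" + request.getRequestURI()
                        + " page=" + (page == null ? "?" : page.getClass().getName()));
            }
        };

        // An Origin/Referer that does not match this application is the case the listener
        // exists for: abort it.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);

        // A request carrying neither header cannot be classified. ABORT turns every such
        // request into an error (the ~30 aborts/day from the thread). SUPPRESS instead skips
        // the listener call and re-renders the page, so the user sees the page again rather
        // than a 400. ALLOW would process the request as if it were trusted. Pick SUPPRESS or
        // ALLOW only if you accept the residual risk from clients that strip both headers.
        csrf.setNoOriginAction(CsrfAction.SUPPRESS);

        // Additional hosts (domain names, not full URLs) whose pages may legitimately post
        // to this application; placeholder values.
        csrf.addAcceptedOrigin("hub.example.com");
        csrf.addAcceptedOrigin("admin.example.com");

        getRequestCycleListeners().add(csrf);
    }
}
```

The important distinction is between the two actions: a conflicting origin is evidence of a forged request and should stay on ABORT, whereas a missing origin is a data-quality problem with the client. Keeping the abort log lets you measure how often each case occurs before deciding whether relaxing the no-origin action is acceptable.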
