It works for us, but we are not using *CryptMapper's ...

On Tue, Sep 19, 2017 at 7:49 PM, Wayne W <waynemailingli...@gmail.com> wrote:
> Hi,
>
> does anyone else have any ideas what I could do here. Is there anyone out
> there who's successfully got the CSRF protection up and running in
> production?
>
> On Fri, Sep 8, 2017 at 10:31 AM, Wayne W <waynemailingli...@gmail.com> wrote:
>> Thanks Martin,
>>
>> so I've used this:
>>
>> setRootRequestMapper(new PostUrlCryptMapper(getRootRequestMapper(),
>>         new KeyInSessionSunJceCryptFactory()));
>>
>> public class PostUrlCryptMapper extends CryptoMapper {
>>
>>     private static Log log = LogFactory.getLog(PostUrlCryptMapper.class);
>>
>>     /**
>>      * @param wrappedMapper
>>      * @param cryptFactory
>>      */
>>     public PostUrlCryptMapper(IRequestMapper wrappedMapper,
>>             final KeyInSessionSunJceCryptFactory cryptFactory) {
>>         super(wrappedMapper, new IProvider<ICrypt>() {
>>             @Override
>>             public ICrypt get() {
>>                 return cryptFactory.newCrypt();
>>             }
>>         });
>>     }
>>
>>     @Override
>>     public Url mapHandler(final IRequestHandler requestHandler) {
>>         if (isFormListenerInterfaceRequestHandler(requestHandler)) {
>>             return super.mapHandler(requestHandler);
>>         } else {
>>             return getDelegateMapper().mapHandler(requestHandler);
>>         }
>>     }
>>
>>     @Override
>>     public IRequestHandler mapRequest(final Request request) {
>>         final IRequestHandler requestHandler = getDelegateMapper().mapRequest(request);
>>         if (requestHandler == null) {
>>             return super.mapRequest(request);
>>         }
>>         return requestHandler;
>>     }
>>
>>     /**
>>      * Returns true if the component attached to the
>>      * ListenerInterfaceRequestHandler is a form container.
>>      *
>>      * @param requestHandler
>>      * @return
>>      */
>>     private boolean isFormListenerInterfaceRequestHandler(final IRequestHandler requestHandler) {
>>         if (requestHandler instanceof ListenerInterfaceRequestHandler) {
>>             ListenerInterfaceRequestHandler listenerInterfaceRequestHandler =
>>                     (ListenerInterfaceRequestHandler) requestHandler;
>>             IRequestableComponent c = listenerInterfaceRequestHandler.getComponent();
>>             if (c instanceof Form) {
>>                 log.info("Form found!");
>>                 return true;
>>             }
>>         }
>>         // else if (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler) {
>>         //     BookmarkableListenerInterfaceRequestHandler handler =
>>         //             (BookmarkableListenerInterfaceRequestHandler) requestHandler;
>>         //     IRequestableComponent c = handler.getComponent();
>>         //     if (c instanceof Form) {
>>         //         log.info("Form found!");
>>         //         return true;
>>         //     }
>>         // }
>>         return false;
>>     }
>> }
>>
>> However what I am finding is that any form on a stateless/bookmarkable
>> page is not being encrypted. I tried to work around this with the section
>> of code that's commented out (BookmarkableListenerInterfaceRequestHandler).
>> This then encrypts the form action fine, but then I get 2 bits of odd
>> behaviour:
>>
>> - On pages that are bookmarkable, if there is a constructor that has
>>   PageParameters, the page is just recreated and the submit is ignored (when
>>   pressing submit). If I remove the PageParameters constructor then it works
>>   fine.
>> - On stateless pages, again when submitting the form it just recreates
>>   the page
>>
>> public class SomeLoginPage extends WebPage {
>>
>>     public SomeLoginPage() {
>>         setStatelessHint(true);
>>         add(new FeedbackPanel("feedback"));
>>         add(new SignInForm("signInForm").setOutputMarkupId(false));
>>     }
>>
>>     public final class SignInForm extends StatelessForm<ValueMap> {
>>
>>         public SignInForm(final String id) {
>>             super(id, new CompoundPropertyModel<ValueMap>(new ValueMap()));
>>
>>             add(new TextField<String>("username").setOutputMarkupId(false));
>>             add(new PasswordTextField("password").setOutputMarkupId(false));
>>         }
>>
>>         /**
>>          * @see org.apache.wicket.markup.html.form.Form#onSubmit()
>>          */
>>         @Override
>>         public void onSubmit() {
>>             ValueMap values = getModelObject();
>>             String username = values.getString("username");
>>             String password = values.getString("password");
>>
>>             if (signIn(username, password)) {
>>                 ((HubSession) Session.get()).setAdminAthenticated(true);
>>                 ContextUtil.get().setUser(null);
>>
>>                 setResponsePage(CompanyAdminPage.class);
>>             } else {
>>                 // Try the component based localizer first. If not found try the
>>                 // application localizer. Else use the default
>>                 error(getLocalizer().getString("exception.login", this,
>>                         "Illegal username password combo"));
>>             }
>>         }
>>
>>         private boolean signIn(String username, String password) {
>>             // TODO authentication
>>             return false;
>>         }
>>     }
>> }
>>
>> Any ideas?
>>
>> On Thu, Sep 7, 2017 at 11:33 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
>>> org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler#getComponent()
>>> instanceOf Form
>>>
>>> Martin Grigorov
>>> Wicket Training and Consulting
>>> https://twitter.com/mtgrigorov
>>>
>>> On Thu, Sep 7, 2017 at 11:04 AM, Wayne W <waynemailingli...@gmail.com> wrote:
>>>> Thanks Martin,
>>>>
>>>> how can I tell for example if the IPageClassRequestHandler or
>>>> ListenerInterfaceRequestHandler is for a form?
>>>>
>>>> On Wed, Sep 6, 2017 at 12:39 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
>>>>> Hi,
>>>>>
>>>>> I don't use any of these so I don't have much experience in production
>>>>> with them!
>>>>>
>>>>> On Wed, Sep 6, 2017 at 12:07 PM, Wayne W <waynemailingli...@gmail.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've been trying to use CsrfPreventionRequestCycleListener in
>>>>>> production. However we are seeing in the logs that about 30 times a day
>>>>>> we get the request aborted because the clients' browsers are sometimes
>>>>>> not sending the referrer header. Doing some research it seems we cannot
>>>>>> rely on the client's browser to send the referrer and it could be
>>>>>> somewhat buggy in older browsers.
>>>>>>
>>>>>> Does anyone else experience this trouble?
>>>>>>
>>>>>> Are there any alternatives?
>>>>>>
>>>>>> I did try:
>>>>>>
>>>>>> getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
>>>>>>
>>>>>> setRootRequestMapper(new CryptoMapper(getRootRequestMapperAsCompound(), this));
>>>>>>
>>>>>> However this encrypts everything (resources, urls, etc). Is there a way
>>>>>> of just encrypting say forms and links or something?
>>>>>>
>>>>>
>>>>> You can override CryptoMapper#mapHandler() and call super.mapHandler()
>>>>> only when the IRequestHandler is not an instance of
>>>>> IPageClassRequestHandler or only when it is
>>>>> ListenerInterfaceRequestHandler.
>>>>>
>>>>>> Anyone got a solution that works for them in production?
>>>>>>
>>>>>> many thanks
>>>>>>

-- 
WBR Maxim aka solomax

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
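A defender-side addition for the aborted requests Wayne reports in his first message, written as an added example for this thread rather than code from any of the posters or from Wicket itself: a CsrfPreventionRequestCycleListener subclass that logs the user agent and target page of every aborted request, separating the "no Origin/Referer at all" case from a conflicting-origin one, plus an install() helper for WebApplication#init(). It assumes Wicket 7.x with SLF4J on the classpath; the package name and the extra accepted origin are hypothetical.

```java
package com.example.csrf; // hypothetical package, not from the thread

import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.component.IRequestablePage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Keeps Wicket's strict default (abort when the origin check fails) but logs
 * enough context to tell a browser or proxy that simply dropped the header
 * apart from a genuine cross-site POST. Wicket reads the Origin header first
 * and falls back to Referer, so only requests lacking both reach the
 * "no origin" branch below.
 */
public class LoggingCsrfListener extends CsrfPreventionRequestCycleListener {
    private static final Logger log = LoggerFactory.getLogger(LoggingCsrfListener.class);

    @Override
    protected void onAborted(HttpServletRequest request, String origin, IRequestablePage page) {
        String ua = request.getHeader("User-Agent");
        String target = (page == null) ? "?" : page.getClass().getSimpleName();
        if (origin == null || origin.isEmpty()) {
            // Neither Origin nor Referer arrived: the case seen ~30 times a day in the thread.
            log.warn("CSRF abort, no Origin/Referer: {} {} -> {} UA='{}'",
                    request.getMethod(), request.getRequestURI(), target, ua);
        } else {
            // A header was present but named another site: treat as a real CSRF attempt.
            log.warn("CSRF abort, foreign origin {}: {} {} -> {} UA='{}'",
                    origin, request.getMethod(), request.getRequestURI(), target, ua);
        }
    }

    /**
     * Registers the listener; call from WebApplication#init(). extraOrigin is an
     * additional host allowed to post to this application (constructed value,
     * e.g. an SSO front end); the application's own host is accepted by Wicket
     * without being listed here.
     */
    public static void install(WebApplication app, String extraOrigin) {
        app.getRequestCycleListeners().add(new LoggingCsrfListener()
                .addAcceptedOrigin(extraOrigin)
                .setNoOriginAction(CsrfAction.ABORT)); // explicit: keep rejecting header-less POSTs
    }
}
```

With that log in place the daily aborts can be correlated with user agents and target pages before deciding whether the strict ABORT default can stay or a different mitigation is needed.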