I reviewed some docs for CSRF protection / mitigation
https://nightlies.apache.org/wicket/guide/9.x/single.html#_csrf_protection
https://nightlies.apache.org/wicket/apidocs/9.x/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.html
URL encryption may cause some issues and hence I'd defer that. Then,
accordingly, CsrfPreventionRequestCycleListener:
Prevents CSRF attacks on Wicket components by checking the Origin and
Referer HTTP headers for cross domain requests. By default only checks
requests that try to perform an action on a component, such as a form
submit, or link click.
It seemed adequate for the purpose. However, if instead I'd like to
implement a token-based approach
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
would such an approach implement the token-based strategy?
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;

    import org.apache.wicket.markup.html.form.HiddenField;
    import org.apache.wicket.markup.html.form.StatelessForm;
    import org.apache.wicket.model.Model;

    public class MyForm extends StatelessForm<Void> {
        HiddenField<String> hiddenField;

        public MyForm(String id) {
            super(id);
            String csrftoken = getCsrfToken();
            hiddenField = new HiddenField<>("csrf", Model.of(csrftoken));
            add(hiddenField);
        }

        @Override
        protected void onSubmit() {
            String csrftoken = getCsrfToken();
            if (!hiddenField.getDefaultModelObjectAsString().equals(csrftoken)) {
                error("invalid CSRF token, update denied");
                return;
            }
            // ...
        }

        private String getCsrfToken() {
            try {
                MessageDigest md5 = MessageDigest.getInstance("MD5");
                md5.update(getSession().getId().getBytes()); // generate CSRF token from session ID
                return Base64.getEncoder().encodeToString(md5.digest());
            } catch (NoSuchAlgorithmException e) {
                // fall back to the raw session ID if MD5 is unavailable
                return Base64.getEncoder().encodeToString(getSession().getId().getBytes());
            }
        }
    }
Thanks much in advance.
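For comparison, an added example (not code from the post or from Wicket) of the same form written to the synchronizer token pattern the linked OWASP cheat sheet describes: a random per-session token kept in a Session attribute and compared in constant time, rather than an MD5 of the session id. The session attribute name is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.form.HiddenField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.model.Model;

public class TokenForm extends StatelessForm<Void> {
    private static final String TOKEN_ATTR = "csrfToken"; // attribute name is an assumption
    private static final SecureRandom RNG = new SecureRandom();
    private final HiddenField<String> tokenField;

    public TokenForm(String id) {
        super(id);
        tokenField = new HiddenField<>("csrf", Model.of(currentToken()));
        add(tokenField);
    }

    @Override
    protected void onSubmit() {
        String submitted = tokenField.getModelObject();
        if (submitted == null || !constantTimeEquals(submitted, currentToken())) {
            error("invalid CSRF token, update denied");
            return;
        }
        // ... the submission carries the session's token, continue processing
    }

    // Returns the session's token, generating 32 random bytes on first use so the
    // token is unpredictable rather than a function of the session id.
    static String currentToken() {
        Session session = Session.get();
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    // MessageDigest.isEqual does not stop at the first differing byte.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the token lives in the session, a form that is meant to be fully stateless cannot use it; in that case the Origin/Referer check of CsrfPreventionRequestCycleListener is the option that needs no server-side state.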
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org