Posted to users@wicket.apache.org by Andreas Kappler <an...@jato-consulting.de> on 2013/09/18 10:43:21 UTC
CSRF protection and mounting pages
Hi!
I am currently looking into making our Wicket applications CSRF safe.
From my understanding the CryptoMapper is the way to go, and I was able
to set it up working successfully.
There are however several mounted pages in the applications (with
WebApplication.mountPage), where the URLs should not be encrypted. This
also works fine, the CryptoMapper does not encrypt the URLs to these
pages, but that also removes the CSRF protection. E.g. if one of these
mounted pages contains a form, the URL to post back the form data is
unencrypted and vulnerable to CSRF.
My idea was to not mount pages directly, but instead mount a Page that
redirects to the actual page. That way the page is still reachable with
a static URL, but all consequent requests are properly encrypted.
So instead of:
webApplication.mountPage("login", LoginPage.class);
Something like this:
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.markup.html.WebPage;

public class LoginPageRedirect extends WebPage {
    @Override
    protected void onInitialize() {
        super.onInitialize();
        // never renders itself: every request to the static URL is restarted on the real page
        throw new RestartResponseException(LoginPage.class);
    }
}
webApplication.mountPage("login", LoginPageRedirect.class);
I did however not find anything in the wicket API that supports this
concept and now I am wondering if there is a better way to do this, e.g.
with a server side redirect.
I would be grateful for any ideas!
Best Regards,
Andreas
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: CSRF protection and mounting pages
Posted by Andreas Kappler <an...@jato-consulting.de>.
Hi Jesse,
thanks, this looks like a promising solution! However I have two
problems with it:
1) Some ajax requests (not all requests, but e.g. expanding an item in a
TreeTable) result in an ajax redirect to the actual ajax response, which
is then displayed in the browser. I have not investigated this any
further yet.
2) It seems to me that the ListenerInterfaceCryptoMapper allows
unencrypted query strings? This would effectively suppress the CSRF
protection.
Best Regards,
Andreas
On 18.09.2013 15:14, Jesse Long wrote:
Re: CSRF protection and mounting pages
Posted by Jesse Long <jp...@unknown.za.net>.
Hi Andreas,
Try using this, in addition to normal CryptoMapper.
usage:
protected void init()
{
    setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), .....));

    mountPage(....);
    mountPage(....);
    mountPage(....);
    mountPage(....);
    mountPage(....);

    setRootRequestMapper(new ListenerInterfaceCryptoMapper(getRootRequestMapper(), ....));
}
Let me know if it works for you?
Cheers,
Jesse
import java.util.List;
import org.apache.wicket.Application;
import org.apache.wicket.core.request.handler.BookmarkableListenerInterfaceRequestHandler;
import org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Url;
import org.apache.wicket.util.IProvider;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.string.Strings;

/**
 * Leaves URL segments alone (mounted paths stay readable) but replaces the query
 * string of listener interface URLs (form submits, link and behaviour callbacks)
 * with a single encrypted query parameter.
 */
public class ListenerInterfaceCryptoMapper extends CryptoMapper
{
    private final String parameterName;

    public ListenerInterfaceCryptoMapper(String parameterName, IRequestMapper wrappedMapper,
        Application application)
    {
        super(wrappedMapper, application);
        this.parameterName = parameterName;
    }

    public ListenerInterfaceCryptoMapper(String parameterName, IRequestMapper wrappedMapper,
        IProvider<ICrypt> cryptProvider)
    {
        super(wrappedMapper, cryptProvider);
        this.parameterName = parameterName;
    }

    @Override
    protected Url decryptUrl(Request request, Url encryptedUrl)
    {
        List<Url.QueryParameter> queryParameters = encryptedUrl.getQueryParameters();

        // only a URL whose sole query parameter is ours carries an encrypted query string
        if (queryParameters.size() == 1)
        {
            Url.QueryParameter param = queryParameters.get(0);

            if (param.getName().equals(parameterName) && !Strings.isEmpty(param.getValue()))
            {
                String decodedQueryString = getCrypt().decryptUrlSafe(param.getValue());

                return new Url(encryptedUrl.getSegments(),
                    Url.parse(decodedQueryString, encryptedUrl.getCharset()).getQueryParameters(),
                    encryptedUrl.getCharset());
            }
        }

        // everything else is handed to the wrapped mapper unchanged
        return encryptedUrl;
    }

    @Override
    protected Url encryptUrl(Url url)
    {
        // no encrypting of segments
        return url;
    }

    @Override
    public Url mapHandler(IRequestHandler requestHandler)
    {
        Url url = super.mapHandler(requestHandler);

        // the wrapped mapper may not know this handler at all
        if (url == null || url.getQueryParameters().isEmpty())
        {
            return url;
        }

        if ((requestHandler instanceof ListenerInterfaceRequestHandler)
            || (requestHandler instanceof BookmarkableListenerInterfaceRequestHandler))
        {
            // keep the segments, move the whole query string into one encrypted parameter
            Url encryptedUrl = new Url(url.getSegments(), url.getCharset());
            encryptedUrl.addQueryParameter(parameterName,
                getCrypt().encryptUrlSafe(url.getQueryString()));
            return encryptedUrl;
        }
        else
        {
            return url;
        }
    }
}
On 18/09/2013 14:48, Andreas Kappler wrote:
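Andreas's second concern in his reply (the mapper hands an unencrypted query string straight through to the wrapped mapper, so a listener URL typed in clear text is still executed) can be closed on the request side. The class below is an added example, not code from this thread or from Wicket: it extends Jesse's ListenerInterfaceCryptoMapper as posted here (assuming its three-argument constructor taking the parameter name, the wrapped mapper and the application, and the same package) and refuses to map a listener interface callback that did not arrive through the encrypted parameter, so Wicket answers with a 404 instead of running the form submit or link listener. Plain mounted URLs without a query string, bookmarkable page parameters and resource URLs are not affected. It assumes the Wicket 6 interface IRequestHandlerDelegate with getDelegateHandler(), because CryptoMapper returns the wrapped mapper's handler behind a delegate that carries the decrypted request.

```java
import java.util.List;

import org.apache.wicket.Application;
import org.apache.wicket.core.request.handler.BookmarkableListenerInterfaceRequestHandler;
import org.apache.wicket.core.request.handler.ListenerInterfaceRequestHandler;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestHandlerDelegate;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Url;
import org.apache.wicket.util.string.Strings;

/**
 * Hypothetical hardening of ListenerInterfaceCryptoMapper (Jesse's class from this thread):
 * a listener interface callback is only honoured when its query string arrived encrypted.
 * A clear-text callback URL is mapped to nothing, which Wicket turns into a 404.
 */
public class StrictListenerInterfaceCryptoMapper extends ListenerInterfaceCryptoMapper
{
    private final String parameterName;

    public StrictListenerInterfaceCryptoMapper(String parameterName, IRequestMapper wrappedMapper,
        Application application)
    {
        super(parameterName, wrappedMapper, application);
        this.parameterName = parameterName;
    }

    @Override
    public IRequestHandler mapRequest(Request request)
    {
        // decrypts the query string (if present) and asks the wrapped mapper, as before
        IRequestHandler handler = super.mapRequest(request);
        if (handler == null)
        {
            return null;
        }

        // the policy added here: a listener callback must have come in through the
        // encrypted parameter; anything else (page renders, resources) passes as usual
        if (isListenerCallback(unwrap(handler)) && !isEncrypted(request.getUrl()))
        {
            return null;
        }
        return handler;
    }

    /** Same test decryptUrl applies: exactly one query parameter, ours, with a value. */
    private boolean isEncrypted(Url url)
    {
        List<Url.QueryParameter> params = url.getQueryParameters();
        if (params.size() != 1)
        {
            return false;
        }
        Url.QueryParameter param = params.get(0);
        return parameterName.equals(param.getName()) && !Strings.isEmpty(param.getValue());
    }

    private static boolean isListenerCallback(IRequestHandler handler)
    {
        return handler instanceof ListenerInterfaceRequestHandler
            || handler instanceof BookmarkableListenerInterfaceRequestHandler;
    }

    /** Assumption: CryptoMapper wraps the mapped handler in an IRequestHandlerDelegate. */
    private static IRequestHandler unwrap(IRequestHandler handler)
    {
        while (handler instanceof IRequestHandlerDelegate)
        {
            handler = ((IRequestHandlerDelegate)handler).getDelegateHandler();
        }
        return handler;
    }
}
```

Register it in init() at the point where Jesse's usage snippet installs ListenerInterfaceCryptoMapper, i.e. after the mountPage() calls. The check deliberately reuses the single-parameter test from decryptUrl, so a URL that carries the encrypted parameter plus any extra clear-text parameter counts as unencrypted as well.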
Re: CSRF protection and mounting pages
Posted by Andreas Kappler <an...@jato-consulting.de>.
Thanks for pointing out that ticket. So as I see it, there is currently
no easy way to secure pages from CSRF attacks if they are mounted. To be
honest I find it a bit surprising that no one contributed a solution for
this common problem.
I will probably go for the solution with redirects instead of mounting
pages; it seems to me to be the safest way.
On 18.09.2013 14:08, Martin Grigorov wrote:
Re: CSRF protection and mounting pages
Posted by Martin Grigorov <mg...@apache.org>.
Check https://issues.apache.org/jira/browse/WICKET-5326
It talks about similar things
On Wed, Sep 18, 2013 at 3:03 PM, Andreas Kappler <andreas.kappler@jato-consulting.de> wrote:
Re: CSRF protection and mounting pages
Posted by Andreas Kappler <an...@jato-consulting.de>.
Hi Martin,
thanks for your answer. I tried that and I am not sure if I did
something wrong, but still the URLs generated for posting forms are not
encrypted.
For example I have a page that contains a form to change the user's
password and I want the page to be available as /changePassword. Now if
the user submits the form, the form's action points to
/changePassword?xyz, which makes it open to CSRF.
Best Regards,
Andreas
On 18.09.2013 13:09, Martin Grigorov wrote:
Re: CSRF protection and mounting pages
Posted by Martin Grigorov <mg...@apache.org>.
Hi,
You can extend CryptoMapper and set it up as the root mapper.
In your custom CryptoMapper you can override "Url mapHandler(final
IRequestHandler requestHandler)". If the passed requestHandler is
IPageClassRequestHandler then you can call #getPageClass() on it and decide
whether to encrypt the Url or not. For all other IRequestHandlers - always
encrypt.
On Wed, Sep 18, 2013 at 11:43 AM, Andreas Kappler <andreas.kappler@jato-consulting.de> wrote:
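One way to implement the mapHandler() override described in this message, as an added example that is not Martin's code and not part of Wicket. The point to get right is which handler is exempted: ListenerInterfaceRequestHandler also implements IPageClassRequestHandler, so deciding on getPageClass() alone would leave the form-submit and link URLs of the excluded page in clear text as well. The example therefore exempts only RenderPageRequestHandler, the handler for a plain page render, and sends every other handler for the same page through CryptoMapper's encryption. It keeps its own reference to the wrapped mapper rather than relying on any accessor of CryptoMapper; SelectiveCryptoMapper, ExampleApplication and the LoginPage placeholder are constructed for the example. mapHandler() only governs the URLs the application emits; what the server accepts on the way in is decided in mapRequest and is unchanged here.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.wicket.Application;
import org.apache.wicket.Page;
import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.component.IRequestablePage;

/**
 * Hypothetical CryptoMapper that keeps the render URL of a few mounted pages readable
 * but still encrypts every other URL, including the form submit and link callbacks
 * that belong to those same pages.
 */
public class SelectiveCryptoMapper extends CryptoMapper
{
    private final IRequestMapper wrappedMapper;
    private final Set<Class<? extends IRequestablePage>> plainPages;

    public SelectiveCryptoMapper(IRequestMapper wrappedMapper, Application application,
        Set<Class<? extends IRequestablePage>> plainPages)
    {
        super(wrappedMapper, application);
        this.wrappedMapper = wrappedMapper;
        this.plainPages = Collections.unmodifiableSet(
            new HashSet<Class<? extends IRequestablePage>>(plainPages));
    }

    @Override
    public Url mapHandler(IRequestHandler requestHandler)
    {
        // Only a plain page render may stay in clear text. A ListenerInterfaceRequestHandler
        // is an IPageClassRequestHandler too, so testing getPageClass() alone would also exempt
        // the form-submit URL of the page, which is exactly the URL that must stay encrypted.
        if (requestHandler instanceof RenderPageRequestHandler)
        {
            Class<? extends IRequestablePage> pageClass =
                ((RenderPageRequestHandler)requestHandler).getPageClass();
            if (plainPages.contains(pageClass))
            {
                // bypass the encryption and let the mounted mapper produce e.g. /login
                return wrappedMapper.mapHandler(requestHandler);
            }
        }
        // everything else: wrapped mapper URL, then encrypted by CryptoMapper
        return super.mapHandler(requestHandler);
    }
}

/** Placeholder page for the wiring below (constructed; markup omitted). */
class LoginPage extends WebPage
{
}

/** Wiring: mount first, then wrap the mapper that knows the mounts, as in the thread's usage. */
class ExampleApplication extends WebApplication
{
    @Override
    public Class<? extends Page> getHomePage()
    {
        return LoginPage.class;
    }

    @Override
    protected void init()
    {
        super.init();
        mountPage("login", LoginPage.class);

        Set<Class<? extends IRequestablePage>> plain =
            new HashSet<Class<? extends IRequestablePage>>();
        plain.add(LoginPage.class);
        setRootRequestMapper(new SelectiveCryptoMapper(getRootRequestMapper(), this, plain));
    }
}
```

With this wiring, /login stays a static URL a user can bookmark, while the action URL of a form on LoginPage is produced by super.mapHandler() and therefore encrypted, which is the split Andreas asked for.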