Posted to users@wicket.apache.org by James Selvakumar <ja...@mcruncher.com> on 2017/01/16 07:08:23 UTC

Encrypt selected form data before submitting the request to Server

Hi all,

I have this requirement where some of the data entered by the user are to
be encrypted in the client side before the request is submitted to the
Wicket server even though the communication is over HTTPS.

I am thinking of having some JavaScript code in the client which shall
intercept the form submission, request the Server for a randomly generated
key and encrypt the form data using the key received and then submit the
form again.

Any idea how to achieve this in Wicket?

-- 
Thanks & regards
James

Re: Encrypt selected form data before submitting the request to Server

Posted by Martin Grigorov <mg...@apache.org>.
Hi Rob,

On Mon, Jan 16, 2017 at 8:46 AM, Rob Audenaerde <ro...@gmail.com>
wrote:

> Ah you wrote about the synchronous ajax at the same time as my message :)
>

I should have explained in my first answer!
The thing is that any asynchronous way to get the key will fail due to
timing issues.


>
> (and sorry for the typo in your name, Martin!)
>

No problem!
I have made much bigger mistakes with the help of spell corrections /
auto-suggest :-)


>
>
> On Mon, Jan 16, 2017 at 8:45 AM, Rob Audenaerde <ro...@gmail.com>
> wrote:
>
> > @Marin I thought synchronous Ajax is actively discouraged now? Or is it
> > supported through webworkers now? (see:
> > https://xhr.spec.whatwg.org/#the-open()-method )
> >
> > I would just generate a random secret the moment the form is rendered.
> > Then, in JavaScript, you can use your favorite symmetric block cipher to
> > replace the values/encode them in JSON (for example in a hidden field).
> > Server side you do the reverse.
> >
> > -Rob
> >
> > On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar <ja...@mcruncher.com>
> > wrote:
> >
> >> Hi Martin,
> >>
> >> Thanks a lot for your response.
> >> Can I add this behavior directly to the form or should this be added to
> a
> >> form component?
> >> Will this work on Wicket 6.x?
> >>
> >> On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov <mg...@apache.org>
> >> wrote:
> >>
> >> > Hi,
> >> >
> >> > The easiest way I see is to use onBeforeSend() callback listener on
> the
> >> > Ajax submit behavior of the form.
> >> > There you can do a **synchronous** Ajax call to get your key and then
> >> > modify (i.e. encrypt) the data to be sent.
> >> >
> >> > Martin Grigorov
> >> > Wicket Training and Consulting
> >> > https://twitter.com/mtgrigorov
> >> >
> >> > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar <
> james@mcruncher.com>
> >> > wrote:
> >> >
> >> > > Hi all,
> >> > >
> >> > > I have this requirement where some of the data entered by the user
> >> are to
> >> > > be encrypted in the client side before the request is submitted to
> the
> >> > > Wicket server even though the communication is over HTTPS.
> >> > >
> >> > > I am thinking of having some JavaScript code in the client which
> shall
> >> > > intercept the form submission, request the Server for a randomly
> >> > generated
> >> > > key and encrypt the form data using the key received and then submit
> >> the
> >> > > form again.
> >> > >
> >> > > Any idea how to achieve this in Wicket?
> >> > >
> >> > > --
> >> > > Thanks & regards
> >> > > James
> >> > >
> >> >
> >>
> >>
> >>
> >> --
> >> Thanks & regards
> >> James Selvakumar
> >>
> >
> >
>

Re: Encrypt selected form data before submitting the request to Server

Posted by James Selvakumar <ja...@mcruncher.com>.
Hi Rob,

Thanks for taking time to reply. And many thanks for the detailed example.
Yes, having the secret rendered makes this approach questionable while
using encryption.
But what you've shared will be sufficient if one were to use other
techniques like hashing etc.

On Mon, Jan 16, 2017 at 4:18 PM, Rob Audenaerde <ro...@gmail.com>
wrote:

> >
> > Thanks Martin.
> > Hi Rob, your approach looks interesting.
> > Can you please elaborate on that?
> >
>
> Yes. Although I don't really see the point. The secret that is passed on
> will be readable by an attacker if the attacker could otherwise access the
> fields in the form, effectively rendering this 'security by obscurity'. The
> only way around this is to pass the secret by other means to the client and
> have them provide it in the form, or use some other type of PKI (which is
> what HTTPS is supposed to do).
>
> -
>
> I would create a Form with a hidden field and an extra attribute, the
> secret:
>
> Form<T> secretForm = new Form<T> ( ) {  ... };
>
> secretForm.setOutputMarkupId(true);
> // Model that receives the encoded value posted in the hidden field
> IModel<String> encodedResult = new Model<>();
> // Render the secret as an attribute on the form tag
> secretForm.add(AttributeModifier.append("secret",
>     Model.of("SuperDuperSecret")));
> secretForm.add(new HiddenField<>("secret", encodedResult));
> AjaxButton asb = new AjaxButton("submit")
> {
>     @Override
>     protected void updateAjaxAttributes( AjaxRequestAttributes attributes )
>     {
>         super.updateAjaxAttributes( attributes );
>         attributes.getAjaxCallListeners().add( new AjaxCallListener()
>         {
>             @Override
>             public CharSequence getBeforeHandler( Component component )
>             {
>                 // I think you should do the encoding here, something with JSON, JQuery,
>                 // The markup id is passed to the client-side function as a quoted string
>                 return "encryptFormToHiddenField('" + secretForm.getMarkupId() + "');" ;
>             }
>         } );
>     }
> };
> secretForm.add(asb);
>
>
> In the onSubmit() of the form you can access the contents of the
> encodedResult and use the "SuperDuperSecret" to decode it.
>
> Now that I'm writing it, I think you also want to prevent the other values
> from being sent. Maybe you could empty the values using JavaScript?
>
>
>
> -Rob
>



-- 
Thanks & regards
James Selvakumar

Re: Encrypt selected form data before submitting the request to Server

Posted by Rob Audenaerde <ro...@gmail.com>.
>
> Thanks Martin.
> Hi Rob, your approach looks interesting.
> Can you please elaborate on that?
>

Yes. Although I don't really see the point. The secret that is passed on
will be readable by an attacker if the attacker could otherwise access the
fields in the form, effectively rendering this 'security by obscurity'. The
only way around this is to pass the secret by other means to the client and
have them provide it in the form, or use some other type of PKI (which is
what HTTPS is supposed to do).

-

I would create a Form with a hidden field and an extra attribute, the
secret:

Form<T> secretForm = new Form<T> ( ) {  ... };

secretForm.setOutputMarkupId(true);
// Model that receives the encoded value posted in the hidden field
IModel<String> encodedResult = new Model<>();
// Render the secret as an attribute on the form tag
secretForm.add(AttributeModifier.append("secret",
    Model.of("SuperDuperSecret")));
secretForm.add(new HiddenField<>("secret", encodedResult));
AjaxButton asb = new AjaxButton("submit")
{
    @Override
    protected void updateAjaxAttributes( AjaxRequestAttributes attributes )
    {
        super.updateAjaxAttributes( attributes );
        attributes.getAjaxCallListeners().add( new AjaxCallListener()
        {
            @Override
            public CharSequence getBeforeHandler( Component component )
            {
                // I think you should do the encoding here, something with JSON, JQuery,
                // The markup id is passed to the client-side function as a quoted string
                return "encryptFormToHiddenField('" + secretForm.getMarkupId() + "');" ;
            }
        } );
    }
};
secretForm.add(asb);


In the onSubmit() of the form you can access the contents of the
encodedResult and use the "SuperDuperSecret" to decode it.

Now that I'm writing it, I think you also want to prevent the other values
from being sent. Maybe you could empty the values using JavaScript?



-Rob
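
The message above notes that a secret rendered into the page is readable by anyone who can read the form fields, and that only a PKI-style scheme avoids this. An added example (not code from the thread or from Wicket) of that variant using the Web Crypto API: the page carries only an RSA-OAEP public key, the selected fields are encrypted and their plaintext blanked before submission, and the server decrypts with its private key. The function names, the `encrypted` field and the sample form values are assumptions made for this example.

```javascript
// Added example (not code from the thread). Runs in a browser or in Node.js.
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  require('node:crypto').webcrypto.subtle;
const OAEP = { name: 'RSA-OAEP', hash: 'SHA-256' };
const MAX_PLAINTEXT = 190; // RSA-OAEP limit for a 2048-bit key with SHA-256
const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Stand-in for the server: the private key never leaves it, and only the
// public key (SPKI, base64) is rendered into the page.
async function makeServerKeyPair() {
  const pair = await subtle.generateKey(
    { ...OAEP, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    false, ['encrypt', 'decrypt']);
  const spki = await subtle.exportKey('spki', pair.publicKey);
  return { privateKey: pair.privateKey, publicKeyB64: toB64(spki) };
}

// Client side, run before the form is sent: encrypt the selected fields into
// one extra value and blank their plaintext so it is not submitted as well.
async function encryptSelectedFields(fields, selected, publicKeyB64) {
  const key = await subtle.importKey(
    'spki', fromB64(publicKeyB64), OAEP, false, ['encrypt']);
  const secret = {};
  const out = { ...fields };
  for (const name of selected) {
    secret[name] = fields[name];
    out[name] = '';
  }
  const plaintext = new TextEncoder().encode(JSON.stringify(secret));
  if (plaintext.length > MAX_PLAINTEXT) {
    throw new RangeError('selected fields exceed the RSA-OAEP plaintext limit');
  }
  out.encrypted = toB64(await subtle.encrypt({ name: 'RSA-OAEP' }, key, plaintext));
  return out;
}

// Server side: recover the selected fields with the private key.
async function decryptSubmittedFields(submitted, privateKey) {
  const plain = await subtle.decrypt(
    { name: 'RSA-OAEP' }, privateKey, fromB64(submitted.encrypted));
  return JSON.parse(new TextDecoder().decode(plain));
}

// Round trip over constructed sample form values.
async function demo() {
  const server = await makeServerKeyPair();
  const form = { username: 'alice', cardNumber: '4111111111111111', cvv: '123' };
  const submitted = await encryptSelectedFields(
    form, ['cardNumber', 'cvv'], server.publicKeyB64);
  const recovered = await decryptSubmittedFields(submitted, server.privateKey);
  return { submitted, recovered };
}
```

The public key arrives over the same channel as the page, so this keeps plaintext out of whatever handles the request after TLS termination; it does not help against someone who can alter the page or its script.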

Re: Encrypt selected form data before submitting the request to Server

Posted by James Selvakumar <ja...@mcruncher.com>.
Thanks Martin.
Hi Rob, your approach looks interesting.
Can you please elaborate on that?

On Mon, Jan 16, 2017 at 3:46 PM, Rob Audenaerde <ro...@gmail.com>
wrote:

> Ah you wrote about the synchronous ajax at the same time as my message :)
>
> (and sorry for the typo in your name, Martin!)
>
>
> On Mon, Jan 16, 2017 at 8:45 AM, Rob Audenaerde <ro...@gmail.com>
> wrote:
>
> > @Marin I thought synchronous Ajax is actively discouraged now? Or is it
> > supported through webworkers now? (see:
> > https://xhr.spec.whatwg.org/#the-open()-method )
> >
> > I would just generate a random secret the moment the form is rendered.
> > Then, in JavaScript, you can use your favorite symmetric block cipher to
> > replace the values/encode them in JSON (for example in a hidden field).
> > Server side you do the reverse.
> >
> > -Rob
> >
> > On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar <ja...@mcruncher.com>
> > wrote:
> >
> >> Hi Martin,
> >>
> >> Thanks a lot for your response.
> >> Can I add this behavior directly to the form or should this be added to
> a
> >> form component?
> >> Will this work on Wicket 6.x?
> >>
> >> On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov <mg...@apache.org>
> >> wrote:
> >>
> >> > Hi,
> >> >
> >> > The easiest way I see is to use onBeforeSend() callback listener on
> the
> >> > Ajax submit behavior of the form.
> >> > There you can do a **synchronous** Ajax call to get your key and then
> >> > modify (i.e. encrypt) the data to be sent.
> >> >
> >> > Martin Grigorov
> >> > Wicket Training and Consulting
> >> > https://twitter.com/mtgrigorov
> >> >
> >> > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar <
> james@mcruncher.com>
> >> > wrote:
> >> >
> >> > > Hi all,
> >> > >
> >> > > I have this requirement where some of the data entered by the user
> >> are to
> >> > > be encrypted in the client side before the request is submitted to
> the
> >> > > Wicket server even though the communication is over HTTPS.
> >> > >
> >> > > I am thinking of having some JavaScript code in the client which
> shall
> >> > > intercept the form submission, request the Server for a randomly
> >> > generated
> >> > > key and encrypt the form data using the key received and then submit
> >> the
> >> > > form again.
> >> > >
> >> > > Any idea how to achieve this in Wicket?
> >> > >
> >> > > --
> >> > > Thanks & regards
> >> > > James
> >> > >
> >> >
> >>
> >>
> >>
> >> --
> >> Thanks & regards
> >> James Selvakumar
> >>
> >
> >
>



-- 
Thanks & regards
James Selvakumar

Re: Encrypt selected form data before submitting the request to Server

Posted by Rob Audenaerde <ro...@gmail.com>.
Ah you wrote about the synchronous ajax at the same time as my message :)

(and sorry for the typo in your name, Martin!)


On Mon, Jan 16, 2017 at 8:45 AM, Rob Audenaerde <ro...@gmail.com>
wrote:

> @Marin I thought synchronous Ajax is actively discouraged now? Or is it
> supported through webworkers now? (see:
> https://xhr.spec.whatwg.org/#the-open()-method )
>
> I would just generate a random secret the moment the form is rendered.
> Then, in JavaScript, you can use your favorite symmetric block cipher to
> replace the values/encode them in JSON (for example in a hidden field).
> Server side you do the reverse.
>
> -Rob
>
> On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar <ja...@mcruncher.com>
> wrote:
>
>> Hi Martin,
>>
>> Thanks a lot for your response.
>> Can I add this behavior directly to the form or should this be added to a
>> form component?
>> Will this work on Wicket 6.x?
>>
>> On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov <mg...@apache.org>
>> wrote:
>>
>> > Hi,
>> >
>> > The easiest way I see is to use onBeforeSend() callback listener on the
>> > Ajax submit behavior of the form.
>> > There you can do a **synchronous** Ajax call to get your key and then
>> > modify (i.e. encrypt) the data to be sent.
>> >
>> > Martin Grigorov
>> > Wicket Training and Consulting
>> > https://twitter.com/mtgrigorov
>> >
>> > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar <ja...@mcruncher.com>
>> > wrote:
>> >
>> > > Hi all,
>> > >
>> > > I have this requirement where some of the data entered by the user
>> are to
>> > > be encrypted in the client side before the request is submitted to the
>> > > Wicket server even though the communication is over HTTPS.
>> > >
>> > > I am thinking of having some JavaScript code in the client which shall
>> > > intercept the form submission, request the Server for a randomly
>> > generated
>> > > key and encrypt the form data using the key received and then submit
>> the
>> > > form again.
>> > >
>> > > Any idea how to achieve this in Wicket?
>> > >
>> > > --
>> > > Thanks & regards
>> > > James
>> > >
>> >
>>
>>
>>
>> --
>> Thanks & regards
>> James Selvakumar
>>
>
>

Re: Encrypt selected form data before submitting the request to Server

Posted by Rob Audenaerde <ro...@gmail.com>.
@Marin I thought synchronous Ajax is actively discouraged now? Or is it
supported through webworkers now? (see:
https://xhr.spec.whatwg.org/#the-open()-method )

I would just generate a random secret the moment the form is rendered.
Then, in JavaScript, you can use your favorite symmetric block cipher to
replace the values/encode them in JSON (for example in a hidden field).
Server side you do the reverse.

-Rob

On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar <ja...@mcruncher.com>
wrote:

> Hi Martin,
>
> Thanks a lot for your response.
> Can I add this behavior directly to the form or should this be added to a
> form component?
> Will this work on Wicket 6.x?
>
> On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov <mg...@apache.org>
> wrote:
>
> > Hi,
> >
> > The easiest way I see is to use onBeforeSend() callback listener on the
> > Ajax submit behavior of the form.
> > There you can do a **synchronous** Ajax call to get your key and then
> > modify (i.e. encrypt) the data to be sent.
> >
> > Martin Grigorov
> > Wicket Training and Consulting
> > https://twitter.com/mtgrigorov
> >
> > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar <ja...@mcruncher.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > I have this requirement where some of the data entered by the user are
> to
> > > be encrypted in the client side before the request is submitted to the
> > > Wicket server even though the communication is over HTTPS.
> > >
> > > I am thinking of having some JavaScript code in the client which shall
> > > intercept the form submission, request the Server for a randomly
> > generated
> > > key and encrypt the form data using the key received and then submit
> the
> > > form again.
> > >
> > > Any idea how to achieve this in Wicket?
> > >
> > > --
> > > Thanks & regards
> > > James
> > >
> >
>
>
>
> --
> Thanks & regards
> James Selvakumar
>

Re: Encrypt selected form data before submitting the request to Server

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

I'd add it to the AjaxButton that submits the form.
Yes, it should work with 6.x.

I have never used a *synchronous* Ajax call in my apps. This is something
that is highly discouraged by everyone (specifications, books, articles,
etc.).
A synchronous call will make your browser unusable during the call!
But this is the only way I see to get your key during the form submit
processing.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Jan 16, 2017 at 8:36 AM, James Selvakumar <ja...@mcruncher.com>
wrote:

> Hi Martin,
>
> Thanks a lot for your response.
> Can I add this behavior directly to the form or should this be added to a
> form component?
> Will this work on Wicket 6.x?
>
> On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov <mg...@apache.org>
> wrote:
>
> > Hi,
> >
> > The easiest way I see is to use onBeforeSend() callback listener on the
> > Ajax submit behavior of the form.
> > There you can do a **synchronous** Ajax call to get your key and then
> > modify (i.e. encrypt) the data to be sent.
> >
> > Martin Grigorov
> > Wicket Training and Consulting
> > https://twitter.com/mtgrigorov
> >
> > On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar <ja...@mcruncher.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > I have this requirement where some of the data entered by the user are
> to
> > > be encrypted in the client side before the request is submitted to the
> > > Wicket server even though the communication is over HTTPS.
> > >
> > > I am thinking of having some JavaScript code in the client which shall
> > > intercept the form submission, request the Server for a randomly
> > generated
> > > key and encrypt the form data using the key received and then submit
> the
> > > form again.
> > >
> > > Any idea how to achieve this in Wicket?
> > >
> > > --
> > > Thanks & regards
> > > James
> > >
> >
>
>
>
> --
> Thanks & regards
> James Selvakumar
>

Re: Encrypt selected form data before submitting the request to Server

Posted by James Selvakumar <ja...@mcruncher.com>.
Hi Martin,

Thanks a lot for your response.
Can I add this behavior directly to the form or should this be added to a
form component?
Will this work on Wicket 6.x?

On Mon, Jan 16, 2017 at 3:29 PM, Martin Grigorov <mg...@apache.org>
wrote:

> Hi,
>
> The easiest way I see is to use onBeforeSend() callback listener on the
> Ajax submit behavior of the form.
> There you can do a **synchronous** Ajax call to get your key and then
> modify (i.e. encrypt) the data to be sent.
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar <ja...@mcruncher.com>
> wrote:
>
> > Hi all,
> >
> > I have this requirement where some of the data entered by the user are to
> > be encrypted in the client side before the request is submitted to the
> > Wicket server even though the communication is over HTTPS.
> >
> > I am thinking of having some JavaScript code in the client which shall
> > intercept the form submission, request the Server for a randomly
> generated
> > key and encrypt the form data using the key received and then submit the
> > form again.
> >
> > Any idea how to achieve this in Wicket?
> >
> > --
> > Thanks & regards
> > James
> >
>



-- 
Thanks & regards
James Selvakumar

Re: Encrypt selected form data before submitting the request to Server

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

The easiest way I see is to use onBeforeSend() callback listener on the
Ajax submit behavior of the form.
There you can do a **synchronous** Ajax call to get your key and then
modify (i.e. encrypt) the data to be sent.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Jan 16, 2017 at 8:08 AM, James Selvakumar <ja...@mcruncher.com>
wrote:

> Hi all,
>
> I have this requirement where some of the data entered by the user are to
> be encrypted in the client side before the request is submitted to the
> Wicket server even though the communication is over HTTPS.
>
> I am thinking of having some JavaScript code in the client which shall
> intercept the form submission, request the Server for a randomly generated
> key and encrypt the form data using the key received and then submit the
> form again.
>
> Any idea how to achieve this in Wicket?
>
> --
> Thanks & regards
> James
>