Posted to users@wicket.apache.org by Andrea Del Bene <an...@gmail.com> on 2016/01/01 15:48:41 UTC

Re: Wicket CSRF/XSRF protection

Hi,

I think you might need to roll your own RequestCycleListener to 
check for the XSRF-TOKEN. Alternatively, if you are using wicketstuff 
REST support you could use the hook method onBeforeMethodInvoked to check 
the token before the REST API is invoked.
See 
https://github.com/wicketstuff/core/tree/master/wicketstuff-restannotations-parent 
and the javadoc 
http://wicketstuff.org/core/javadoc7/apidocs/org/wicketstuff/rest/resource/AbstractRestResource.html

Andrea.
> Hi all,
>
> Starting from [this][1] question on stackoverflow, I'm going to ask 
> one thing more.
>
> I've developed a web application in which Apache Wicket acts as the "REST 
> backend": it only exposes HTTP resources; there is an application but 
> there are no pages and nothing HTML related.
> All of the "frontend" is developed in AngularJS.
>
> Now, I need protection against CSRF attacks. AngularJS documentation 
> says:
>
> To take advantage of this [angular XSRF protection], your server needs 
> to set a token in a JavaScript readable session cookie called XSRF-TOKEN 
> on first HTTP GET request. On subsequent non-GET requests the server can 
> verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be 
> sure that only JavaScript running on your domain could have read the token.
>
>
> How can I get this token managed by Apache Wicket?
>
> Are there wicket implementations of such mechanism?
>
> I found /*CsrfPreventionRequestCycleListener*/, but this doesn't 
> protect all requests; it seems to be configured (by default) only to 
> protect ajax requests on components or links. Or /*CryptoMapper*/ with 
> /*KeyInSessionSunJceCryptFactory*/, but this does not seem to do what 
> I'm looking for.
> I "just" want to send a token, not to encrypt URLs, but if it guarantees 
> the same protection I'll do that.
>
> I've not found much in the documentation; can you help me?
>
>
>   [1]: 
> http://stackoverflow.com/questions/29881338/add-csrf-protection-header-to-wicket-ajax-call#new-answer
>
> Best regards,
> Andrea
>
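A listener of the kind Andrea suggests, written here as an added example (it is not code from this thread or from Wicket itself): on a safe method it issues the JavaScript-readable XSRF-TOKEN cookie that AngularJS expects, and on any other method it rejects the request unless the cookie matches the X-XSRF-TOKEN header. It assumes the Wicket 7 request cycle API (AbstractRequestCycleListener, WebRequest, WebResponse); the class name and helper names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.wicket.protocol.http.servlet.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebRequest;
import org.apache.wicket.request.http.WebResponse;

/** Double-submit cookie check following the AngularJS $http XSRF convention.
 *  Register it in WebApplication.init(): getRequestCycleListeners().add(new XsrfTokenListener()); */
public class XsrfTokenListener extends AbstractRequestCycleListener {
    private static final String COOKIE = "XSRF-TOKEN";   // name Angular reads
    private static final String HEADER = "X-XSRF-TOKEN"; // name Angular sends back
    private static final SecureRandom RNG = new SecureRandom();
    @Override
    public void onBeginRequest(RequestCycle cycle) {
        WebRequest request = (WebRequest) cycle.getRequest();
        HttpServletRequest http = (HttpServletRequest) request.getContainerRequest();
        Cookie cookie = request.getCookie(COOKIE);
        String method = http.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            // Safe methods: hand out the token once. No HttpOnly flag on purpose,
            // because Angular must read the cookie from JavaScript to echo it.
            if (cookie == null) {
                Cookie fresh = new Cookie(COOKIE, newToken());
                fresh.setPath("/");
                fresh.setSecure(http.isSecure());
                ((WebResponse) cycle.getResponse()).addCookie(fresh);
            }
            return;
        }
        // State-changing methods: cookie and header must both be present and equal.
        String header = request.getHeader(HEADER);
        if (cookie == null || header == null || !constantTimeEquals(cookie.getValue(), header)) {
            throw new AbortWithHttpErrorCodeException(HttpServletResponse.SC_FORBIDDEN, "XSRF token mismatch");
        }
    }
    static String newToken() {
        byte[] raw = new byte[32]; // 256 bits of CSPRNG output
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the check runs in onBeginRequest it covers every request Wicket handles, not only Ajax requests on components, which is the gap noted with CsrfPreventionRequestCycleListener.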

