Posted to users@tapestry.apache.org by TNO <tn...@free.fr> on 2014/07/15 16:15:40 UTC

Tapestry-csrf-protection with Tapestry-Spring-Security.

Hello,

Is there anybody who already uses tapestry-csrf-protection with
Tapestry-Spring-Security?

tapestry-csrf-protection works out of the box with t:form, but
Tapestry-Spring-Security works with a simple HTML form and uses the
Spring HttpServletRequestFilter.

I'm using <input t:type="csrf/hidden"/> in the login form but I can't 
check the token value in the filters...

Thanks for any help

Cheers, Thomas


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: Tapestry-csrf-protection with Tapestry-Spring-Security.

Posted by TNO <tn...@free.fr>.
The trace:

java.lang.NullPointerException: Unable to delegate method invocation to property 'request' of <Proxy for RequestGlobals(org.apache.tapestry5.services.RequestGlobals)>, because the property is null.
     at $Request_1ce08361bf2a.readProperty(Unknown Source)
     at $Request_1ce08361bf2a.getSession(Unknown Source)
     at $Request_1ce08361bee0.getSession(Unknown Source)
     at org.apache.tapestry5.internal.services.SessionApplicationStatePersistenceStrategy.exists(SessionApplicationStatePersistenceStrategy.java:80)
     at $ApplicationStatePersistenceStrategy_1ce08361c07b.exists(Unknown Source)
     at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl$ApplicationStateAdapter.exists(ApplicationStateManagerImpl.java:60)
     at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl.getIfExists(ApplicationStateManagerImpl.java:140)
     at $ApplicationStateManager_1ce08361bf33.getIfExists(Unknown Source)
     at org.apache.tapestry5.csrfprotection.internal.SessionCsrfTokenRepository.loadToken(SessionCsrfTokenRepository.java:39)
     at $CsrfTokenRepository_1ce08361c079.loadToken(Unknown Source)
     at $CsrfTokenRepository_1ce08361beff.loadToken(Unknown Source)
     at org.atlog.mjweb.services.user.GemwebCsrfAuthenticationProcessingFilter.checkToken(GemwebCsrfAuthenticationProcessingFilter.java:40)
     at org.atlog.mjweb.services.user.GemwebCsrfAuthenticationProcessingFilter.attemptAuthentication(GemwebCsrfAuthenticationProcessingFilter.java:35)
     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
     at nu.localhost.tapestry5.springsecurity.services.internal.HttpServletRequestFilterWrapper.service(HttpServletRequestFilterWrapper.java:52)
...



On 15/07/2014 16:15, TNO wrote:
> Hello,
>
> Is there anybody who already uses tapestry-csrf-protection with
> Tapestry-Spring-Security?
>
> tapestry-csrf-protection works out of the box with t:form, but
> Tapestry-Spring-Security works with a simple HTML form and uses the
> Spring HttpServletRequestFilter.
>
> I'm using <input t:type="csrf/hidden"/> in the login form but I can't
> check the token value in the filters...
>
> Thanks for any help
>
> Cheers, Thomas


Re: Tapestry-csrf-protection with Tapestry-Spring-Security.

Posted by TNO <tn...@free.fr>.
Thanks a lot, Eugen!

On 15/07/2014 22:12, Eugen wrote:
> Yes, this is the "normal" way, another way is to make a Tapestry form, e.g.:
>
> <t:form>
>     <t:textfield value="username" />
>     <t:passwordfield value="password" />
>     <t:submit />
> </t:form>
>
> and in the onSuccess event something like:
>
> @Inject
> private AuthenticationManager authenticationManager;
>
> void onSuccess() {
>     // Build the unauthenticated token from the submitted form fields.
>     Authentication authentication =
>         new UsernamePasswordAuthenticationToken(username, password);
>     // Throws AuthenticationException if the credentials are rejected.
>     Authentication authResult =
>         authenticationManager.authenticate(authentication);
>     // Store the authenticated principal in the security context.
>     SecurityContextHolder.getContext().setAuthentication(authResult);
> }
>
> This code throws an AuthenticationException if authentication fails.
>
> Eugen
>
>
> 2014-07-15 19:09 GMT+02:00 TNO <tn...@free.fr>:
>
>> Thanks, but
>>
>> This is a form with an action value
>>
>> <form id="formLogin" action="/j_spring_security_check" method="POST"
>> class="line">
>>
>> This is not a tapestry form (t:form), I don't think I can use the onSuccess
>>
>> Thomas
>>
>> On 15/07/2014 18:49, Eugen wrote:
>>
>>> Hi,
>>> You can log in programmatically in the onSuccess function of a Tapestry form.
>>> Best regards
>>> Eugen
>>> On 15.07.2014 16:16, "TNO" <tn...@free.fr> wrote:
>>>
>>>> Hello,
>>>>
>>>> Is there anybody who already uses tapestry-csrf-protection with
>>>> Tapestry-Spring-Security?
>>>>
>>>> tapestry-csrf-protection works out of the box with t:form, but
>>>> Tapestry-Spring-Security works with a simple HTML form and uses the
>>>> Spring HttpServletRequestFilter.
>>>>
>>>> I'm using <input t:type="csrf/hidden"/> in the login form but I can't
>>>> check the token value in the filters...
>>>>
>>>> Thanks for any help
>>>>
>>>> Cheers, Thomas




Re: Tapestry-csrf-protection with Tapestry-Spring-Security.

Posted by Eugen <eu...@gmail.com>.
Yes, this is the "normal" way, another way is to make a Tapestry form, e.g.:

<t:form>
    <t:textfield value="username" />
    <t:passwordfield value="password" />
    <t:submit />
</t:form>

and in the onSuccess event something like:

@Inject
private AuthenticationManager authenticationManager;

void onSuccess() {
    // Build the unauthenticated token from the submitted form fields.
    Authentication authentication =
        new UsernamePasswordAuthenticationToken(username, password);
    // Throws AuthenticationException if the credentials are rejected.
    Authentication authResult =
        authenticationManager.authenticate(authentication);
    // Store the authenticated principal in the security context.
    SecurityContextHolder.getContext().setAuthentication(authResult);
}

This code throws an AuthenticationException if authentication fails.

Eugen


2014-07-15 19:09 GMT+02:00 TNO <tn...@free.fr>:

> Thanks, but
>
> This is a form with an action value
>
> <form id="formLogin" action="/j_spring_security_check" method="POST"
> class="line">
>
> This is not a tapestry form (t:form), I don't think I can use the onSuccess
>
> Thomas
>
> On 15/07/2014 18:49, Eugen wrote:
>
>> Hi,
>> You can log in programmatically in the onSuccess function of a Tapestry form.
>> Best regards
>> Eugen
>> On 15.07.2014 16:16, "TNO" <tn...@free.fr> wrote:
>>
>>> Hello,
>>>
>>> Is there anybody who already uses tapestry-csrf-protection with
>>> Tapestry-Spring-Security?
>>>
>>> tapestry-csrf-protection works out of the box with t:form, but
>>> Tapestry-Spring-Security works with a simple HTML form and uses the
>>> Spring HttpServletRequestFilter.
>>>
>>> I'm using <input t:type="csrf/hidden"/> in the login form but I can't
>>> check the token value in the filters...
>>>
>>> Thanks for any help
>>>
>>> Cheers, Thomas
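The programmatic login suggested in the reply above, written out as a full page class that also handles a rejected login (an added example, not code from the thread or from either library). It assumes Tapestry 5.4 event naming, a template form declared as <t:form t:id="loginForm">, an injectable AuthenticationManager as in the post, and a hypothetical Index landing page.

```java
// Added example. Assumes Tapestry 5.4 ("validate" form event; 5.3 named it
// "validateForm") and <t:form t:id="loginForm"> around the fields from the post.
import org.apache.tapestry5.annotations.InjectComponent;
import org.apache.tapestry5.annotations.Property;
import org.apache.tapestry5.corelib.components.Form;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

public class Login {  // hypothetical page class name

    @Property
    private String username;

    @Property
    private String password;

    @InjectComponent
    private Form loginForm;

    @Inject
    private AuthenticationManager authenticationManager;

    // Carries the result from the validate phase to the success phase
    // of the same form submission; it is not persisted across requests.
    private Authentication authResult;

    void onValidateFromLoginForm() {
        if (loginForm.getHasErrors()) {
            return;  // field-level validation already failed
        }
        try {
            authResult = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
        } catch (AuthenticationException e) {
            // One message for every failure cause, so the form does not
            // reveal whether the user name exists.
            loginForm.recordError("Invalid user name or password.");
        }
    }

    // Fired only when no error was recorded during validation.
    Object onSuccessFromLoginForm() {
        SecurityContextHolder.getContext().setAuthentication(authResult);
        return Index.class;  // hypothetical landing page
    }
}
```

Authenticating in the page bypasses the Spring login filter, so whatever that filter does on success, such as invoking a configured session authentication strategy, does not run and has to be handled separately if it is needed.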

Re: Tapestry-csrf-protection with Tapestry-Spring-Security.

Posted by TNO <tn...@free.fr>.
Thanks, but

This is a form with an action value

<form id="formLogin" action="/j_spring_security_check" method="POST" 
class="line">

This is not a tapestry form (t:form), I don't think I can use the onSuccess

Thomas

On 15/07/2014 18:49, Eugen wrote:
> Hi,
> You can log in programmatically in the onSuccess function of a Tapestry form.
> Best regards
> Eugen
> On 15.07.2014 16:16, "TNO" <tn...@free.fr> wrote:
>
>> Hello,
>>
>> Is there anybody who already uses tapestry-csrf-protection with
>> Tapestry-Spring-Security?
>>
>> tapestry-csrf-protection works out of the box with t:form, but
>> Tapestry-Spring-Security works with a simple HTML form and uses the
>> Spring HttpServletRequestFilter.
>>
>> I'm using <input t:type="csrf/hidden"/> in the login form but I can't
>> check the token value in the filters...
>>
>> Thanks for any help
>>
>> Cheers, Thomas




Re: Tapestry-csrf-protection with Tapestry-Spring-Security.

Posted by Eugen <eu...@gmail.com>.
Hi,
You can log in programmatically in the onSuccess function of a Tapestry form.
Best regards
Eugen
On 15.07.2014 16:16, "TNO" <tn...@free.fr> wrote:

> Hello,
>
> Is there anybody who already uses tapestry-csrf-protection with
> Tapestry-Spring-Security?
>
> tapestry-csrf-protection works out of the box with t:form, but
> Tapestry-Spring-Security works with a simple HTML form and uses the
> Spring HttpServletRequestFilter.
>
> I'm using <input t:type="csrf/hidden"/> in the login form but I can't
> check the token value in the filters...
>
> Thanks for any help
>
> Cheers, Thomas