Posted to dev@wicket.apache.org by Martin Grigorov <mg...@apache.org> on 2015/11/01 20:03:38 UTC

Re: Wicket CSRF

On Fri, Oct 30, 2015 at 6:19 PM, Martijn Dashorst <
martijn.dashorst@gmail.com> wrote:

> Use the CsrfPreventionRequestCycleListener. It checks the Origin
> header and prevents requests from untrusted origins, which the
> CryptoMapper doesn't do. That just encrypts the URLs, making them hard
> to guess, but doesn't prevent anyone from calling such a URL from a
> different origin.
>

This deserves a section at
https://ci.apache.org/projects/wicket/guide/7.x/guide/security.html


>
> Martijn
>
>
> On Fri, Oct 30, 2015 at 4:41 PM, Mihir Chhaya <mi...@gmail.com>
> wrote:
> > Hello,
> >
> > I have read Wicket CSRF related posts on wicket forum before posting this
> > question.
> > I could not find one with detail I am looking for. If I have missed any,
> > please redirect me to the link.
> >
> > I am looking into CSRF and Wicket 7 default settings. Everything seems
> > fine with use of CryptoMapper (which by default uses
> > KeyInSessionSunJceCryptFactory) to handle CSRF attack.
> >
> > But I am not sure if Wicket still protects against CSRF if CryptoMapper
> > is not used. Does the default mapper inherently use
> > KeyInSessionSunJceCryptFactory? The documentation says
> > KeyInSessionSunJceCryptFactory is default only for ICrypt implementation
> > objects. If not, then should one use CsrfPreventionRequestCycleListener?
> >
> > If default anti-CSRF is already set like CryptoMapper, which Wicket
> > source class can I look into for a better understanding?
> >
> > Thanks in advance,
> > -Mihir.
>
>
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
>
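As an added illustration of the advice above (not code from the thread or from the Wicket project), a Wicket 7 application class that keeps the CryptoMapper for URL encryption but relies on CsrfPreventionRequestCycleListener for the actual cross-origin check. The class, package and the `sso.example.org` origin are hypothetical; the listener, CryptoMapper and CsrfAction types are Wicket's own.

```java
package com.example.app; // hypothetical package

import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;

public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical home page
    }

    @Override
    protected void init() {
        super.init();

        // Weak setting on its own: the CryptoMapper only encrypts URLs so they are
        // hard to guess. A third-party page that already holds such a URL (for
        // example, one leaked in a log or a referrer) can still submit it.
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

        // Corrected setting: the listener compares the Origin header of incoming
        // requests against this application's own origin and rejects mismatches.
        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener();

        // Additional origin that is allowed to post to this application
        // (hypothetical host; add only origins you actually trust).
        csrf.addAcceptedOrigin("sso.example.org");

        // Requests that carry no Origin header at all (e.g. old browsers, same-site
        // navigations) are let through; tighten to ABORT if all clients send Origin.
        csrf.setNoOriginAction(CsrfAction.ALLOW);

        // Requests whose Origin conflicts with the application's origin are aborted
        // with an error response instead of being processed.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);
        csrf.setErrorCode(403);
        csrf.setErrorMessage("Origin does not correspond to request");

        getRequestCycleListeners().add(csrf);
    }
}
```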