Posted to users@tapestry.apache.org by Matthew Cordes <co...@gmail.com> on 2010/03/23 00:49:47 UTC

Cross Site Request Forgery (CSRF) for T4

Hi all,

I'm looking for a little information about CSRF for Tapestry 4. I found this
page which explains how to add CSRF preventative code to tapestry 5 (
http://wiki.apache.org/tapestry/Tapestry5CSRF). Can anyone recommend a
similar solution for Tapestry4?

If you're familiar with a document that explains how to do it, I'd love to
see it. Failing that, any pointers to places in the code I would need to
extend to do it myself would be greatly appreciated.

-Matt

Re: Cross Site Request Forgery (CSRF) for T4

Posted by Matthew Cordes <co...@gmail.com>.
Thanks Andreas,

I'll give that a shot.



On Mon, Mar 22, 2010 at 8:54 PM, Andreas Andreou <an...@di.uoa.gr> wrote:

> Assuming you just want to protect form submits and that you want to
> implement the cookie + hidden field solution, it's possible to do this:
>
> 1) Create a CSRFValidator that implements
> org.apache.tapestry.form.validator.Validator (or extends BaseValidator)
> and that uses the renderContribution method to add the cookie to the
> response and checks (in the validate method) that it matches the hidden value.
> 2) Add a Hidden component to each form you want to protect & set it to
> use CSRFValidator - unfortunately, the included hidden component doesn't
> accept the validators parameter (like TextField does), so you'll have to
> create your own version of it.
>

Re: Cross Site Request Forgery (CSRF) for T4

Posted by Andreas Andreou <an...@di.uoa.gr>.
Assuming you just want to protect form submits and that you want to
implement the cookie + hidden field solution, it's possible to do this:

1) Create a CSRFValidator that implements
org.apache.tapestry.form.validator.Validator (or extends BaseValidator)
and that uses the renderContribution method to add the cookie to the
response and checks (in the validate method) that it matches the hidden value.
2) Add a Hidden component to each form you want to protect & set it to
use CSRFValidator - unfortunately, the included hidden component doesn't
accept the validators parameter (like TextField does), so you'll have to
create your own version of it.

-- 
Andreas Andreou - andyhot@apache.org - http://blog.andyhot.gr
Tapestry / Tacos developer
Open Source / JEE Consulting

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
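As an added example (not code from this thread or from Tapestry itself) of the cookie + hidden field validator Andreas outlines, assuming Tapestry 4.1's `BaseValidator`, `IRequestCycle.getInfrastructure()` and `CookieSource` APIs; the custom Hidden component that accepts `validators`, and the HiveMind registration of the validator, are left out, and the cookie name is made up:

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import org.apache.tapestry.*;                 // IMarkupWriter, IRequestCycle
import org.apache.tapestry.form.*;            // IFormComponent, ValidationMessages, FormComponentContributorContext
import org.apache.tapestry.form.validator.BaseValidator;
import org.apache.tapestry.services.CookieSource;
import org.apache.tapestry.valid.*;           // ValidatorException, ValidationConstraint

// Double-submit cookie: the token held in a cookie must equal the value posted in the hidden field.
public class CSRFValidator extends BaseValidator {

    public static final String COOKIE_NAME = "csrfToken"; // constructed name, not a Tapestry convention
    private static final SecureRandom RANDOM = new SecureRandom();

    // Token for this browser: read the cookie, or mint a fresh 128-bit one and set it on the response.
    // The page's Hidden field binds its value to this same call, so both copies agree.
    public static String currentToken(IRequestCycle cycle) {
        CookieSource cookies = cycle.getInfrastructure().getCookieSource();
        String token = cookies.readCookieValue(COOKIE_NAME);
        if (token == null || token.length() == 0) {
            token = new BigInteger(128, RANDOM).toString(16);
            cookies.writeCookieValue(COOKIE_NAME, token);
        }
        return token;
    }

    // Render phase: make sure the cookie is on the response before the form goes out.
    public void renderContribution(IMarkupWriter writer, IRequestCycle cycle,
                                   FormComponentContributorContext context, IFormComponent field) {
        currentToken(cycle);
    }

    // Run even when the hidden field is absent, so an omitted token is rejected rather than skipped.
    public boolean getAcceptsNull() { return true; }

    // Rewind phase: the submitted hidden value must match the cookie exactly.
    public void validate(IFormComponent field, ValidationMessages messages, Object object)
            throws ValidatorException {
        String cookie = field.getPage().getRequestCycle()
                .getInfrastructure().getCookieSource().readCookieValue(COOKIE_NAME);
        String posted = object == null ? "" : object.toString();
        // Constant-time comparison so the check does not leak how many leading bytes matched.
        boolean ok = cookie != null && MessageDigest.isEqual(cookie.getBytes(), posted.getBytes());
        if (!ok)
            throw new ValidatorException("CSRF token missing or does not match",
                                         ValidationConstraint.CONSISTENCY);
    }
}
```

In the page class, bind the hidden field's value to `CSRFValidator.currentToken(getRequestCycle())` so the rendered field carries the same token the cookie holds.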