Posted to users@wicket.apache.org by tomask79 <to...@embedit.cz> on 2014/10/24 13:37:05 UTC

KeyInSessionSunJceCryptFactory doesn't work in Wicket 6.0

Hi guys,

in order to protect our portal against CSRF attacks we were using
KeyInSessionSunJceCryptFactory as follows:

Application class:
.
.


Where PostUrlCryptMapper was just simple filter class ensuring that just
POST URLs will be encrypted:



This was working perfectly in Wicket 1.5! 

But now we're migrating to Wicket 6.0 and this stopped working and I don't
see any note in migration guide about this.

I was debugging it and ListenerInterfaceRequestHandler doesn't even 
come into CryptoMapper which is why POST action URL still remains
unencrypted....

I even tried the following code in Application class:


Guys, the only URLs which wicket 6.0 is able to encrypt natively are the
Resource URLs, which is pointless in my case....

Yes, I can tweak POST URLs in onUrlMapped in RequestCycle Listener for
example, but I would rather prefer to stick with my previous solution....

Guys please, what is the preferred way of encrypting URLs in Wicket 6.0???? In
order to prevent CSRF attacks...

thanks in advance

Tomas



--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/KeyInSessionSunJceCryptFactory-doesn-t-work-in-Wicket-6-0-tp4668070.html
Sent from the Users forum mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: KeyInSessionSunJceCryptFactory doesn't work in Wicket 6.0

Posted by Martin Grigorov <mg...@apache.org>.
I'll ask our release manager to cut 6.18 next Friday.
If the testing passes then it will be released around Nov 5.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Fri, Oct 24, 2014 at 3:21 PM, tomask79 <to...@embedit.cz> wrote:

> Thanks a lot Martin for quick reply.
>
> Please when is the release date of 6.18?
>
> thanks and have a nice weekend
>
> T.

Re: KeyInSessionSunJceCryptFactory doesn't work in Wicket 6.0

Posted by tomask79 <to...@embedit.cz>.
Thanks a lot Martin for quick reply.

Please when is the release date of 6.18?

thanks and have a nice weekend

T.





Re: KeyInSessionSunJceCryptFactory doesn't work in Wicket 6.0

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

It has been fixed with https://issues.apache.org/jira/browse/WICKET-5326.
Will be released with 6.18.0.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Fri, Oct 24, 2014 at 2:37 PM, tomask79 <to...@embedit.cz> wrote:

> Hi guys,
>
> in order to protect our portal against CSRF attacks we were using
> KeyInSessionSunJceCryptFactory as follows:
>
> Application class:
> .
> .
>
>
> Where PostUrlCryptMapper was just simple filter class ensuring that just
> POST URLs will be encrypted:
>
>
>
> This was working perfectly in Wicket 1.5!
>
> But now we're migrating to Wicket 6.0 and this stopped working and I don't
> see any note in migration guide about this.
>
> I was debugging it and ListenerInterfaceRequestHandler doesn't even
> come into CryptoMapper which is why POST action URL still remains
> unencrypted....
>
> I even tried the following code in Application class:
>
>
> Guys, the only URLs which wicket 6.0 is able to encrypt natively are the
> Resource URLs, which is pointless in my case....
>
> Yes, I can tweak POST URLs in onUrlMapped in RequestCycle Listener for
> example, but I would rather prefer to stick with my previous solution....
>
> Guys please, what is the preferred way of encrypting URLs in Wicket 6.0???? In
> order to prevent CSRF attacks...
>
> thanks in advance
>
> Tomas