Posted to users@wicket.apache.org by Maxim Solodovnik <so...@gmail.com> on 2017/05/11 03:44:35 UTC

WebSockets and CsrfPreventionRequestCycleListener

Hello All,

I have just tried to add CsrfPreventionRequestCycleListener to our application;
everything seems to work except for WebSockets :(

Now I'm getting

[INFO] [http-nio-0.0.0.0-5080-exec-9]
org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
Possible CSRF attack, request URL:
/openmeetings/wicket/websocket?pageId=1&wicket-ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
Origin: null, action: aborted with error 400 Origin does not
correspond to request
[WARN] [http-nio-0.0.0.0-5080-exec-9]
org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error
response in WebSocket communication would not be processed by the
browser! If you need to send the error code and message to the client
then configure custom WebSocketResponse via
WebSocketSettings#newWebSocketResponse() factory method and override
#sendError() method to write them in an appropriate format for your
application. The ignored error code is '400' and the message: 'Origin
does not correspond to request'.

in the logs ...
What should I do to set Origin for WebSockets?

-- 
WBR
Maxim aka solomax

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Maxim Solodovnik <so...@gmail.com>.
Thanks a lot Martin!
Will check as soon as I get back from vacation :)

WBR, Maxim
(from mobile, sorry for the typos)

On May 31, 2017 22:38, "Martin Grigorov" <mg...@apache.org> wrote:

> https://issues.apache.org/jira/browse/WICKET-6389
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov

Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Martin Grigorov <mg...@apache.org>.
https://issues.apache.org/jira/browse/WICKET-6389

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, May 16, 2017 at 5:10 AM, Maxim Solodovnik <so...@gmail.com>
wrote:

> I just have checked CsrfPreventionRequestCycleListener with overriden
> isChecked and it produces no errors
>
> I would vote for WebSocketAwareCsrfPreventionRequestCycleListener :)

Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Maxim Solodovnik <so...@gmail.com>.
I have just checked CsrfPreventionRequestCycleListener with an overridden
isChecked and it produces no errors.

I would vote for WebSocketAwareCsrfPreventionRequestCycleListener :)

On Tue, May 16, 2017 at 5:50 AM, Martin Grigorov <mg...@apache.org> wrote:
> Hi Maxim,
>
> You can use
>
> getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
>     @Override
>     protected boolean isChecked(IRequestHandler handler)
>     {
>         if (handler instanceof WebSocketRequestHandler
>             || handler instanceof WebSocketMessageBroadcastHandler) {
>             return false;
>         }
>         return super.isChecked(handler);
>     }
> });
>
>
> The upgrade request has a proper Origin header:
>
>
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: en-US,en;q=0.8,bg;q=0.6
> Cache-Control: no-cache
> Connection: Upgrade
> Cookie: ....
> DNT: 1
> Host: localhost:8080
> Origin: http://localhost:8080
> Pragma: no-cache
> Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
> Sec-WebSocket-Key: FcSNIsIh3HO95UGmMUA27g==
> Sec-WebSocket-Version: 13
> Upgrade: websocket
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
>
> But the following communication is via the WebSocket connection and the
> packets there do not bring request headers.
> Wicket Native WebSocket module creates WebSocketRequest for each WS message
> and those do not have request headers, so they can be safely ignored.
> Maybe we can introduce WebSocketAwareCsrfPreventionRequestCycleListener in
> wicket-native-websocket-core and recommend its usage when the app uses
> WebSockets?!
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
-- 
WBR
Maxim aka solomax


Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Martin Grigorov <mg...@apache.org>.
Hi Maxim,

You can use

// Imports assumed for the snippet (it goes in your Application#init()):
// org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener
// org.apache.wicket.protocol.ws.api.WebSocketMessageBroadcastHandler
// org.apache.wicket.protocol.ws.api.WebSocketRequestHandler
// org.apache.wicket.request.IRequestHandler
getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
    @Override
    protected boolean isChecked(IRequestHandler handler)
    {
        // WebSocket frames carry no HTTP headers, so there is no Origin to
        // compare; the upgrade request is where Origin is checked, skip frames
        if (handler instanceof WebSocketRequestHandler
            || handler instanceof WebSocketMessageBroadcastHandler) {
            return false;
        }
        return super.isChecked(handler);
    }
});


The upgrade request has a proper Origin header:


Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,bg;q=0.6
Cache-Control: no-cache
Connection: Upgrade
Cookie: ....
DNT: 1
Host: localhost:8080
Origin: http://localhost:8080
Pragma: no-cache
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Sec-WebSocket-Key: FcSNIsIh3HO95UGmMUA27g==
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36

But the following communication is via the WebSocket connection and the
packets there do not bring request headers.
Wicket Native WebSocket module creates WebSocketRequest for each WS message
and those do not have request headers, so they can be safely ignored.
Maybe we can introduce WebSocketAwareCsrfPreventionRequestCycleListener in
wicket-native-websocket-core and recommend its usage when the app uses
WebSockets?!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, May 15, 2017 at 11:26 AM, Maxim Solodovnik <so...@gmail.com>
wrote:

> Example project demonstrating it is here:
> https://github.com/solomax/ajax-download
>
>
> html with WebSocket.send:
> https://github.com/solomax/ajax-download/commit/
> 84af661b1e5e110419f17dbf9295547c135a0cc5#diff-
> 217ea4d3217197ce4ece382e050a7302R26

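To make concrete why the isChecked override in Martin's mail above skips the per-message handlers, here is an added Python model of the Origin check; it is an illustration written for this thread, not Wicket's code, and the Request/Decision types, the constructed cross-site origin and the same-origin comparison are assumptions. It runs the check over the handshake headers from Martin's capture and then over a per-frame request that, as he describes, carries no headers: checking every request reproduces the "Origin: null ... 400" outcome from the log, while the handler-aware policy passes frames through and still rejects a cross-origin handshake, which is what makes skipping the frames safe.

```python
"""Model of an Origin-based CSRF check across a WebSocket's lifecycle.

Added illustration for this thread, not Wicket's code: the request kinds,
type names and the same-origin comparison are assumptions modelled on the
behaviour described in the mail, using the headers captured there.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Handshake headers from the capture in the thread (subset; cookie elided)
UPGRADE_HEADERS_RAW = """\
Host: localhost:8080
Origin: http://localhost:8080
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
"""

# URL of the WebSocket request as it appears in the log of the first mail
WS_URL = ("/openmeetings/wicket/websocket?pageId=1"
          "&wicket-ajax-baseurl=&wicket-app-name=OpenmeetingsApplication")


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


@dataclass
class Request:
    kind: str                      # "upgrade" (HTTP) or "message" (WS frame)
    url: str
    headers: dict = field(default_factory=dict)
    scheme: str = "http"           # scheme the server was reached on


@dataclass
class Decision:
    checked: bool                  # did the listener apply the Origin check?
    allowed: bool
    reason: str


def _normalized_origin(url: str):
    """(scheme, host, port) with the default port filled in, for comparison."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, (parts.hostname or "").lower(), port


def origin_matches(req: Request):
    """Same-origin comparison of the Origin header against the request target.

    Returns (allowed, reason); a missing Origin is reported the way the
    Wicket log line in the thread reports it ("Origin: null").
    """
    origin = req.headers.get("origin")
    host = req.headers.get("host")
    if origin is None or host is None:
        return False, "Origin: null, aborted with error 400"
    if _normalized_origin(origin) == _normalized_origin(f"{req.scheme}://{host}"):
        return True, "Origin corresponds to request"
    return False, "Origin does not correspond to request, aborted with error 400"


def naive_check(req: Request) -> Decision:
    """Apply the Origin check to every request, WebSocket frames included."""
    allowed, reason = origin_matches(req)
    return Decision(checked=True, allowed=allowed, reason=reason)


def websocket_aware_check(req: Request) -> Decision:
    """Skip frames (they carry no HTTP headers); still check the upgrade."""
    if req.kind == "message":
        return Decision(checked=False, allowed=True,
                        reason="WebSocket message carries no headers; not checked")
    allowed, reason = origin_matches(req)
    return Decision(checked=True, allowed=allowed, reason=reason)


def run_scenario(check) -> list:
    """Run one check policy over the sequence of requests the thread describes."""
    handshake = parse_headers(UPGRADE_HEADERS_RAW)
    cross_site = dict(handshake, origin="http://other-site.example")  # constructed
    requests = [
        Request("upgrade", WS_URL, handshake),       # browser's upgrade handshake
        Request("message", WS_URL),                  # Wicket.WebSocket.send(...)
        Request("upgrade", WS_URL, cross_site),      # handshake from another origin
    ]
    return [check(r) for r in requests]


if __name__ == "__main__":
    for name, policy in (("naive", naive_check), ("websocket-aware", websocket_aware_check)):
        print(name)
        for d in run_scenario(policy):
            print(f"  checked={d.checked!s:5} allowed={d.allowed!s:5} {d.reason}")
```
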
Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Maxim Solodovnik <so...@gmail.com>.
Example project demonstrating it is here:
https://github.com/solomax/ajax-download


html with WebSocket.send:
https://github.com/solomax/ajax-download/commit/84af661b1e5e110419f17dbf9295547c135a0cc5#diff-217ea4d3217197ce4ece382e050a7302R26

On Mon, May 15, 2017 at 3:14 PM, Maxim Solodovnik <so...@gmail.com> wrote:
> Thanks a lot for checking Martin,
>
> The issue seems to be caused by the following code in *.html (reproducible
> using quickstart)
>
> <script type="text/javascript">
> $(function() {
>   Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, function() {
>     Wicket.WebSocket.send("socketConnected");
>   });
> });
> </script>
>
> I guess I need to manually set missing headers in such a call
>
> Can you please help to set necessary headers?
>
> On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov <mg...@apache.org> wrote:
>> Hi Maxim,
>>
>> Just adding getRequestCycleListeners().add(new
>> CsrfPreventionRequestCycleListener());
>> to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't
>> lead to any error.
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik <so...@gmail.com>
>> wrote:
>>
>>> Hello Martin,
>>>
>>> Were you able to take a look at it?
>>> I was hoping to have M6 with working Csrf+WebSockets ....
>>>
>>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik <so...@gmail.com>
>>> wrote:
>>> > Thanks a million, Martin :)
>>> >
>>> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mg...@apache.org>
>>> wrote:
>>> >> Hi Maxim,
>>> >>
>>> >> I don't use this combination.
>>> >> But I will try to test it soon and see what can be done.
>>> >>
>>> >> Martin Grigorov
>>> >> Wicket Training and Consulting
>>> >> https://twitter.com/mtgrigorov
>>> >>
>>> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <
>>> solomax666@gmail.com>
>>> >> wrote:
>>> >>
>>> >>> Does anybody use this filter?
>>> >>>
>>> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <
>>> solomax666@gmail.com>
>>> >>> wrote:
>>> >>> > Hello All,
>>> >>> >
>>> >>> > just have tried to add CsrfPreventionRequestCycleListener to our
>>> >>> application
>>> >>> > everything seems to work except for Websockets :(
>>> >>> >
>>> >>> > Now I'm getting
>>> >>> >
>>> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9]
>>> >>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
>>> >>> > Possible CSRF attack, request URL:
>>> >>> > /openmeetings/wicket/websocket?pageId=1&wicket-
>>> >>> ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
>>> >>> > Origin: null, action: aborted with error 400 Origin does not
>>> >>> > correspond to request
>>> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9]
>>> >>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error
>>> >>> > response in WebSocket communication would not be processed by the
>>> >>> > browser! If you need to send the error code and message to the client
>>> >>> > then configure custom WebSocketResponse via
>>> >>> > WebSocketSettings#newWebSocketResponse() factory method and override
>>> >>> > #sendError() method to write them in an appropriate format for your
>>> >>> > application. The ignored error code is '400' and the message: 'Origin
>>> >>> > does not correspond to request'.
>>> >>> >
>>> >>> > in the logs ...
>>> >>> > What should I do to set Origin for Websockets?
>>> >>> >
>>> >>> > --
>>> >>> > WBR
>>> >>> > Maxim aka solomax
>>> >>>
>>> >>>
>>> >>>
>>> >>> --
>>> >>> WBR
>>> >>> Maxim aka solomax
>>> >>>
>>> >>> ---------------------------------------------------------------------
>>> >>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>>> >>> For additional commands, e-mail: users-help@wicket.apache.org
>>> >>>
>>> >>>
>>> >
>>> >
>>> >
>>> > --
>>> > WBR
>>> > Maxim aka solomax
>>>
>>>
>>>
>>> --
>>> WBR
>>> Maxim aka solomax
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>>> For additional commands, e-mail: users-help@wicket.apache.org
>>>
>>>
>
>
>
> --
> WBR
> Maxim aka solomax



-- 
WBR
Maxim aka solomax



Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Maxim Solodovnik <so...@gmail.com>.
Thanks a lot for checking Martin,

The issue seems to be caused by the following code in *.html (reproducible
using quickstart)

<script type="text/javascript">
$(function() {
  // Runs once Wicket's WebSocket connection for this page has been opened.
  Wicket.Event.subscribe(Wicket.Event.Topic.WebSocket.Opened, function() {
    // Sends a text message over the open WebSocket; this is the request
    // that CsrfPreventionRequestCycleListener rejects with "Origin: null".
    Wicket.WebSocket.send("socketConnected");
  });
});
</script>

I guess I need to manually set missing headers in such a call

Can you please help to set necessary headers?

On Mon, May 15, 2017 at 1:50 PM, Martin Grigorov <mg...@apache.org> wrote:
> Hi Maxim,
>
> Just adding getRequestCycleListeners().add(new
> CsrfPreventionRequestCycleListener());
> to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't
> lead to any error.
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik <so...@gmail.com>
> wrote:
>
>> Hello Martin,
>>
>> Were you able to take a look at it?
>> I was hoping to have M6 with working Csrf+WebSockets ....
>>
>> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik <so...@gmail.com>
>> wrote:
>> > Thanks a million, Martin :)
>> >
>> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mg...@apache.org>
>> wrote:
>> >> Hi Maxim,
>> >>
>> >> I don't use this combination.
>> >> But I will try to test it soon and see what can be done.
>> >>
>> >> Martin Grigorov
>> >> Wicket Training and Consulting
>> >> https://twitter.com/mtgrigorov
>> >>
>> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <
>> solomax666@gmail.com>
>> >> wrote:
>> >>
>> >>> Does anybody use this filter?
>> >>>
>> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <
>> solomax666@gmail.com>
>> >>> wrote:
>> >>> > Hello All,
>> >>> >
>> >>> > just have tried to add CsrfPreventionRequestCycleListener to our
>> >>> application
>> >>> > everything seems to work except for Websockets :(
>> >>> >
>> >>> > Now I'm getting
>> >>> >
>> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9]
>> >>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
>> >>> > Possible CSRF attack, request URL:
>> >>> > /openmeetings/wicket/websocket?pageId=1&wicket-
>> >>> ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
>> >>> > Origin: null, action: aborted with error 400 Origin does not
>> >>> > correspond to request
>> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9]
>> >>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error
>> >>> > response in WebSocket communication would not be processed by the
>> >>> > browser! If you need to send the error code and message to the client
>> >>> > then configure custom WebSocketResponse via
>> >>> > WebSocketSettings#newWebSocketResponse() factory method and override
>> >>> > #sendError() method to write them in an appropriate format for your
>> >>> > application. The ignored error code is '400' and the message: 'Origin
>> >>> > does not correspond to request'.
>> >>> >
>> >>> > in the logs ...
>> >>> > What should I do to set Origin for Websockets?
>> >>> >
>> >>> > --
>> >>> > WBR
>> >>> > Maxim aka solomax
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> WBR
>> >>> Maxim aka solomax
>> >>>
>> >>> ---------------------------------------------------------------------
>> >>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>> >>> For additional commands, e-mail: users-help@wicket.apache.org
>> >>>
>> >>>
>> >
>> >
>> >
>> > --
>> > WBR
>> > Maxim aka solomax
>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>> For additional commands, e-mail: users-help@wicket.apache.org
>>
>>



-- 
WBR
Maxim aka solomax

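What the listener in this thread is doing, and why the in-band WebSocket message above trips it, is easier to see on a small model of the check than from the log line alone. The following is an added example, not Wicket's code: it reimplements an Origin/Referer check in the spirit of CsrfPreventionRequestCycleListener (prefer Origin, fall back to Referer, explicit accept-list, configurable actions for the no-origin and conflicting-origin cases), runs it over constructed sample traffic (the hostnames meetings.example and other-site.example are made up), and models one way the handshake's Origin could be carried over to later frames. That carry-over is an illustration of where the missing header would have to come from, not a description of what WICKET-6389 implements. The handling of a literal "Origin: null" header is also an addition; the "null" in the Wicket log is a missing header, but browsers do send the literal string for opaque origins, and a check should not treat it as a host.

```python
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Action(Enum):
    ALLOW = "allow"        # let the request through
    SUPPRESS = "suppress"  # drop the action silently, no error to the client
    ABORT = "abort"        # reject with an HTTP error (400 in the log above)


@dataclass
class Request:
    """Constructed stand-in for one incoming HTTP request or WebSocket message."""
    method: str
    url: str                                   # absolute URL the request targets
    headers: dict = field(default_factory=dict)


def normalized_origin(url):
    """(scheme, host, port) of a URL, with ws/wss folded into http/https.

    Origin headers omit the port for default ports, so it is filled in before
    comparing; otherwise "https://a.example" would differ from "https://a.example:443".
    """
    p = urlsplit(url)
    scheme = {"ws": "http", "wss": "https"}.get(p.scheme, p.scheme)
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, (p.hostname or "").lower(), port)


@dataclass
class OriginCheck:
    """Origin/Referer check modelled on CsrfPreventionRequestCycleListener (assumption)."""
    accepted_hosts: set = field(default_factory=set)   # explicitly trusted hosts
    no_origin_action: Action = Action.ABORT
    conflicting_origin_action: Action = Action.ABORT

    @staticmethod
    def source_uri(req):
        # Prefer Origin and fall back to Referer. A literal "null" Origin, which
        # browsers send for opaque origins such as sandboxed iframes, is treated
        # as absent rather than as a host named "null".
        origin = req.headers.get("Origin")
        if origin and origin.strip().lower() != "null":
            return origin
        return req.headers.get("Referer")

    def check(self, req):
        """Return (Action, reason) for one request."""
        src = self.source_uri(req)
        if not src:
            return self.no_origin_action, "no Origin or Referer header"
        if normalized_origin(src)[1] in self.accepted_hosts:
            return Action.ALLOW, "source host is explicitly accepted"
        if normalized_origin(src) != normalized_origin(req.url):
            return self.conflicting_origin_action, "Origin does not correspond to request"
        return Action.ALLOW, "same origin"


# --- constructed sample traffic (hostnames are made up) ---------------------
SITE = "https://meetings.example"
WS_URL = SITE + "/openmeetings/wicket/websocket?pageId=1"

# 1. The WebSocket handshake: the browser sends Origin, so the check passes.
HANDSHAKE = Request("GET", WS_URL, {"Origin": SITE, "Upgrade": "websocket"})
# 2. A text frame sent after the socket opened (Wicket.WebSocket.send(...)),
#    modelled as a request with no HTTP headers at all: the "Origin: null" case.
IN_BAND = Request("POST", WS_URL, {})
# 3. A request whose Origin names another site.
CROSS_SITE = Request("POST", WS_URL, {"Origin": "https://other-site.example"})


def inherit_handshake_origin(message, handshake):
    """Model of carrying the handshake's Origin over to later frames on the same
    connection. Illustrative only; not a statement of how Wicket resolved it."""
    headers = dict(message.headers)
    headers.setdefault("Origin", handshake.headers.get("Origin", ""))
    return Request(message.method, message.url, headers)


def run_demo():
    check = OriginCheck()
    return {
        "handshake": check.check(HANDSHAKE)[0],
        "in_band": check.check(IN_BAND)[0],
        "cross_site": check.check(CROSS_SITE)[0],
        "in_band_with_origin": check.check(inherit_handshake_origin(IN_BAND, HANDSHAKE))[0],
        # Accepting the other host explicitly is the accept-list knob.
        "cross_site_accepted": OriginCheck(accepted_hosts={"other-site.example"}).check(CROSS_SITE)[0],
    }


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:22s} -> {action.value}")
```

The handshake passes because the browser attaches Origin to the Upgrade request; the frame sent from the Opened callback carries no HTTP headers of its own, so the no-origin branch fires and, with the default action, the message is rejected with 400, which is exactly the log line quoted in the thread. Changing the no-origin action to SUPPRESS or ALLOW would silence the error but weakens the check for every headerless request, so the better direction is to give the in-band message a trustworthy Origin, as the last case models.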


Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Martin Grigorov <mg...@apache.org>.
Hi Maxim,

Just adding getRequestCycleListeners().add(new
CsrfPreventionRequestCycleListener());
to org.apache.wicket.examples.websocket.JSR356Application#init() doesn't
lead to any error.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, May 15, 2017 at 7:54 AM, Maxim Solodovnik <so...@gmail.com>
wrote:

> Hello Martin,
>
> Were you able to take a look at it?
> I was hoping to have M6 with working Csrf+WebSockets ....
>
> On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik <so...@gmail.com>
> wrote:
> > Thanks a million, Martin :)
> >
> > On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mg...@apache.org>
> wrote:
> >> Hi Maxim,
> >>
> >> I don't use this combination.
> >> But I will try to test it soon and see what can be done.
> >>
> >> Martin Grigorov
> >> Wicket Training and Consulting
> >> https://twitter.com/mtgrigorov
> >>
> >> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <
> solomax666@gmail.com>
> >> wrote:
> >>
> >>> Does anybody use this filter?
> >>>
> >>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <
> solomax666@gmail.com>
> >>> wrote:
> >>> > Hello All,
> >>> >
> >>> > just have tried to add CsrfPreventionRequestCycleListener to our
> >>> application
> >>> > everything seems to work except for Websockets :(
> >>> >
> >>> > Now I'm getting
> >>> >
> >>> > [INFO] [http-nio-0.0.0.0-5080-exec-9]
> >>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
> >>> > Possible CSRF attack, request URL:
> >>> > /openmeetings/wicket/websocket?pageId=1&wicket-
> >>> ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
> >>> > Origin: null, action: aborted with error 400 Origin does not
> >>> > correspond to request
> >>> > [WARN] [http-nio-0.0.0.0-5080-exec-9]
> >>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error
> >>> > response in WebSocket communication would not be processed by the
> >>> > browser! If you need to send the error code and message to the client
> >>> > then configure custom WebSocketResponse via
> >>> > WebSocketSettings#newWebSocketResponse() factory method and override
> >>> > #sendError() method to write them in an appropriate format for your
> >>> > application. The ignored error code is '400' and the message: 'Origin
> >>> > does not correspond to request'.
> >>> >
> >>> > in the logs ...
> >>> > What should I do to set Origin for Websockets?
> >>> >
> >>> > --
> >>> > WBR
> >>> > Maxim aka solomax
> >>>
> >>>
> >>>
> >>> --
> >>> WBR
> >>> Maxim aka solomax
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> >>> For additional commands, e-mail: users-help@wicket.apache.org
> >>>
> >>>
> >
> >
> >
> > --
> > WBR
> > Maxim aka solomax
>
>
>
> --
> WBR
> Maxim aka solomax
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>

Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Martin,

Were you able to take a look at it?
I was hoping to have M6 with working Csrf+WebSockets ....

On Fri, May 12, 2017 at 4:45 PM, Maxim Solodovnik <so...@gmail.com> wrote:
> Thanks a million, Martin :)
>
> On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mg...@apache.org> wrote:
>> Hi Maxim,
>>
>> I don't use this combination.
>> But I will try to test it soon and see what can be done.
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <so...@gmail.com>
>> wrote:
>>
>>> Does anybody use this filter?
>>>
>>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <so...@gmail.com>
>>> wrote:
>>> > Hello All,
>>> >
>>> > just have tried to add CsrfPreventionRequestCycleListener to our
>>> application
>>> > everything seems to work except for Websockets :(
>>> >
>>> > Now I'm getting
>>> >
>>> > [INFO] [http-nio-0.0.0.0-5080-exec-9]
>>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
>>> > Possible CSRF attack, request URL:
>>> > /openmeetings/wicket/websocket?pageId=1&wicket-
>>> ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
>>> > Origin: null, action: aborted with error 400 Origin does not
>>> > correspond to request
>>> > [WARN] [http-nio-0.0.0.0-5080-exec-9]
>>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error
>>> > response in WebSocket communication would not be processed by the
>>> > browser! If you need to send the error code and message to the client
>>> > then configure custom WebSocketResponse via
>>> > WebSocketSettings#newWebSocketResponse() factory method and override
>>> > #sendError() method to write them in an appropriate format for your
>>> > application. The ignored error code is '400' and the message: 'Origin
>>> > does not correspond to request'.
>>> >
>>> > in the logs ...
>>> > What should I do to set Origin for Websockets?
>>> >
>>> > --
>>> > WBR
>>> > Maxim aka solomax
>>>
>>>
>>>
>>> --
>>> WBR
>>> Maxim aka solomax
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>>> For additional commands, e-mail: users-help@wicket.apache.org
>>>
>>>
>
>
>
> --
> WBR
> Maxim aka solomax



-- 
WBR
Maxim aka solomax



Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Maxim Solodovnik <so...@gmail.com>.
Thanks a million, Martin :)

On Fri, May 12, 2017 at 4:34 PM, Martin Grigorov <mg...@apache.org> wrote:
> Hi Maxim,
>
> I don't use this combination.
> But I will try to test it soon and see what can be done.
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <so...@gmail.com>
> wrote:
>
>> Does anybody use this filter?
>>
>> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <so...@gmail.com>
>> wrote:
>> > Hello All,
>> >
>> > just have tried to add CsrfPreventionRequestCycleListener to our
>> application
>> > everything seems to work except for Websockets :(
>> >
>> > Now I'm getting
>> >
>> > [INFO] [http-nio-0.0.0.0-5080-exec-9]
>> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
>> > Possible CSRF attack, request URL:
>> > /openmeetings/wicket/websocket?pageId=1&wicket-
>> ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
>> > Origin: null, action: aborted with error 400 Origin does not
>> > correspond to request
>> > [WARN] [http-nio-0.0.0.0-5080-exec-9]
>> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error
>> > response in WebSocket communication would not be processed by the
>> > browser! If you need to send the error code and message to the client
>> > then configure custom WebSocketResponse via
>> > WebSocketSettings#newWebSocketResponse() factory method and override
>> > #sendError() method to write them in an appropriate format for your
>> > application. The ignored error code is '400' and the message: 'Origin
>> > does not correspond to request'.
>> >
>> > in the logs ...
>> > What should I do to set Origin for Websockets?
>> >
>> > --
>> > WBR
>> > Maxim aka solomax
>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>> For additional commands, e-mail: users-help@wicket.apache.org
>>
>>



-- 
WBR
Maxim aka solomax



Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Martin Grigorov <mg...@apache.org>.
Hi Maxim,

I don't use this combination.
But I will try to test it soon and see what can be done.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Fri, May 12, 2017 at 11:00 AM, Maxim Solodovnik <so...@gmail.com>
wrote:

> Does anybody use this filter?
>
> On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <so...@gmail.com>
> wrote:
> > Hello All,
> >
> > just have tried to add CsrfPreventionRequestCycleListener to our
> application
> > everything seems to work except for Websockets :(
> >
> > Now I'm getting
> >
> > [INFO] [http-nio-0.0.0.0-5080-exec-9]
> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
> > Possible CSRF attack, request URL:
> > /openmeetings/wicket/websocket?pageId=1&wicket-
> ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
> > Origin: null, action: aborted with error 400 Origin does not
> > correspond to request
> > [WARN] [http-nio-0.0.0.0-5080-exec-9]
> > org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error
> > response in WebSocket communication would not be processed by the
> > browser! If you need to send the error code and message to the client
> > then configure custom WebSocketResponse via
> > WebSocketSettings#newWebSocketResponse() factory method and override
> > #sendError() method to write them in an appropriate format for your
> > application. The ignored error code is '400' and the message: 'Origin
> > does not correspond to request'.
> >
> > in the logs ...
> > What should I do to set Origin for Websockets?
> >
> > --
> > WBR
> > Maxim aka solomax
>
>
>
> --
> WBR
> Maxim aka solomax
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>

Re: WebSockets and CsrfPreventionRequestCycleListener

Posted by Maxim Solodovnik <so...@gmail.com>.
Does anybody use this filter?

On Thu, May 11, 2017 at 10:44 AM, Maxim Solodovnik <so...@gmail.com> wrote:
> Hello All,
>
> just have tried to add CsrfPreventionRequestCycleListener to our application
> everything seems to work except for Websockets :(
>
> Now I'm getting
>
> [INFO] [http-nio-0.0.0.0-5080-exec-9]
> org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
> Possible CSRF attack, request URL:
> /openmeetings/wicket/websocket?pageId=1&wicket-ajax-baseurl=&wicket-app-name=OpenmeetingsApplication,
> Origin: null, action: aborted with error 400 Origin does not
> correspond to request
> [WARN] [http-nio-0.0.0.0-5080-exec-9]
> org.apache.wicket.protocol.ws.api.WebSocketResponse - An HTTP error
> response in WebSocket communication would not be processed by the
> browser! If you need to send the error code and message to the client
> then configure custom WebSocketResponse via
> WebSocketSettings#newWebSocketResponse() factory method and override
> #sendError() method to write them in an appropriate format for your
> application. The ignored error code is '400' and the message: 'Origin
> does not correspond to request'.
>
> in the logs ...
> What should I do to set Origin for Websockets?
>
> --
> WBR
> Maxim aka solomax



-- 
WBR
Maxim aka solomax
