Add CSRF protection header for ajax call to wicket

I am editing a web page created with Apache Wicket, and we want to add some CSRF protection to the website. Wanting to keep it stateless, we want to use the dual presentation pattern.

For forms, we'll probably end up using a hidden field that will contain the CSRF token.

But we also need to add this to some GET requests made using AjaxFallbackLink, which also change some data (I know it shouldn't be doing this, but I can't change it at this time). For this we are considering placing a CSRF token in a custom header that is sent with the request, but I have not seen any way to hook into the JavaScript method that Wicket uses (wicketAjaxGet apparently only has a precondition function and a channel function). Are there any suggestions on how I can do this?

Or would adding a token to the URL be a good option? What would the problems be in this case compared to setting it in the header, if we are using HTTPS?

Or any other ideas on how we could add CSRF protection for these AJAX GET requests?

+3




2 answers


You can use CsrfPreventionRequestCycleListener, which is packaged with Wicket 6.x (and 7.x).

You install it in your application init method:



```java
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;

@Override
protected void init() {
    // ...
    getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
    // ...
}
```

Then the Origin headers will be checked in all requests, including AJAX. You need to set up the listener the way you want it to act, which origins you want to allow, etc.

+3


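As an added example (not part of the answer above), here is how the listener's behaviour can be configured before it is installed. The application class name and the accepted origin are assumed values; the setter names are the listener's own public API in Wicket 6.20+/7.x (`addAcceptedOrigin`, `setConflictingOriginAction`, `setNoOriginAction`, `setErrorCode`, `setErrorMessage`), with `CsrfAction` being its nested enum.

```java
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;

// Hypothetical application class (assumed name).
public class ShopApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();

        CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener();

        // Requests whose Origin/Referer matches the application's own host are
        // always accepted. Add only the hosts you genuinely trust to post to you
        // (assumed value here).
        csrf.addAcceptedOrigin("partner.example.com");

        // Origin/Referer present but pointing at an unknown host: reject the request
        // instead of letting it reach the page or the Ajax behaviour.
        csrf.setConflictingOriginAction(CsrfAction.ABORT);

        // Neither Origin nor Referer present. Browsers send Origin on every
        // cross-site request and Wicket Ajax calls, so treating "no origin" as
        // suspicious closes the gap left by a stripped Referer; SUPPRESS lets the
        // request through but skips the handler, ABORT rejects it outright.
        csrf.setNoOriginAction(CsrfAction.SUPPRESS);

        // What the client sees when a request is aborted.
        csrf.setErrorCode(403);
        csrf.setErrorMessage("Cross-origin request rejected");

        getRequestCycleListeners().add(csrf);
    }
}
```

The listener is stateless (it only compares request headers), so it fits the question's no-session requirement. It is worth keeping the page's second point in mind when choosing `setNoOriginAction`: allowing requests that carry no Origin and no Referer is the permissive default, and it is exactly the case an attacker can sometimes produce, so pick SUPPRESS or ABORT unless you have clients that legitimately send neither.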


If you are using Ajax components, the page will be saved.

If you are ok to have an http session, then the easiest way is to use the CryptoMapper (note: it has many improvements in Wicket 6.x!).



If you want the page to be inactive, you must use your own token - both the request header and the parameter. Check out wicketstuff-stateless for stateless Ajax components.

+2


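As an added example (not from the answer above, not a Wicket or wicketstuff class), here is one way to implement the "own token" the answer describes without any HTTP session: a double-submit check where the token lives in a cookie and must be repeated either in a request header or in a query parameter, so it covers the AjaxFallbackLink GETs from the question. The cookie, header and parameter names, the class names and the metadata key are assumptions; the Wicket API used (`AbstractRequestCycleListener`, `WebRequest.getCookie`/`getHeader`/`isAjax`, `WebResponse.addCookie`, `RequestCycle` metadata, `AjaxFallbackLink.updateAjaxAttributes`, `AjaxRequestAttributes.getExtraParameters`) exists in Wicket 6/7.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.MetaDataKey;
import org.apache.wicket.ajax.attributes.AjaxRequestAttributes;
import org.apache.wicket.ajax.markup.html.AjaxFallbackLink;
import org.apache.wicket.protocol.http.servlet.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebRequest;
import org.apache.wicket.request.http.WebResponse;

/** Hypothetical stateless double-submit CSRF listener (added example). */
public class DoubleSubmitCsrfListener extends AbstractRequestCycleListener {

    // Assumed names; pick whatever your JavaScript and links agree on.
    public static final String COOKIE = "XSRF-TOKEN";
    public static final String HEADER = "X-CSRF-Token";
    public static final String PARAM  = "csrf";
    /** Token of the current request, readable by components while rendering. */
    public static final MetaDataKey<String> TOKEN = new MetaDataKey<String>() {};

    private final SecureRandom random = new SecureRandom();

    @Override
    public void onBeginRequest(RequestCycle cycle) {
        if (!(cycle.getRequest() instanceof WebRequest)) {
            return;
        }
        WebRequest request = (WebRequest) cycle.getRequest();
        HttpServletRequest http = (HttpServletRequest) request.getContainerRequest();

        Cookie cookie = request.getCookie(COOKIE);
        String expected = cookie == null ? null : cookie.getValue();

        // In this application every Ajax call may change state (the question's
        // AjaxFallbackLinks), and so may every non-GET request. Plain page GETs are
        // left alone so that the very first visit can obtain a cookie.
        boolean mustCheck = request.isAjax() || !"GET".equalsIgnoreCase(http.getMethod());
        if (mustCheck) {
            String presented = request.getHeader(HEADER);
            if (presented == null) {
                presented = request.getQueryParameters().getParameterValue(PARAM).toString();
            }
            if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
                throw new AbortWithHttpErrorCodeException(403, "CSRF token missing or invalid");
            }
        }

        // First visit: issue a token. The cookie is deliberately not HttpOnly, because
        // the page's JavaScript must read it to echo it in the header; Secure is set
        // because the site is served over HTTPS.
        if (expected == null && cycle.getResponse() instanceof WebResponse) {
            expected = newToken();
            Cookie fresh = new Cookie(COOKIE, expected);
            fresh.setPath("/");
            fresh.setSecure(true);
            ((WebResponse) cycle.getResponse()).addCookie(fresh);
        }
        cycle.setMetaData(TOKEN, expected);
    }

    private String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Length-independent comparison so the check does not leak the token byte by byte. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** Link whose Ajax GET repeats the cookie token as a query parameter (hypothetical class). */
    public abstract static class CsrfAjaxFallbackLink<T> extends AjaxFallbackLink<T> {
        public CsrfAjaxFallbackLink(String id) {
            super(id);
        }

        @Override
        protected void updateAjaxAttributes(AjaxRequestAttributes attributes) {
            super.updateAjaxAttributes(attributes);
            attributes.getExtraParameters().put(PARAM, getRequestCycle().getMetaData(TOKEN));
        }
    }
}
```

Install it with `getRequestCycleListeners().add(new DoubleSubmitCsrfListener())` in `init()`. Two caveats a reviewer would raise: the non-JavaScript fallback of an AjaxFallbackLink is a plain GET that this listener does not check, so that path should either be turned into a POST or also be given the parameter; and because the token is bound to a cookie rather than to a user, the scheme only holds while the cookie cannot be set by another site, which is why it is marked Secure and why the page relies on HTTPS.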
