
How to use
CsrfPreventionRequestCycleListener
in
org.apache.wicket.protocol.http

Best Java code snippets using org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener (Showing top 13 results out of 315)

origin: apache/wicket

  /**
   * Exempts web socket handlers from the CSRF check and leaves the decision for every other
   * handler to the superclass.
   *
   * @param handler
   *            the request handler to test
   * @return {@code false} for a {@code WebSocketRequestHandler} or a
   *         {@code WebSocketMessageBroadcastHandler}, otherwise the result of
   *         {@code super.isChecked(handler)}
   */
  @Override
  protected boolean isChecked(IRequestHandler handler)
  {
    boolean webSocketHandler = handler instanceof WebSocketRequestHandler
      || handler instanceof WebSocketMessageBroadcastHandler;
    // NOTE(review): these two handler types bypass the Origin/Referer comparison entirely.
    // Presumably the origin is validated when the web socket connection is established -
    // confirm before relying on this exemption.
    return !webSocketHandler && super.isChecked(handler);
  }
}
origin: org.apache.wicket/wicket-core

      allowHandler(request, sourceUri, page);
      break;
    case SUPPRESS :
      suppressHandler(request, sourceUri, page);
      break;
    case ABORT :
      abortHandler(request, sourceUri, page);
      break;
if (isWhitelistedHost(sourceUri))
  whitelistedHandler(request, sourceUri, page);
  return;
if (!isLocalOrigin(request, sourceUri))
      allowHandler(request, sourceUri, page);
      break;
    case SUPPRESS :
      suppressHandler(request, sourceUri, page);
      break;
    case ABORT :
      abortHandler(request, sourceUri, page);
      break;
  matchingOrigin(request, sourceUri, page);
origin: org.apache.wicket/wicket-core

/**
 * Decides whether a request is same-origin by comparing the normalized {@code Origin} value
 * with the target URI derived from the container request.
 *
 * @param containerRequest
 *            the current container request
 * @param originHeader
 *            the contents of the {@code Origin} HTTP header
 * @return {@code true} only when both values could be determined and are equal ignoring case
 */
protected boolean isLocalOrigin(HttpServletRequest containerRequest, String originHeader)
{
  String sourceOrigin = normalizeUri(originHeader);
  // Fail closed: a header that cannot be normalized, or a request without a usable target,
  // is never treated as local. The target is only computed when the source is usable.
  String targetOrigin = sourceOrigin == null ? null : getTargetUriFromRequest(containerRequest);
  return targetOrigin != null && sourceOrigin.equalsIgnoreCase(targetOrigin);
}
origin: com.giffing.wicket.spring.boot.starter/wicket-spring-boot-starter

/**
 * Creates a {@code CsrfPreventionRequestCycleListener}, configures it from {@code props},
 * adds it to the application's request cycle listeners and records the configuration in the
 * endpoint repository.
 *
 * @param webApplication
 *            the application that receives the listener
 */
@Override
public void init(WebApplication webApplication) {
  CsrfPreventionRequestCycleListener csrfListener = new CsrfPreventionRequestCycleListener();

  // What happens on a conflicting origin, and the error sent back when a request is refused.
  csrfListener.setConflictingOriginAction(props.getConflictingOriginAction());
  csrfListener.setErrorCode(props.getErrorCode());
  csrfListener.setErrorMessage(props.getErrorMessage());
  // What happens when the request carries no origin information at all.
  csrfListener.setNoOriginAction(props.getNoOriginAction());

  // Every accepted origin is allowed to send cross-domain requests, so this list should hold
  // only hosts that are trusted to trigger actions in the application.
  for (String trustedOrigin : props.getAcceptedOrigins()) {
    csrfListener.addAcceptedOrigin(trustedOrigin);
  }
  webApplication.getRequestCycleListeners().add(csrfListener);

  // NOTE(review): the whole properties object, accepted origins included, is published as a
  // detail; confirm that whatever reads the repository is not reachable by untrusted users.
  wicketEndpointRepository.add(new WicketAutoConfig.Builder(this.getClass())
      .withDetail("properties", props)
      .build());
}
origin: org.apache.wicket/wicket-core

@Override
public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
  if (!isEnabled())
  handler = unwrap(handler);
  if (isChecked(handler))
    HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
      .getContainerRequest();
    String sourceUri = getSourceUri(containerRequest);
    if (isChecked(targetedPage))
      checkRequest(containerRequest, sourceUri, targetedPage);
            targetedPage.getClass().getName());
      allowHandler(containerRequest, sourceUri, targetedPage);
origin: apache/syncope

// Installs the listener with its defaults: per the class Javadoc only requests that perform an
// action on a component are checked, a conflicting Origin/Referer aborts with HTTP 400, and a
// request without either header is rejected. No cross-domain origins are accepted here.
getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());
origin: apache/wicket

/**
 * Writes the source URI of the incoming request to the debug log; does nothing when debug
 * logging is disabled.
 *
 * @param cycle
 *            the request cycle that is starting
 */
@Override
public void onBeginRequest(RequestCycle cycle)
{
  if (!log.isDebugEnabled())
  {
    return;
  }
  HttpServletRequest servletRequest = (HttpServletRequest)cycle.getRequest()
    .getContainerRequest();
  // NOTE(review): the source URI presumably comes from the Origin or Referer request header,
  // so it is client-controlled text; confirm the log sink neutralizes line breaks and that
  // Referer values are acceptable to keep in debug logs.
  log.debug("Request Source URI: {}", getSourceUri(servletRequest));
}
origin: MarcGiffing/wicket-spring-boot

/**
 * Builds the CSRF prevention listener from the configured properties, registers it with the
 * application and reports the applied properties to the endpoint repository.
 *
 * @param webApplication
 *            the application whose request cycle listeners are extended
 */
@Override
public void init(WebApplication webApplication) {
  CsrfPreventionRequestCycleListener csrf = new CsrfPreventionRequestCycleListener();

  // Reaction to a conflicting origin and the error returned for refused requests.
  csrf.setConflictingOriginAction(props.getConflictingOriginAction());
  csrf.setErrorCode(props.getErrorCode());
  csrf.setErrorMessage(props.getErrorMessage());
  // Reaction to a request that carries no origin information.
  csrf.setNoOriginAction(props.getNoOriginAction());

  // Accepted origins may send cross-domain requests; keep the configured list as small as
  // the deployment allows.
  for (String allowedOrigin : props.getAcceptedOrigins()) {
    csrf.addAcceptedOrigin(allowedOrigin);
  }
  webApplication.getRequestCycleListeners().add(csrf);

  // NOTE(review): the properties, including the accepted origins, become visible to readers
  // of the endpoint repository; confirm that view is restricted.
  wicketEndpointRepository.add(new WicketAutoConfig.Builder(this.getClass())
      .withDetail("properties", props)
      .build());
}
origin: apache/wicket

@Override
public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
  if (!isEnabled())
  handler = unwrap(handler);
  if (isChecked(handler))
    HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
      .getContainerRequest();
    String sourceUri = getSourceUri(containerRequest);
    if (isChecked(targetedPage))
      checkRequest(containerRequest, sourceUri, targetedPage);
            targetedPage.getClass().getName());
      allowHandler(containerRequest, sourceUri, targetedPage);
origin: org.apache.wicket/wicket-core

/**
 * Logs the request's source URI at debug level. The container request is only touched when
 * debug logging is enabled.
 *
 * @param cycle
 *            the request cycle that is starting
 */
@Override
public void onBeginRequest(RequestCycle cycle)
{
  boolean debugEnabled = log.isDebugEnabled();
  if (debugEnabled)
  {
    HttpServletRequest httpRequest = (HttpServletRequest)cycle.getRequest()
      .getContainerRequest();
    // NOTE(review): presumably the logged value is taken from the Origin or Referer header
    // and is therefore chosen by the client; verify the logging setup escapes control
    // characters.
    String sourceUri = getSourceUri(httpRequest);
    log.debug("Request Source URI: {}", sourceUri);
  }
}
origin: apache/wicket

      allowHandler(request, sourceUri, page);
      break;
    case SUPPRESS :
      suppressHandler(request, sourceUri, page);
      break;
    case ABORT :
      abortHandler(request, sourceUri, page);
      break;
if (isWhitelistedHost(sourceUri))
  whitelistedHandler(request, sourceUri, page);
  return;
if (!isLocalOrigin(request, sourceUri))
      allowHandler(request, sourceUri, page);
      break;
    case SUPPRESS :
      suppressHandler(request, sourceUri, page);
      break;
    case ABORT :
      abortHandler(request, sourceUri, page);
      break;
  matchingOrigin(request, sourceUri, page);
origin: org.apache.wicket/wicket-native-websocket-core

  /**
   * Skips the CSRF check for web socket handlers; all other handlers are delegated to the
   * superclass.
   *
   * @param handler
   *            the request handler to test
   * @return {@code false} when the handler is a {@code WebSocketRequestHandler} or a
   *         {@code WebSocketMessageBroadcastHandler}, otherwise whatever
   *         {@code super.isChecked(handler)} returns
   */
  @Override
  protected boolean isChecked(IRequestHandler handler)
  {
    if (handler instanceof WebSocketRequestHandler)
    {
      return false;
    }
    if (handler instanceof WebSocketMessageBroadcastHandler)
    {
      return false;
    }
    // NOTE(review): the two handler types above are never compared against the request's
    // Origin/Referer; presumably that happens at web socket connection time - confirm.
    return super.isChecked(handler);
  }
}
origin: apache/wicket

/**
 * Compares the normalized {@code Origin} value with the target URI computed from the
 * container request to decide whether the request is same-origin.
 *
 * @param containerRequest
 *            the current container request
 * @param originHeader
 *            the contents of the {@code Origin} HTTP header
 * @return {@code true} when both values are available and equal ignoring case;
 *         {@code false} when either one is {@code null} or they differ
 */
protected boolean isLocalOrigin(HttpServletRequest containerRequest, String originHeader)
{
  String normalizedSource = normalizeUri(originHeader);
  if (normalizedSource != null)
  {
    String requestTarget = getTargetUriFromRequest(containerRequest);
    if (requestTarget != null)
    {
      return normalizedSource.equalsIgnoreCase(requestTarget);
    }
  }
  // Fail closed: a value that could not be determined never counts as a local origin.
  return false;
}
org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener

Javadoc

Prevents CSRF attacks on Wicket components by checking the Origin and Referer HTTP headers for cross-domain requests. By default it only checks requests that try to perform an action on a component, such as a form submit or a link click.

Installation

You can enable this CSRF prevention filter by adding it to the request cycle listeners in your WebApplication#init():

 
@Override 
protected void init() 
{ 
// ... 
// Installs the listener with its defaults: a conflicting Origin/Referer aborts the request
// with HTTP 400 and a request without either header is rejected (see Configuration).
getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener()); 
// ... 
} 

Configuration

When the Origin or Referer HTTP header is present but doesn't match the requested URL, this listener will by default throw an HTTP error (400 BAD REQUEST) and abort the request. You can change this specific action with #setConflictingOriginAction(CsrfAction).

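A missing Origin and Referer HTTP header is handled as if it were a bad request and rejected. You can set the no-origin action to a different value with #setNoOriginAction(CsrfAction), suppressing or allowing the request when the HTTP headers are missing. Note that when the action is set to allow, a request that carries neither header passes without any origin comparison.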

When the Origin HTTP header is present and has the value null it is considered to be from a "privacy-sensitive" context and will trigger the no origin action. You can customize what happens in those actions by overriding the respective onXXXX methods.

When you want to accept certain cross-domain requests from a range of hosts, you can whitelist those hosts with #addAcceptedOrigin(String).

You can enable or disable this listener by overriding #isEnabled().

You can customize whether a particular page should be checked for CSRF requests by overriding #isChecked(IRequestablePage). For example, you can skip checking pages that have a @NoCsrfCheck annotation, or check only those pages that extend your base secure page class. For example:

 
@Override 
protected boolean isChecked(IRequestablePage requestedPage) 
{ 
// Opt-in model: only pages that are a SecurePage are checked. Action requests that target
// any other page skip the Origin/Referer comparison, so every page that changes state has
// to extend SecurePage for this override to protect it.
return requestedPage instanceof SecurePage; 
} 

You can also tweak the request handlers that are checked. The CSRF prevention request cycle listener checks only action handlers, not render handlers. Override #isChecked(IRequestHandler) to customize this behavior.

You can customize the default actions that are performed by overriding the event handlers for them:

  • #onWhitelisted(HttpServletRequest,String,IRequestablePage) when an origin was whitelisted
  • #onMatchingOrigin(HttpServletRequest,String,IRequestablePage) when an origin was matching
  • #onAborted(HttpServletRequest,String,IRequestablePage) when an origin was in conflict and the request should be aborted
  • #onAllowed(HttpServletRequest,String,IRequestablePage) when an origin was in conflict and the request should be allowed
  • #onSuppressed(HttpServletRequest,String,IRequestablePage) when an origin was in conflict and the request should be suppressed

Most used methods

  • <init>
  • isChecked
    Override to limit whether the request to the specific page should be checked for a possible CSRF att
  • abortHandler
    Handles the case where an Origin HTTP header was not present or did not match the request origin, an
  • addAcceptedOrigin
    Adds an origin (host name/domain name) to the white list. An origin is in the form of .<
  • allowHandler
    Handles the case where an Origin HTTP header was not present or did not match the request origin, an
  • checkRequest
    Performs the check of the Origin or Referer header that is targeted at the page.
  • getSourceUri
    Resolves the source URI from the request headers ( Origin or Referer).
  • getTargetUriFromRequest
    Creates a RFC-6454 comparable URI from the request requested resource.
  • isEnabled
    Dynamic override for enabling/disabling the CSRF detection. Might be handy for specific tenants in a
  • isLocalOrigin
    Checks whether the Origin HTTP header of the request matches where the request came from.
  • isWhitelistedHost
    Checks whether the domain part of the sourceUri (Origin or Referer header) is whitelisted.
  • matchingOrigin
    Handles the case where an origin was checked and matched the request origin. Default action is to al
  • isWhitelistedHost,
  • matchingOrigin,
  • normalizeUri,
  • onAborted,
  • onAllowed,
  • onMatchingOrigin,
  • onSuppressed,
  • onWhitelisted,
  • setConflictingOriginAction,
  • setErrorCode
