org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener java code examples

Add the Codota plugin to your IDE and get smart completions

private void myMethod () {
 Gson g =new Gson()
GsonBuilder gsonBuilder;gsonBuilder.create()
new GsonBuilder().create()
Smart code suggestions by Tabnine
}

  @Override
  protected boolean isChecked(IRequestHandler handler)
  {
    if (handler instanceof WebSocketRequestHandler || handler instanceof WebSocketMessageBroadcastHandler) {
      return false;
    }
    return super.isChecked(handler);
  }
}

      allowHandler(request, sourceUri, page);
      break;
    case SUPPRESS :
      suppressHandler(request, sourceUri, page);
      break;
    case ABORT :
      abortHandler(request, sourceUri, page);
      break;
if (isWhitelistedHost(sourceUri))
  whitelistedHandler(request, sourceUri, page);
  return;
if (!isLocalOrigin(request, sourceUri))
      allowHandler(request, sourceUri, page);
      break;
    case SUPPRESS :
      suppressHandler(request, sourceUri, page);
      break;
    case ABORT :
      abortHandler(request, sourceUri, page);
      break;
  matchingOrigin(request, sourceUri, page);

/**
 * Checks whether the {@code Origin} HTTP header of the request matches where the request came
 * from.
 *
 * @param containerRequest
 *            the current container request
 * @param originHeader
 *            the contents of the {@code Origin} HTTP header
 * @return {@code true} when the origin of the request matches the {@code Origin} HTTP header
 */
protected boolean isLocalOrigin(HttpServletRequest containerRequest, String originHeader)
{
  // Make comparable strings from Origin and Location
  String origin = normalizeUri(originHeader);
  if (origin == null)
    return false;
  String request = getTargetUriFromRequest(containerRequest);
  if (request == null)
    return false;
  return origin.equalsIgnoreCase(request);
}

@Override
public void init(WebApplication webApplication) {
  CsrfPreventionRequestCycleListener listener = new CsrfPreventionRequestCycleListener();
  listener.setConflictingOriginAction(props.getConflictingOriginAction());
  listener.setErrorCode(props.getErrorCode());
  listener.setErrorMessage(props.getErrorMessage());
  listener.setNoOriginAction(props.getNoOriginAction());
  for (String acceptedOrigin : props.getAcceptedOrigins()) {
    listener.addAcceptedOrigin(acceptedOrigin);
  }
  webApplication.getRequestCycleListeners().add(listener);
  
  wicketEndpointRepository.add(new WicketAutoConfig.Builder(this.getClass())
      .withDetail("properties", props)
      .build());
}

@Override
public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
  if (!isEnabled())
  handler = unwrap(handler);
  if (isChecked(handler))
    HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
      .getContainerRequest();
    String sourceUri = getSourceUri(containerRequest);
    if (isChecked(targetedPage))
      checkRequest(containerRequest, sourceUri, targetedPage);
            targetedPage.getClass().getName());
      allowHandler(containerRequest, sourceUri, targetedPage);

getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener());

@Override
public void onBeginRequest(RequestCycle cycle)
{
  if (log.isDebugEnabled())
  {
    HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
      .getContainerRequest();
    log.debug("Request Source URI: {}", getSourceUri(containerRequest));
  }
}

@Override
public void init(WebApplication webApplication) {
  CsrfPreventionRequestCycleListener listener = new CsrfPreventionRequestCycleListener();
  listener.setConflictingOriginAction(props.getConflictingOriginAction());
  listener.setErrorCode(props.getErrorCode());
  listener.setErrorMessage(props.getErrorMessage());
  listener.setNoOriginAction(props.getNoOriginAction());
  for (String acceptedOrigin : props.getAcceptedOrigins()) {
    listener.addAcceptedOrigin(acceptedOrigin);
  }
  webApplication.getRequestCycleListeners().add(listener);
  
  wicketEndpointRepository.add(new WicketAutoConfig.Builder(this.getClass())
      .withDetail("properties", props)
      .build());
}

@Override
public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler)
  if (!isEnabled())
  handler = unwrap(handler);
  if (isChecked(handler))
    HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
      .getContainerRequest();
    String sourceUri = getSourceUri(containerRequest);
    if (isChecked(targetedPage))
      checkRequest(containerRequest, sourceUri, targetedPage);
            targetedPage.getClass().getName());
      allowHandler(containerRequest, sourceUri, targetedPage);

@Override
public void onBeginRequest(RequestCycle cycle)
{
  if (log.isDebugEnabled())
  {
    HttpServletRequest containerRequest = (HttpServletRequest)cycle.getRequest()
      .getContainerRequest();
    log.debug("Request Source URI: {}", getSourceUri(containerRequest));
  }
}

      allowHandler(request, sourceUri, page);
      break;
    case SUPPRESS :
      suppressHandler(request, sourceUri, page);
      break;
    case ABORT :
      abortHandler(request, sourceUri, page);
      break;
if (isWhitelistedHost(sourceUri))
  whitelistedHandler(request, sourceUri, page);
  return;
if (!isLocalOrigin(request, sourceUri))
      allowHandler(request, sourceUri, page);
      break;
    case SUPPRESS :
      suppressHandler(request, sourceUri, page);
      break;
    case ABORT :
      abortHandler(request, sourceUri, page);
      break;
  matchingOrigin(request, sourceUri, page);

  @Override
  protected boolean isChecked(IRequestHandler handler)
  {
    if (handler instanceof WebSocketRequestHandler || handler instanceof WebSocketMessageBroadcastHandler) {
      return false;
    }
    return super.isChecked(handler);
  }
}

/**
 * Checks whether the {@code Origin} HTTP header of the request matches where the request came
 * from.
 *
 * @param containerRequest
 *            the current container request
 * @param originHeader
 *            the contents of the {@code Origin} HTTP header
 * @return {@code true} when the origin of the request matches the {@code Origin} HTTP header
 */
protected boolean isLocalOrigin(HttpServletRequest containerRequest, String originHeader)
{
  // Make comparable strings from Origin and Location
  String origin = normalizeUri(originHeader);
  if (origin == null)
    return false;
  String request = getTargetUriFromRequest(containerRequest);
  if (request == null)
    return false;
  return origin.equalsIgnoreCase(request);
}

Javadoc

Prevents CSRF attacks on Wicket components by checking the Origin and RefererHTTP headers for cross domain requests. By default only checks requests that try to perform an action on a component, such as a form submit, or link click.

Installation

You can enable this CSRF prevention filter by adding it to the request cycle listeners in your WebApplication#init():

 
@Override 
protected void init() 
{ 
// ... 
getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener()); 
// ... 
}

Configuration

When the Origin or Referer HTTP header is present but doesn't match the requested URL this listener will by default throw a HTTP error ( 400 BAD REQUEST) and abort the request. You can #setConflictingOriginAction(CsrfAction) this specific action.

A missing Origin and Referer HTTP header is handled as if it were a bad request and rejected. You can #setNoOriginAction(CsrfAction) to a different value, suppressing or allowing the request when the HTTP headers are missing.

When the Origin HTTP header is present and has the value null it is considered to be from a "privacy-sensitive" context and will trigger the no origin action. You can customize what happens in those actions by overriding the respective onXXXX methods.

When you want to accept certain cross domain request from a range of hosts, you can #addAcceptedOrigin(String).

You can #isEnabled() this listener by overriding #isEnabled().

You can #isChecked(IRequestablePage) whether a particular page should be checked for CSRF requests. For example you can skip checking pages that have a @NoCsrfCheck annotation, or only those pages that extend your base secure page class. For example:

 
@Override 
protected boolean isChecked(IRequestablePage requestedPage) 
{ 
return requestedPage instanceof SecurePage; 
}

You can also tweak the request handlers that are checked. The CSRF prevention request cycle listener checks only action handlers, not render handlers. Override #isChecked(IRequestHandler) to customize this behavior.

You can customize the default actions that are performed by overriding the event handlers for them:

#onWhitelisted(HttpServletRequest,String,IRequestablePage) when an origin was whitelisted
#onMatchingOrigin(HttpServletRequest,String,IRequestablePage) when an origin was matching
#onAborted(HttpServletRequest,String,IRequestablePage) when an origin was in conflict and the request should be aborted
#onAllowed(HttpServletRequest,String,IRequestablePage) when an origin was in conflict and the request should be allowed
#onSuppressed(HttpServletRequest,String,IRequestablePage) when an origin was in conflict and the request should be suppressed

Most used methods

<init>
isChecked
Override to limit whether the request to the specific page should be checked for a possible CSRF att
abortHandler
Handles the case where an Origin HTTP header was not present or did not match the request origin, an
addAcceptedOrigin
Adds an origin (host name/domain name) to the white list. An origin is in the form of .<
allowHandler
Handles the case where an Origin HTTP header was not present or did not match the request origin, an
checkRequest
Performs the check of the Origin or Referer header that is targeted at the page.
getSourceUri
Resolves the source URI from the request headers ( Origin or Referer).
getTargetUriFromRequest
Creates a RFC-6454 comparable URI from the request requested resource.
isEnabled
Dynamic override for enabling/disabling the CSRF detection. Might be handy for specific tenants in a
isLocalOrigin
Checks whether the Origin HTTP header of the request matches where the request came from.
isWhitelistedHost
Checks whether the domain part of the sourceUri ( Origin or Refererheader) is whitelisted.
matchingOrigin
Handles the case where an origin was checked and matched the request origin. Default action is to al

Popular in Java

Finding current android device location
onCreateOptionsMenu (Activity)
notifyDataSetChanged (ArrayAdapter)
onRequestPermissionsResult (Fragment)
Map (java.util)
A Map is a data structure consisting of a set of keys and values in which each key is mapped to a si
PriorityQueue (java.util)
A PriorityQueue holds elements on a priority heap, which orders the elements according to their natu
ReentrantLock (java.util.concurrent.locks)
A reentrant mutual exclusion Lock with the same basic behavior and semantics as the implicit monitor
Collectors (java.util.stream)
Options (org.apache.commons.cli)
Main entry-point into the library. Options represents a collection of Option objects, which describ
Base64 (org.apache.commons.codec.binary)
Provides Base64 encoding and decoding as defined by RFC 2045.This class implements section 6.8. Base
PhpStorm for WordPress

How to useCsrfPreventionRequestCycleListener in org.apache.wicket.protocol.http

Best Java code snippets using org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener (Showing top 13 results out of 315)

How to use
CsrfPreventionRequestCycleListener
in
org.apache.wicket.protocol.http