From 9920fa5718fa3b99e65a100954260d5b4963e395 Mon Sep 17 00:00:00 2001
From: marcgiffing
Date: Mon, 11 Feb 2019 21:39:21 +0100
Subject: [PATCH] #56 problem with websocket and csrf prevention
---
 .../src/main/resources/application.yml | 3 +
 .../csrf/CsrfAttacksPreventionConfig.java | 117 +++++++++---------
 2 files changed, 62 insertions(+), 58 deletions(-)
diff --git a/wicket-spring-boot-starter-example/src/main/resources/application.yml b/wicket-spring-boot-starter-example/src/main/resources/application.yml
index cc18adf7..5c461724 100644
--- a/wicket-spring-boot-starter-example/src/main/resources/application.yml
+++ b/wicket-spring-boot-starter-example/src/main/resources/application.yml
@@ -8,6 +8,9 @@ wicket:
 packageresourceguard:
 pattern:
 - +*.map
+ csrf:
+ accepted-origins:
+ - localhost
 management:
 endpoints:
 web:
diff --git a/wicket-spring-boot-starter/src/main/java/com/giffing/wicket/spring/boot/starter/configuration/extensions/core/csrf/CsrfAttacksPreventionConfig.java b/wicket-spring-boot-starter/src/main/java/com/giffing/wicket/spring/boot/starter/configuration/extensions/core/csrf/CsrfAttacksPreventionConfig.java
index 387719ca..42aa4f51 100644
--- a/wicket-spring-boot-starter/src/main/java/com/giffing/wicket/spring/boot/starter/configuration/extensions/core/csrf/CsrfAttacksPreventionConfig.java
+++ b/wicket-spring-boot-starter/src/main/java/com/giffing/wicket/spring/boot/starter/configuration/extensions/core/csrf/CsrfAttacksPreventionConfig.java
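Review bot: The example now whitelists `localhost` under `accepted-origins` without saying why, and every entry there widens which Origin hosts the CSRF listener lets through to page-changing requests (as far as I recall Wicket also accepts subdomains of an accepted entry), so a reader copying this block into a deployment weakens the protection without realising it. Add a YAML comment above the new entry, e.g. `# example/dev only: allows cross-origin (e.g. websocket) requests from localhost past the CSRF origin check`. It would also help to state in the starter's documentation that entries are host names rather than URLs.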
@@ -1,58 +1,59 @@
-package com.giffing.wicket.spring.boot.starter.configuration.extensions.core.csrf;
-
-import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
-import org.apache.wicket.protocol.http.WebApplication;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
-
-import com.giffing.wicket.spring.boot.context.extensions.ApplicationInitExtension;
-import com.giffing.wicket.spring.boot.context.extensions.WicketApplicationInitConfiguration;
-import com.giffing.wicket.spring.boot.context.extensions.boot.actuator.WicketAutoConfig;
-import com.giffing.wicket.spring.boot.context.extensions.boot.actuator.WicketEndpointRepository;
-
-
-/**
- * Enables CSRF protection if the following condition matches.
- *
- * 1. The {@link CsrfPreventionRequestCycleListener} class is in the classpath.
- *
- * 2. The property {@link CsrfAttacksPreventionProperties#PROPERTY_PREFIX}.enabled has to be true (default = true)
- *
- * The protection should be enabled by default cause the {@link CsrfPreventionRequestCycleListener} is located
- * in Wickets core project.
- *
- * @author Marc Giffing
- *
- */
-@ApplicationInitExtension
-@ConditionalOnProperty(prefix = CsrfAttacksPreventionProperties.PROPERTY_PREFIX, value = "enabled", matchIfMissing = true)
-@ConditionalOnClass(value = org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.class)
-@EnableConfigurationProperties({ CsrfAttacksPreventionProperties.class })
-public class CsrfAttacksPreventionConfig implements WicketApplicationInitConfiguration{
-
- @Autowired
- private CsrfAttacksPreventionProperties props;
-
- @Autowired
- private WicketEndpointRepository wicketEndpointRepository;
-
- @Override
- public void init(WebApplication webApplication) {
- CsrfPreventionRequestCycleListener listener = new CsrfPreventionRequestCycleListener();
- listener.setConflictingOriginAction(props.getConflictingOriginAction());
- listener.setErrorCode(props.getErrorCode());
- listener.setErrorMessage(props.getErrorMessage());
- listener.setNoOriginAction(props.getNoOriginAction());
- for (String acceptedOrigin : props.getAcceptedOrigins()) {
- listener.addAcceptedOrigin(acceptedOrigin);
- }
- webApplication.getRequestCycleListeners().add(listener);
-
- wicketEndpointRepository.add(new WicketAutoConfig.Builder(this.getClass())
- .withDetail("properties", props)
- .build());
- }
-
-}
+package com.giffing.wicket.spring.boot.starter.configuration.extensions.core.csrf;
+
+import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
+import org.apache.wicket.protocol.http.WebApplication;
+import org.apache.wicket.protocol.ws.WebSocketAwareCsrfPreventionRequestCycleListener;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+
+import com.giffing.wicket.spring.boot.context.extensions.ApplicationInitExtension;
+import com.giffing.wicket.spring.boot.context.extensions.WicketApplicationInitConfiguration;
+import com.giffing.wicket.spring.boot.context.extensions.boot.actuator.WicketAutoConfig;
+import com.giffing.wicket.spring.boot.context.extensions.boot.actuator.WicketEndpointRepository;
+
+
+/**
+ * Enables CSRF protection if the following condition matches.
+ *
+ * 1. The {@link CsrfPreventionRequestCycleListener} class is in the classpath.
+ *
+ * 2. The property {@link CsrfAttacksPreventionProperties#PROPERTY_PREFIX}.enabled has to be true (default = true)
+ *
+ * The protection should be enabled by default cause the {@link CsrfPreventionRequestCycleListener} is located
+ * in Wickets core project.
+ *
+ * @author Marc Giffing
+ *
+ */
+@ApplicationInitExtension
+@ConditionalOnProperty(prefix = CsrfAttacksPreventionProperties.PROPERTY_PREFIX, value = "enabled", matchIfMissing = true)
+@ConditionalOnClass(value = WebSocketAwareCsrfPreventionRequestCycleListener.class)
+@EnableConfigurationProperties({ CsrfAttacksPreventionProperties.class })
+public class CsrfAttacksPreventionConfig implements WicketApplicationInitConfiguration{
+
+ @Autowired
+ private CsrfAttacksPreventionProperties props;
+
+ @Autowired
+ private WicketEndpointRepository wicketEndpointRepository;
+
+ @Override
+ public void init(WebApplication webApplication) {
+ WebSocketAwareCsrfPreventionRequestCycleListener listener = new WebSocketAwareCsrfPreventionRequestCycleListener();
+ listener.setConflictingOriginAction(props.getConflictingOriginAction());
+ listener.setErrorCode(props.getErrorCode());
+ listener.setErrorMessage(props.getErrorMessage());
+ listener.setNoOriginAction(props.getNoOriginAction());
+ for (String acceptedOrigin : props.getAcceptedOrigins()) {
+ listener.addAcceptedOrigin(acceptedOrigin);
+ }
+ webApplication.getRequestCycleListeners().add(listener);
+
+ wicketEndpointRepository.add(new WicketAutoConfig.Builder(this.getClass())
+ .withDetail("properties", props)
+ .build());
+ }
+
+}
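Review bot: The class-level `@ConditionalOnClass` now keys on `WebSocketAwareCsrfPreventionRequestCycleListener`, which lives in `org.apache.wicket.protocol.ws` (the native-websocket module) rather than in wicket-core, so an application that uses the starter without that module on its classpath silently loses CSRF prevention altogether instead of falling back to the plain listener — unless the starter itself depends on the websocket module, which I cannot see from this diff. The Javadoc kept on the new side still says the condition is `CsrfPreventionRequestCycleListener` being on the classpath and that protection is on by default because that class is in Wicket core, which no longer describes what the annotation checks. I would keep `@ConditionalOnClass(value = CsrfPreventionRequestCycleListener.class)` on this config and choose the websocket-aware listener only when its class is present (for instance a nested configuration guarded by `@ConditionalOnClass(WebSocketAwareCsrfPreventionRequestCycleListener.class)`, or a `ClassUtils.isPresent(...)` check in `init`), and in either case rewrite the Javadoc to name the class the condition actually checks and to say that the websocket-aware listener is used so that websocket requests are handled by the CSRF origin check, which is the problem this commit addresses.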