Kari Sarsila
Reputation: 252
Apache Wicket 9.1 CSRF
I'm trying to understand the Apache Wicket 9.1 documentation what comes to CSRF protection. https://ci.apache.org/projects/wicket/guide/9.x/single.html#_csrf_protection
I'm not totally sure if the CSRF protection is enabled by default for actions? Or, does that require that I will introduce a ResourceIsolationRequestCycleLister in my WicketApplication and only after that the actions are CSRF protected?
@Override
protected void init() {
super.init();
getRequestCycleListeners().add(new ResourceIsolationRequestCycleListener());
// ...
}
Upvotes: 2
Views: 845
Answers (1)
Andrea Del Bene
Reputation: 2511
the later part is true, i.e. only after introducing ResourceIsolationRequestCycleLister in your application the actions are CSRF protected while page request are not checked.
Upvotes: 3
Related Questions
- apache wicket 9 authentication 2 example issue
- Wicket + websocket page not refreshing because CSRF attack
- Apache Wicket 9.1 CSRF enabled, FormTester submits blocked by resource isolation policy
- Apache reverse proxy and Wicket CsrfPreventionRequestCycleListener
- Apache Wicket - Forms
- Add CSRF protection header to wicket ajax call
- Apache wicket validation
- Wicket form ajax
- Apache Wicket and Ajax PUSH
- Wicket security against forged requests