Thursday, 30 June 2011

Tapestry 5.3.0 + Chenillekit + Jumpstart

In order to test my CSRF protection I want to use Jumpstart as a test case. This requires updating Chenillekit and Jumpstart to work with Apache Tapestry 5.3.0.

Chenillekit update:
The required modifications in the source code are quite easy. I was able to make a compatible build and deployed it to my Google Summer of Code Maven repository. This is just an interim solution until an official Chenillekit update has happened.

Jumpstart update:
  • Libraries: The Tapestry and Chenillekit libraries in web/src/main/lib-compile and web/src/main/lib-runtime have to be updated.
  • Code: The contributeValidateMessagesSource method in AppModule has to be renamed to contributeComponentMessagesSource.
That's it.

Update:
[TAP5-1440] - Remove "validateForm" event triggered by Form component (replaced with "validate" event) --> the onValidateForm event handler method needs to be renamed accordingly!

Sunday, 5 June 2011

Protecting AJAX requests

So far, inserting an Anti-CSRF token works for every type of component. The token check can be enabled either with the @Protected annotation on a page or on an event handler method. A problem with the redirect-after-post approach is that the GET request following a form POST cannot be enhanced with an Anti-CSRF token. I will try to solve this problem later; the next task is to protect Ajax-based requests.

Saturday, 4 June 2011

Fine grained protection mechanism

I changed the design of the fine-grained protection mechanism. The insertCSRFToken method and its logic are moved into the components by using AOP techniques. A class transformation inserts component-specific insertCSRFToken methods into the internal Tapestry components, each tailored to that component's markup. Additionally, a generic XPath-based insertCSRFToken can be used for any other kind of component. The mixin itself is then quite simple and just calls the insertCSRFToken method. To make this possible, all modified components implement the CSRFProtectable interface.

The demonstration app now also contains a BeanEditForm, which introduces some new problems. The @Protected annotation also needs to work at page level, because for components used in templates it is not possible to annotate the event handler.
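To make the two building blocks described in the posts above concrete (the CSRFProtectable components that emit a token, and the check behind @Protected that later verifies it, including the Ajax case where the token travels in a request header instead of the body), here is an added plain-Java sketch of the synchronizer-token pattern. It is not the project's code and deliberately uses no Tapestry API: the Session stand-in, the parameter name t:csrf, the header name X-CSRF-Token, and the FormComponent/LinkComponent classes are all assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example: a framework-free synchronizer-token sketch (not the project's code). */
public final class CsrfTokenDemo {

    static final String TOKEN_PARAM = "t:csrf";        // assumed form/query parameter name
    static final String TOKEN_HEADER = "X-CSRF-Token";  // assumed header name for Ajax requests
    static final String SESSION_KEY = "csrfToken";

    /** Stand-in for the per-user HTTP session: just an attribute map. */
    static final class Session {
        final Map<String, Object> attrs = new HashMap<>();
    }

    /** Mirrors the page's CSRFProtectable idea: a component knows how to embed the token in its own markup. */
    interface CsrfProtectable {
        String insertCsrfToken(String markup, String token);
    }

    /** Form variant: append a hidden field just before the closing form tag. */
    static final class FormComponent implements CsrfProtectable {
        public String insertCsrfToken(String markup, String token) {
            String field = "<input type=\"hidden\" name=\"" + TOKEN_PARAM + "\" value=\"" + token + "\"/>";
            int end = markup.lastIndexOf("</form>");
            return end < 0 ? markup : markup.substring(0, end) + field + markup.substring(end);
        }
    }

    /** Link variant: add the token as a query parameter, respecting an existing query string. */
    static final class LinkComponent implements CsrfProtectable {
        public String insertCsrfToken(String href, String token) {
            String sep = href.contains("?") ? "&" : "?";
            return href + sep + TOKEN_PARAM + "=" + token;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();

    /** One unpredictable token per session, created lazily and reused for the session's lifetime. */
    static String tokenFor(Session session) {
        String token = (String) session.attrs.get(SESSION_KEY);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.attrs.put(SESSION_KEY, token);
        }
        return token;
    }

    /** The check behind a @Protected handler: submitted token must match the session's, compared in constant time. */
    static boolean isValidToken(Session session, String submitted) {
        String expected = (String) session.attrs.get(SESSION_KEY);
        if (expected == null || submitted == null) {
            return false;  // no token issued yet, or none sent: reject rather than trust the request
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Ajax requests carry the token in a header (no form body to enhance); normal requests use the parameter. */
    static boolean isValidRequest(Session session, boolean ajax,
                                  Map<String, String> params, Map<String, String> headers) {
        String submitted = ajax ? headers.get(TOKEN_HEADER) : params.get(TOKEN_PARAM);
        return isValidToken(session, submitted);
    }

    public static void main(String[] args) {
        Session session = new Session();
        String token = tokenFor(session);

        String form = new FormComponent().insertCsrfToken("<form action=\"/save\"></form>", token);
        String link = new LinkComponent().insertCsrfToken("/delete?id=7", token);
        System.out.println(form);
        System.out.println(link);

        Map<String, String> goodParams = new HashMap<>();
        goodParams.put(TOKEN_PARAM, token);
        Map<String, String> goodHeaders = new HashMap<>();
        goodHeaders.put(TOKEN_HEADER, token);
        Map<String, String> none = new HashMap<>();

        System.out.println("form POST with token:    " + isValidRequest(session, false, goodParams, none));
        System.out.println("form POST without token: " + isValidRequest(session, false, none, none));
        System.out.println("Ajax with header:        " + isValidRequest(session, true, none, goodHeaders));
        System.out.println("Ajax token in body only: " + isValidRequest(session, true, goodParams, none));
    }
}
```

Two design points carry over to any real integration: the token is bound to the session and never derived from anything an attacker's page can read, and the comparison uses MessageDigest.isEqual so a mismatch does not leak timing information about how many leading bytes were right. For Ajax the header route is what makes the redirect-after-post gap irrelevant for those requests, since the client script, not the rendered form, supplies the token.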