antalk / Tapestry-Spring-Security

A Tapestry 5.3.x spring based security library

tapestry-csrf-protection with Tapestry-Spring-Security #12

Open tnodev opened 10 years ago

tnodev commented 10 years ago

Hello, did you try to use tapestry-csrf-protection with Tapestry-Spring-Security?

Cheers, Thomas

antalk commented 10 years ago

Hi,

No, I haven't. Can't say if it will work out of the box.

tnodev commented 10 years ago

Hi,

It doesn't work out of the box.

It's OK for all Tapestry forms (using t:form), but it is not working with a simple form such as the login form used by tapestry-spring-security.

There is a component to include a hidden input with the CSRF value:

<input t:type="csrf/hidden"/>   

But I can't check the value in the spring-security filters.

The trace:

java.lang.NullPointerException: Unable to delegate method invocation to property 'request' of <Proxy for RequestGlobals(org.apache.tapestry5.services.RequestGlobals)>, because the property is null.
    at $Request_1ce08361bf2a.readProperty(Unknown Source)
    at $Request_1ce08361bf2a.getSession(Unknown Source)
    at $Request_1ce08361bee0.getSession(Unknown Source)
    at org.apache.tapestry5.internal.services.SessionApplicationStatePersistenceStrategy.exists(SessionApplicationStatePersistenceStrategy.java:80)
    at $ApplicationStatePersistenceStrategy_1ce08361c07b.exists(Unknown Source)
    at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl$ApplicationStateAdapter.exists(ApplicationStateManagerImpl.java:60)
    at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl.getIfExists(ApplicationStateManagerImpl.java:140)
    at $ApplicationStateManager_1ce08361bf33.getIfExists(Unknown Source)
    at org.apache.tapestry5.csrfprotection.internal.SessionCsrfTokenRepository.loadToken(SessionCsrfTokenRepository.java:39)
    at $CsrfTokenRepository_1ce08361c079.loadToken(Unknown Source)
    at $CsrfTokenRepository_1ce08361beff.loadToken(Unknown Source)
    at org.atlog.mjweb.services.user.GemwebCsrfAuthenticationProcessingFilter.checkToken(GemwebCsrfAuthenticationProcessingFilter.java:40)
    at org.atlog.mjweb.services.user.GemwebCsrfAuthenticationProcessingFilter.attemptAuthentication(GemwebCsrfAuthenticationProcessingFilter.java:35)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
    at nu.localhost.tapestry5.springsecurity.services.internal.HttpServletRequestFilterWrapper.service(HttpServletRequestFilterWrapper.java:52)
...
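
The trace above fails inside Tapestry's `RequestGlobals` proxy when the token is loaded from a Spring Security filter. The following is an added example, not code from this thread or from either library: a servlet filter that checks a login-form CSRF token using only the Servlet API, so it needs no Tapestry per-request service. The session attribute name, parameter name and login path are assumptions and must match wherever your application stores and submits the token.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

/** Rejects login POSTs whose CSRF token does not match the one held in the HTTP session. */
public class LoginCsrfFilter implements Filter {
    // Hypothetical names (assumptions, not taken from either library).
    static final String SESSION_ATTR = "example.csrfToken";
    static final String PARAM = "csrfToken";
    static final String LOGIN_PATH = "/j_spring_security_check";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if ("POST".equals(req.getMethod()) && LOGIN_PATH.equals(pathOf(req))) {
            // getSession(false): never create a session just to validate a token.
            HttpSession session = req.getSession(false);
            Object expected = session == null ? null : session.getAttribute(SESSION_ATTR);
            if (!matches(expected, req.getParameter(PARAM))) {
                // Fail closed: no session, no stored token or a mismatch all end here.
                res.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
                return;
            }
        }
        chain.doFilter(rq, rs);
    }

    /** Request path without the context path or a ";jsessionid=..." path parameter. */
    static String pathOf(HttpServletRequest req) {
        String path = req.getRequestURI().substring(req.getContextPath().length());
        int semi = path.indexOf(';');
        return semi < 0 ? path : path.substring(0, semi);
    }

    /** Comparison via MessageDigest.isEqual; null or non-String values never match. */
    static boolean matches(Object expected, String supplied) {
        if (!(expected instanceof String) || supplied == null) return false;
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```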