Open tnodev opened 10 years ago
Hi,
No, I haven't. Can't say if it will work out of the box.
Hi,
It doesn't work out of the box.
It's OK for all Tapestry forms (using t:form), but it's not working with a simple form such as the login form used by tapestry-spring-security.
There is a component to include a hidden input with the CSRF value:
<input t:type="csrf/hidden"/>
But I can't check the value in the spring-security filters.
The trace:
java.lang.NullPointerException: Unable to delegate method invocation to property 'request' of <Proxy for RequestGlobals(org.apache.tapestry5.services.RequestGlobals)>, because the property is null.
at $Request_1ce08361bf2a.readProperty(Unknown Source)
at $Request_1ce08361bf2a.getSession(Unknown Source)
at $Request_1ce08361bee0.getSession(Unknown Source)
at org.apache.tapestry5.internal.services.SessionApplicationStatePersistenceStrategy.exists(SessionApplicationStatePersistenceStrategy.java:80)
at $ApplicationStatePersistenceStrategy_1ce08361c07b.exists(Unknown Source)
at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl$ApplicationStateAdapter.exists(ApplicationStateManagerImpl.java:60)
at org.apache.tapestry5.internal.services.ApplicationStateManagerImpl.getIfExists(ApplicationStateManagerImpl.java:140)
at $ApplicationStateManager_1ce08361bf33.getIfExists(Unknown Source)
at org.apache.tapestry5.csrfprotection.internal.SessionCsrfTokenRepository.loadToken(SessionCsrfTokenRepository.java:39)
at $CsrfTokenRepository_1ce08361c079.loadToken(Unknown Source)
at $CsrfTokenRepository_1ce08361beff.loadToken(Unknown Source)
at org.atlog.mjweb.services.user.GemwebCsrfAuthenticationProcessingFilter.checkToken(GemwebCsrfAuthenticationProcessingFilter.java:40)
at org.atlog.mjweb.services.user.GemwebCsrfAuthenticationProcessingFilter.attemptAuthentication(GemwebCsrfAuthenticationProcessingFilter.java:35)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
at nu.localhost.tapestry5.springsecurity.services.internal.HttpServletRequestFilterWrapper.service(HttpServletRequestFilterWrapper.java:52)
...
Hello, did you try to use tapestry-csrf-protection with Tapestry-Spring-Security?
Cheers, Thomas