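/**
 * Checks the cross site request forgery token (as posted hidden field) against the token held in the session and
 * throws an exception if it doesn't match.
 * <p>
 * Hardening compared with a plain {@code StringUtils.equals}:
 * <ul>
 * <li>the comparison runs in constant time for tokens of equal length, so response timing does not reveal how many
 * leading characters of the posted token were correct;</li>
 * <li>a missing token on either side is treated as a mismatch (fail closed) instead of two {@code null}s comparing
 * equal;</li>
 * <li>the token values are not written to the log — the session token is a secret and must not leak into log
 * files; only the lengths are reported for diagnosis.</li>
 * </ul>
 *
 * @throws InternalErrorException ("errorpage.csrfError") if the posted token is missing or differs from the session
 *             token
 * @see org.apache.wicket.markup.html.form.Form#onSubmit()
 */
public void onSubmit() {
    final String sessionCsrfToken = getCsrfSessionToken();
    if (!tokensMatch(sessionCsrfToken, csrfToken)) {
        // Deliberately log lengths only, never the token values.
        log.error("Cross site request forgery alert. csrf token doesn't match! session csrf token length="
                + (sessionCsrfToken == null ? -1 : sessionCsrfToken.length()) + ", posted csrf token length="
                + (csrfToken == null ? -1 : csrfToken.length()));
        throw new InternalErrorException("errorpage.csrfError");
    }
}

/**
 * Null-safe token comparison that does not short-circuit on the first differing character.
 * <p>
 * Returns {@code false} if either token is {@code null} or the lengths differ (the length is not secret). Otherwise
 * every character is XOR-folded into an accumulator so the running time is independent of where the first
 * difference lies. {@code java.security.MessageDigest#isEqual(byte[], byte[])} would be the library equivalent but
 * requires a charset conversion and a sufficiently recent JDK; this loop has no such dependency.
 *
 * @param expected the token held in the session
 * @param actual the token posted with the form
 * @return {@code true} only if both are non-null and character-wise identical
 */
private static boolean tokensMatch(final String expected, final String actual) {
    if (expected == null || actual == null || expected.length() != actual.length()) {
        return false;
    }
    int diff = 0;
    for (int i = 0; i < expected.length(); i++) {
        diff |= expected.charAt(i) ^ actual.charAt(i);
    }
    return diff == 0;
}
}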
/**
 * Wires CSRF protection into the given form.
 * <p>
 * Captures the current session CSRF token into the {@code csrfToken} field and adds a hidden form component named
 * {@code "csrfToken"} whose value is bound (via {@link PropertyModel}) to that field, so the token is rendered into
 * the form and read back from the same field on submit. The form markup must therefore contain a hidden field with
 * the wicket id {@code csrfToken}.
 *
 * @param form the form that should carry the hidden CSRF token field
 */
public CsrfTokenHandler(final Form<?> form) {
    final String sessionToken = getCsrfSessionToken();
    this.csrfToken = sessionToken;
    final PropertyModel<String> tokenModel = new PropertyModel<String>(this, "csrfToken");
    final HiddenField<String> hiddenTokenField = new HiddenField<String>("csrfToken", tokenModel);
    form.add(hiddenTokenField);
}