Hi Sokun,

Good specs :)
How come you apply the attribute to the Controller?
I thought you would apply the attribute to the individual Actions, at least 
that is what MS has done in ASP.MVC.

My thoughts on this, try to copy as much from the MS implementation as 
possible (no point reinventing the wheel).

${XssHiddenField} should be a helper, e.g. $FormHelper.ForgeryToken()

Cheers
John





________________________________
From: c.sokun <[email protected]>
To: Castle Project Development List <[email protected]>
Sent: Sun, 30 May, 2010 1:31:46 AM
Subject: Implementing AntiForgeryValidatorFilter

I am currently working on AntiForgeryValidatorFilter for MonoRail but
before I start coding I want to have your feedback on the usage and
implementation direction.

Usage:
1. At the server side code

[AntiForgeryValidatorFilter()]
public class HomeController: SmartDispatcherController {
   public void Index(){

   }
}

2. View Template
<form method="POST" action="....">
${XssHiddenField}
</form>

Implementation:

- The Filter only works for POST
- The Filter will automatically setup AntiForgery Cookie if it doesn't
exist (in encrypted form)
- The Filter will regenerate & store a new token value in the Cookie after a
successful POST. (not sure if this is practical?)
- The Filter will create and store two string values in the PropertyBag,
   a, XssHiddenField // <input type='hidden' value='tokenString' />
   b, XssTokenString // raw token string which is useful for crafting
$.ajax $.post etc
- more configuration features

I think the usage is quite simple and easily integrates into an existing
app; now the challenge is
- The Filter will automatically setup AntiForgery Cookie if it doesn't
exist (in encrypted form)
- The Filter will regenerate & store a new token value in the Cookie after a
successful POST. (not sure if this is practical?)
am I going into the right direction?

Thanks,
Sokun

-- 
You received this message because you are subscribed to the Google Groups 
"Castle Project Development List" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/castle-project-devel?hl=en.
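The cookie-plus-hidden-field scheme Sokun describes above (filter only on POST, cookie set up on first visit, token rotated after a successful POST, a raw token string available for AJAX), as an added framework-independent example that is not MonoRail code and not from the thread. It assumes cookie and field names of its own, and uses an HMAC over the cookie value in place of the "encrypted form" in the proposal, so a tampered or forged cookie is rejected.

```python
# Added example: double-submit anti-forgery token check (not MonoRail code).
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key-keep-secret"  # assumption: per-app secret, server-side only
COOKIE = "__antiforgery"      # assumed cookie name
FIELD = "__antiforgery_token"  # assumed hidden-field / form parameter name


def new_token() -> str:
    return secrets.token_hex(16)


def protect_cookie(token: str) -> str:
    """Cookie value = token + HMAC tag so the client cannot mint its own cookie."""
    tag = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{tag}"


def unprotect_cookie(cookie: str):
    """Return the token if the cookie's tag verifies, otherwise None."""
    token, _, tag = cookie.partition(".")
    expected = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    return token if tag and hmac.compare_digest(tag, expected) else None


def render_form(cookies: dict):
    """GET side: set up the cookie if missing; return (set_cookie, hidden_field, raw_token).
    raw_token is what the proposal calls XssTokenString, for $.ajax / $.post callers."""
    token = unprotect_cookie(cookies.get(COOKIE, ""))
    set_cookie = None
    if token is None:
        token = new_token()
        set_cookie = protect_cookie(token)
    hidden = f'<input type="hidden" name="{FIELD}" value="{token}" />'
    return set_cookie, hidden, token


def validate(method: str, cookies: dict, form: dict):
    """Filter side: returns (allowed, replacement_cookie). Only POST is checked."""
    if method != "POST":
        return True, None
    cookie_token = unprotect_cookie(cookies.get(COOKIE, ""))
    form_token = form.get(FIELD, "")
    if cookie_token is None or not hmac.compare_digest(cookie_token, form_token):
        return False, None  # missing, forged or mismatched token: reject the POST
    # Successful POST: rotate the token so a captured value cannot be replayed.
    return True, protect_cookie(new_token())
```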