Hi Simon and Sokun,
> How come you apply the attribute to the Controller?
I think we are lacking action-level filters; they only work at
controller level at the moment in MonoRail.
> My thoughts on this, try to copy as much from the MS implementation as
> possible (no point reinventing the wheel).
+1, we should even try to leverage the classes that don't interact
directly with the abstract HttpContext or mvc internals, but
unfortunately System.Web.Mvc.AntiForgeryData is internal sealed :(
> ${XssHiddenField} should be a helper eg. $FormHelper.ForgeryToken()
+1, I would name it $FormHelper.ForgeryTokenField or
$FormHelper.ForgeryTokenHiddenField, unless it's just the token value,
to be more explicit.
On 30 May, 06:00, "c.sokun" <[email protected]> wrote:
> Thanks Simon,
>
> I will adapt the MS implementation in a few areas like generating and
> serializing the token string into a cookie.
> I also like this idea $FormHelper.ForgeryToken(), except that I would
> have to touch existing code, but I'll add it as an alternative option to
> ${XssHiddenField}.
>
> Will update you on the progress soon.
>
> Thanks,
> Sokun
>
> On May 30, 8:18 am, John Simons <[email protected]> wrote:
>
> > Hi Sokun,
>
> > Good specs :)
> > How come you apply the attribute to the Controller?
> > I thought you would apply the attribute to the individual Actions, at least
> > that is what MS has done in ASP.MVC.
>
> > My thoughts on this, try to copy as much from the MS implementation as
> > possible (no point reinventing the wheel).
>
> > ${XssHiddenField} should be a helper eg. $FormHelper.ForgeryToken()
>
> > Cheers
> > John
>
> > ________________________________
> > From: c.sokun <[email protected]>
> > To: Castle Project Development List <[email protected]>
> > Sent: Sun, 30 May, 2010 1:31:46 AM
> > Subject: Implementing AntiForgeryValidatorFilter
>
> > I am currently working on AntiForgeryValidatorFilter for MonoRail but
> > before I start coding I want to have your feedback on the usage and
> > implementation direction.
>
> > Usage:
> > 1. At the server side code
>
> > [AntiForgeryValidatorFilter]
> > public class HomeController : SmartDispatcherController
> > {
> >     public void Index()
> >     {
> >     }
> > }
>
> > 2. View Template
> > <form method="POST" action="....">
> > ${XssHiddenField}
> > </form>
>
> > Implementation:
>
> > - The Filter only works for POST
> > - The Filter will automatically set up the AntiForgery Cookie if it doesn't
> > exist (in encrypted form)
> > - The Filter will regenerate & store a new token value in the Cookie after
> > a successful POST. (not sure if this is practical?)
> > - The Filter will create and store two string values in the PropertyBag,
> > a, XssHiddenField // <input type='hidden' value='tokenString' />
> > b, XssTokenString // raw token string which is useful for crafting
> > $.ajax $.post etc
> > - more configuration features
>
> > I think the usage is quite simple and integrates easily into an existing
> > app; now the challenge is
> > - The Filter will automatically set up the AntiForgery Cookie if it doesn't
> > exist (in encrypted form)
> > - The Filter will regenerate & store a new token value in the Cookie after
> > a successful POST. (not sure if this is practical?)
> > Am I going in the right direction?
>
> > Thanks,
> > Sokun
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Castle Project Development List" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group
> > at http://groups.google.com/group/castle-project-devel?hl=en.
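The token scheme Sokun sketches above (a cookie the filter issues, a hidden field the view renders, a comparison that only runs for POST, optional rotation after a successful POST) is small enough to show end to end. The following is an added example written for this thread; it is not MonoRail's code, not Microsoft's AntiForgeryData, and not the AntiForgeryValidatorFilter being proposed. It has no dependency on MonoRail internals, so it compiles as a plain console program. The cookie and field names, the server key, and the `AntiForgeryToken` class itself are assumptions chosen for the example; a real filter would read the key from server configuration and plug the two checks into the request pipeline.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not MonoRail's code): a minimal synchronizer-token helper in
// the shape the thread discusses. The cookie carries a random salt protected by
// an HMAC under a server-side key; the form carries the same serialized value
// in a hidden field; a POST is accepted only when both parse and match.
public static class AntiForgeryToken
{
    // Assumption: in a real deployment this comes from server configuration.
    // Constructed here so the example runs stand-alone.
    private static readonly byte[] ServerKey =
        Encoding.UTF8.GetBytes("example-server-key-replace-in-production");

    // Hypothetical names; MonoRail would pick its own.
    public const string CookieName = "__MonoRailAntiForgery";
    public const string FieldName = "__MonoRailAntiForgeryField";

    // Issues a fresh random token and returns the value the filter stores in the cookie.
    public static string CreateCookieValue()
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return Serialize(salt);
    }

    // Cookie serialization: base64(salt) + "." + base64(HMAC-SHA256(salt)).
    // The MAC lets the filter reject cookies it never issued.
    private static string Serialize(byte[] salt)
    {
        using (var mac = new HMACSHA256(ServerKey))
        {
            byte[] tag = mac.ComputeHash(salt);
            return Convert.ToBase64String(salt) + "." + Convert.ToBase64String(tag);
        }
    }

    // Verifies the MAC and returns the salt, or null for a missing, corrupt or forged value.
    private static byte[] Parse(string value)
    {
        if (string.IsNullOrEmpty(value)) return null;
        string[] parts = value.Split('.');
        if (parts.Length != 2) return null;
        byte[] salt, tag;
        try
        {
            salt = Convert.FromBase64String(parts[0]);
            tag = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException)
        {
            return null;
        }
        using (var mac = new HMACSHA256(ServerKey))
        {
            byte[] expected = mac.ComputeHash(salt);
            return FixedTimeEquals(expected, tag) ? salt : null;
        }
    }

    // What the view helper (${XssHiddenField} / $FormHelper.ForgeryTokenField) would emit.
    public static string HiddenField(string cookieValue)
    {
        return "<input type=\"hidden\" name=\"" + FieldName + "\" value=\"" + cookieValue + "\" />";
    }

    // The filter's check: non-POST requests are not validated; for a POST the cookie
    // and the hidden field must both carry a valid MAC and the same salt.
    public static bool IsValidRequest(string httpMethod, string cookieValue, string fieldValue)
    {
        if (!string.Equals(httpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return true;
        byte[] fromCookie = Parse(cookieValue);
        byte[] fromField = Parse(fieldValue);
        if (fromCookie == null || fromField == null) return false;
        return FixedTimeEquals(fromCookie, fromField);
    }

    // Constant-time comparison so the check does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // First visit: the filter issues the cookie and the view renders the field.
        string cookie = AntiForgeryToken.CreateCookieValue();
        Console.WriteLine(AntiForgeryToken.HiddenField(cookie));

        // The form is posted back from the same browser with both values present.
        Console.WriteLine(AntiForgeryToken.IsValidRequest("POST", cookie, cookie));

        // A cross-site POST sends the victim's cookie but cannot read it to fill the field.
        Console.WriteLine(AntiForgeryToken.IsValidRequest("POST", cookie, null));
        Console.WriteLine(AntiForgeryToken.IsValidRequest("POST", cookie, AntiForgeryToken.CreateCookieValue()));

        // A tampered cookie fails the MAC check even when copied into the field.
        Console.WriteLine(AntiForgeryToken.IsValidRequest("POST", cookie + "x", cookie + "x"));

        // GET requests are not validated.
        Console.WriteLine(AntiForgeryToken.IsValidRequest("GET", null, null));

        // Rotation after a successful POST: a form rendered with the old token is now stale.
        string rotated = AntiForgeryToken.CreateCookieValue();
        Console.WriteLine(AntiForgeryToken.IsValidRequest("POST", rotated, cookie));
    }
}
```

The last call in `Main` is the practical cost of the "regenerate after successful POST" bullet: once the cookie rotates, any form the user still has open in another tab was rendered with the previous token and will be rejected on submit, which is why per-session tokens (rotated only on login or logout) are the more common choice. The `XssTokenString` value for `$.ajax`/`$.post` would simply be the same serialized cookie value exposed to script, sent back as a form field or header and validated by the same `IsValidRequest` check.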