Hi Sokun, any updates on this?

On Jun 2, 8:28 pm, Gauthier Segay <[email protected]> wrote:
> Hi John (not Simons sorry!)
>
> My problem with action level filter might be because I've tried to use
> them in the past and wasn't able to make them work, I will check soon
> on a project where I use filters (at controller level ATM) and get
> back if the issue is still there.
>
> Also, this thread is probably what stuck in my mind the idea that
> action level filters are not there:
>
> http://groups.google.com/group/castle-project-users/browse_frm/thread...
>
> I agree with the idea to embed the token hidden field on Form.FormTag
>
> On May 31, 11:39 pm, John Simons <[email protected]> wrote:
> > Gauthie,
> >
> > Action level filters work fine in Monorail actions. What problems are you
> > having?
> >
> > Sokun,
> >
> > Regarding $FormHelper.ForgeryToken(), I actually don't think we need this.
> > You can use the form parameters to configure it and then write a hidden tag
> > as part of rendering the form tag.
> >
> > Eg.
> >
> > $Form.FormTag("%{ controller='myController', action='myAction',
> > useAntiForgeryToken='true', antiForgeryTokenSalt='$^DF2x' }")
> >
> > and this would output:
> >
> > <form action="/myController/myAction" method="post">
> > <input name="__RequestVerificationToken" type="hidden"
> > value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZpArs" />
> >
> > What do u think?
> >
> > Cheers
> > John
> >
> > ________________________________
> > From: Gauthier Segay <[email protected]>
> > To: Castle Project Development List <[email protected]>
> > Sent: Mon, 31 May, 2010 7:58:15 AM
> > Subject: Re: Implementing AntiForgeryValidatorFilter
> >
> > Hi Simon and Sokun,
> >
> > > How come you apply the attribute to the Controller?
> >
> > I think we are lacking action level filters; they only work at
> > controller level at the moment in monorail
> >
> > > My thoughts on this, try to copy as much from the MS implementation as
> > > possible (no point reinventing the wheel).
> >
> > +1, we should even try to leverage the classes that don't interact
> > directly with the abstract HttpContext or mvc internals, but
> > unfortunately System.Web.Mvc.AntiForgeryData is internal sealed :(
> >
> > > ${XssHiddenField} should be a helper eg. $FormHelper.ForgeryToken()
> >
> > +1, I would name it $FormHelper.ForgeryTokenField or
> > $FormHelper.ForgeryTokenHiddenField unless it's just the token value
> > to be more explicit
> >
> > On May 30, 06:00, "c.sokun" <[email protected]> wrote:
> > > Thanks Simon,
> > >
> > > I will adapt the MS implementation in a few areas like generating and
> > > serializing the token string into a cookie.
> > > I also like this idea $FormHelper.ForgeryToken() except that I would
> > > have to touch existing code but I add it as an alternative option of
> > > ${XssHiddenField}
> > >
> > > Will update you on the progress soon.
> > >
> > > Thanks,
> > > Sokun
> > >
> > > On May 30, 8:18 am, John Simons <[email protected]> wrote:
> > > > Hi Sokun,
> > > >
> > > > Good specs :)
> > > > How come you apply the attribute to the Controller?
> > > > I thought you would apply the attribute to the individual Actions, at
> > > > least that is what MS has done in ASP.MVC.
> > > >
> > > > My thoughts on this, try to copy as much from the MS implementation as
> > > > possible (no point reinventing the wheel).
> > > >
> > > > ${XssHiddenField} should be a helper eg. $FormHelper.ForgeryToken()
> > > >
> > > > Cheers
> > > > John
> > > >
> > > > ________________________________
> > > > From: c.sokun <[email protected]>
> > > > To: Castle Project Development List <[email protected]>
> > > > Sent: Sun, 30 May, 2010 1:31:46 AM
> > > > Subject: Implementing AntiForgeryValidatorFilter
> > > >
> > > > I am currently working on AntiForgeryValidatorFilter for MonoRail but
> > > > before I start coding I want to have your feedback on the usage and
> > > > implementation direction.
> > > >
> > > > Usage:
> > > > 1. At the server side code
> > > >
> > > > [AntiForgeryValidatorFilter()]
> > > > public class HomeController : SmartDispatcherController {
> > > >     public void Index() {
> > > >     }
> > > > }
> > > >
> > > > 2. View Template
> > > > <form method="POST" action="....">
> > > > ${XssHiddenField}
> > > > </form>
> > > >
> > > > Implementation:
> > > >
> > > > - The Filter only works for POST
> > > > - The Filter will automatically set up the AntiForgery Cookie if it doesn't
> > > >   exist (in encrypted form)
> > > > - The Filter will regenerate & store a new token value in the Cookie after a
> > > >   successful POST. (not sure if this is practical?)
> > > > - The Filter will create and store two string values in the PropertyBag,
> > > >   a, XssHiddenField // <input type='hidden' value='tokenString' />
> > > >   b, XssTokenString // raw token string which is useful for crafting
> > > >      $.ajax $.post etc
> > > > - more configuration features
> > > >
> > > > I think the usage is quite simple and easily integrates into an existing
> > > > app; now the challenge is
> > > > - The Filter will automatically set up the AntiForgery Cookie if it doesn't
> > > >   exist (in encrypted form)
> > > > - The Filter will regenerate & store a new token value in the Cookie after a
> > > >   successful POST. (not sure if this is practical?)
> > > > am I going in the right direction?
> > > >
> > > > Thanks,
> > > > Sokun
-- You received this message because you are subscribed to the Google Groups "Castle Project Development List" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/castle-project-devel?hl=en.
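The filter behaviour the thread converges on (a random token stored in a cookie, the same token written into a hidden field, the two compared on POST, and the cookie regenerated after a successful POST) is shown below as an added example. It is not Castle MonoRail code and not anything posted in the thread: it is written in Python so it runs stand-alone, the Request/Response classes, perform() and property_bag are stand-ins for MonoRail's filter and PropertyBag plumbing, the "encrypted form" of the cookie is replaced by an HMAC binding (an assumption), and the server key and salt are constructed sample values.

```python
"""Added example (not Castle MonoRail code): a cookie-backed anti-forgery
filter modelled on the behaviour discussed in the thread. Request, Response,
perform() and property_bag are stand-ins for the MonoRail IFilter/PropertyBag
plumbing; the cookie is HMAC-bound rather than encrypted (an assumption)."""
import base64
import hashlib
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed server-side secret; a real deployment loads this from config.
SERVER_KEY = b"constructed-example-key-not-for-production"
TOKEN_NAME = "__RequestVerificationToken"   # cookie and hidden-field name from the thread


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict


@dataclass
class Response:
    set_cookies: dict = field(default_factory=dict)   # cookies to send back
    property_bag: dict = field(default_factory=dict)  # values the view can read


def new_cookie_token() -> str:
    """Fresh random token for the anti-forgery cookie."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()


def _mac(cookie_token: str, salt: str) -> bytes:
    # Binds the form token to the cookie token, the salt and the server key.
    return hmac.new(SERVER_KEY, f"{salt}|{cookie_token}".encode(), hashlib.sha256).digest()


def form_token_for(cookie_token: str, salt: str) -> str:
    """Hidden-field value: the cookie token plus an HMAC over it and the salt."""
    return cookie_token + "." + base64.urlsafe_b64encode(_mac(cookie_token, salt)).decode()


def validate(cookie_token: str, form_token: str, salt: str) -> bool:
    """True only if the submitted field matches the cookie and carries a valid MAC."""
    try:
        token, mac_b64 = form_token.split(".", 1)
        submitted_mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:          # malformed field or bad base64 (binascii.Error is a ValueError)
        return False
    # Constant-time comparisons on both halves.
    return (hmac.compare_digest(token.encode(), cookie_token.encode())
            and hmac.compare_digest(submitted_mac, _mac(cookie_token, salt)))


class AntiForgeryValidatorFilter:
    """Hypothetical filter: issues the cookie, validates POSTs, rotates the token."""

    def __init__(self, salt: str = ""):
        self.salt = salt

    def perform(self, req: Request, resp: Response) -> bool:
        """Return False to stop the action (failed check), True to let it run."""
        cookie_token = req.cookies.get(TOKEN_NAME)

        if req.method.upper() == "POST":
            # No cookie, or a field that does not match it: reject the request.
            if cookie_token is None or not validate(
                    cookie_token, req.form.get(TOKEN_NAME, ""), self.salt):
                return False
            # Successful POST: regenerate and store a new token in the cookie.
            cookie_token = new_cookie_token()
            resp.set_cookies[TOKEN_NAME] = cookie_token
        elif cookie_token is None:
            # First visit: set up the cookie so the rendered form can reference it.
            cookie_token = new_cookie_token()
            resp.set_cookies[TOKEN_NAME] = cookie_token

        # Expose both the raw token and the ready-made hidden field to the view.
        token = form_token_for(cookie_token, self.salt)
        resp.property_bag["XssTokenString"] = token
        resp.property_bag["XssHiddenField"] = (
            f'<input name="{TOKEN_NAME}" type="hidden" value="{html.escape(token)}" />')
        return True
```

Two points the example makes concrete. A forged cross-site POST carries the victim's cookie but cannot read it, so it cannot produce a matching hidden field; a field copied from another user fails the MAC/cookie comparison. Rotating the cookie after every successful POST, the step Sokun was unsure about, also invalidates any form still open in another tab of the same browser, which is the practicality cost to weigh against the replay window it closes.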
