StatelessForm resubmitting via GET
----------------------------------
Key: WICKET-4107
URL: https://issues.apache.org/jira/browse/WICKET-4107
Project: Wicket
Issue Type: Bug
Components: wicket
Reporter: Chris Hansen
Assignee: Johan Compagner
I have a stateless login page for the application (using
HybridUrlCodingStrategy):
url_1 = http://localhost/login
When I press the login button of the username + password form the form data
will be sent using HTTP POST:
url_2 = http://localhost/login/wicket:interface/%3A0%3AnavigationContrib%3Aform%3A%3AIFormSubmitListener%3A%3A/
Unfortunately, if somebody bookmarks url_2 (which is stupid as we Java dudes
all know, but it _will_ happen because average users don't know better) the
form submit listener will be invoked using HTTP GET and having no form
parameters. *imho* bookmarks should be possible in a professional application
at all times.
This, of course, will result in an ugly error message and unexpected
application behavior and empty form fields and stuff. That's *btw* why I
declare this request a bug and not a feature / enhancement.
I think it would be cool to have Form#onInvalidSubmit() to handle this kind of
stuff (it won't happen on stateful pages with redirect after post enabled). So,
for example, the application could just reload to the login page.
Detection is easy... here is my suggestion:
------------------------------------------------------
class org.apache.wicket.markup.html.form.Form:

    public final void onFormSubmitted() // line 746
    {
        // HTTP method the request actually arrived with
        final String method = ((WebRequest) getRequest()).getHttpServletRequest().getMethod();
        // Compare it with the method this form declares (Form#getMethod())
        if (method.equalsIgnoreCase(this.getMethod()) == false)
            this.onInvalidSubmit();
        // ...
    }

    // override (optional)
    protected void onInvalidSubmit() {}
------------------------------
In my case I would just do this:

    @Override
    protected void onInvalidSubmit()
    {
        // Redirect to a fresh instance of the page instead of processing the submit
        this.setRedirect(true);
        throw new RestartResponseException(getPage().getClass());
    }
This would probably be a good default behavior for StatelessForm....
I consider this change useful enough to be part of wicket core.
What do you guys think?
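
The method check proposed in this report, sketched outside Wicket as an added example (not code from the report or from Wicket). It decides, from the request method and a URL shaped like url_2, whether to process the submit or redirect to the bookmarkable page; the class and method names are hypothetical, and the URL layout is assumed to match url_2.

```java
import java.util.Locale;

/** Added illustration; ListenerMethodGuard and redirectTarget are hypothetical names. */
public final class ListenerMethodGuard {

    /**
     * Returns the path to redirect to when a form submit listener URL is
     * requested with a method other than the one the form declares, or
     * null when the request should be processed normally.
     */
    public static String redirectTarget(String requestMethod, String formMethod, String requestUri) {
        // Request URIs are ASCII, so lower-casing keeps character positions aligned.
        String lower = requestUri.toLowerCase(Locale.ROOT);
        int idx = lower.indexOf("/wicket:interface/");
        if (idx < 0) {
            // The colon may also arrive percent-encoded.
            idx = lower.indexOf("/wicket%3ainterface/");
        }
        if (idx < 0 || lower.indexOf("iformsubmitlistener", idx) < 0) {
            return null; // not a form submit listener URL
        }
        if (requestMethod.equalsIgnoreCase(formMethod)) {
            return null; // expected method: let the form process the submit
        }
        // Mismatch (for example a bookmarked POST target fetched via GET):
        // fall back to the bookmarkable part in front of the listener segment.
        String page = requestUri.substring(0, idx);
        return page.isEmpty() ? "/" : page;
    }

    public static void main(String[] args) {
        // Path of url_2 from the report.
        String url2 = "/login/wicket:interface/"
                + "%3A0%3AnavigationContrib%3Aform%3A%3AIFormSubmitListener%3A%3A/";
        System.out.println(redirectTarget("GET", "post", url2));     // bookmarked listener URL
        System.out.println(redirectTarget("POST", "post", url2));    // regular form submit
        System.out.println(redirectTarget("GET", "post", "/login")); // plain page request
    }
}
```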