[ https://issues.apache.org/jira/browse/WICKET-4107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Hansen updated WICKET-4107:
---------------------------------

          Description: 
After a StatelessForm is submitted, the user is redirected to a new URI. If  
the user does an HTTP GET to this same URI, the form is resubmitted with all 
blank values (see examples below). This seems to happen regardless of the 
RenderStrategy being used or the form's method (i.e. POST), and it happens in 
recent versions of 1.4.x as well as 1.5.x.

To demonstrate the behavior, visit either of the following links. The 
validation failure indicates that the form has been submitted just by visiting 
the URI (i.e. HTTP GET).
http://wicketstuff.org/wicket14/stateless/?wicket:bookmarkablePage=:org.apache.wicket.examples.stateless.StatelessPage&wicket:interface=:0:statelessform::IFormSubmitListener::
http://wicketstuff.org/wicket/stateless/foo?0-1.IFormSubmitListener-statelessform

This behavior could be triggered when:
* a user submits a StatelessForm and saves a bookmark to the generated URI.
* a user submits a StatelessForm and shares a link to the generated URI via 
email or other means.
* a user submits a StatelessForm, lets their session expire, then takes any 
action requiring login when using wicket-auth-roles. (They are redirected back 
to the generated URI after login.)
* after submitting a StatelessForm, a user clicks in their address bar and hits 
enter.

  was:
I have a stateless login page for the application (using 
HybridUrlCodingStrategy):

   url_1 = http://localhost/login

When I press the login button of the username + password form the form data 
will be sent using HTTP POST:

  url_2 = 
http://localhost/login/wicket:interface/%3A0%3AnavigationContrib%3Aform%3A%3AIFormSubmitListener%3A%3A/

Unfortunately, if somebody bookmarks url_2 (which is stupid as we Java dudes 
all know, but it _will_ happen because average users don't know better) the 
form submit listener will be invoked using HTTP GET and having no form 
parameters. *imho* bookmarks should be possible in a professional application 
at all times.

This, of course, will result in an ugly error message and unexpected 
application behavior and empty form fields and stuff. That's *btw* why I 
declare this request a bug and not a feature / enhancement.

I think it would be cool to have Form#onInvalidSubmit() to handle this kind of 
stuff (it won't happen on stateful pages with redirect after post enabled). So, 
for example, the application could just reload to the login page.

Detection is easy... here is my suggestion:

------------------------------------------------------
class org.apache.wicket.markup.html.form.Form:

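public final void onFormSubmitted()  // line 746
{
    // HTTP method of the request that reached the submit listener
    final String method = ((WebRequest) getRequest()).getHttpServletRequest().getMethod();

    // Request method differs from the form's declared method (e.g. GET on a POST form)
    if (!method.equalsIgnoreCase(this.getMethod()))
      this.onInvalidSubmit();

    // ...
}

// override (optional)
protected void onInvalidSubmit() {}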

------------------------------

In my case I would just do this:

@Override
protected void onInvalidSubmit()
{
  this.setRedirect(true);
  throw new RestartResponseException(getPage().getClass());
}

This would probably be a good default behavior for StatelessForm....

I consider this change useful enough to be part of wicket core.

What do you guys think?

    Affects Version/s: 1.4.18
                       1.5.0
                       1.5.1
    
> StatelessForm resubmitting via GET
> ----------------------------------
>
>                 Key: WICKET-4107
>                 URL: https://issues.apache.org/jira/browse/WICKET-4107
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18, 1.5.0, 1.5.1
>            Reporter: Chris Hansen
>            Assignee: Johan Compagner

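Added example (not part of the issue or of Wicket): a small access-log check that finds requests reaching a form submit listener URL with a method other than the form's own, covering the three URL shapes quoted in the issue. The log lines are constructed, Common Log Format is assumed, and the name find_listener_gets is hypothetical.

```python
import re
from urllib.parse import unquote

# Marker shared by the listener URLs quoted in the issue: the 1.4 query form,
# the 1.4 URL-encoded path form and the 1.5 query form.
LISTENER = re.compile(r"IFormSubmitListener")

# Request part of a Common Log Format line: "METHOD target HTTP/x.y" status
REQUEST = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log (documentation IP range, paths taken from the issue).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2011:13:55:36 +0000] "POST /wicket/stateless/foo'
    '?0-1.IFormSubmitListener-statelessform HTTP/1.1" 302 0',
    '192.0.2.10 - - [11/Oct/2011:09:02:11 +0000] "GET /wicket/stateless/foo'
    '?0-1.IFormSubmitListener-statelessform HTTP/1.1" 200 5120',
    '192.0.2.44 - - [11/Oct/2011:09:05:40 +0000] "GET /login/wicket:interface/'
    '%3A0%3AnavigationContrib%3Aform%3A%3AIFormSubmitListener%3A%3A/ HTTP/1.1" 200 4096',
    '192.0.2.51 - - [11/Oct/2011:09:07:02 +0000] "GET /wicket14/stateless/'
    '?wicket:bookmarkablePage=:org.apache.wicket.examples.stateless.StatelessPage'
    '&wicket:interface=:0:statelessform::IFormSubmitListener:: HTTP/1.1" 200 5200',
    '192.0.2.51 - - [11/Oct/2011:09:07:30 +0000] "GET /login HTTP/1.1" 200 3100',
]


def find_listener_gets(lines, form_method="POST"):
    """Return (line_no, method, decoded_target) for every request that hits a
    form submit listener URL with a method other than form_method."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match is None:
            continue  # not a request line we can parse
        # Decode once so the %3A-encoded path form matches like the others.
        target = unquote(match.group("target"))
        if LISTENER.search(target) and match.group("method") != form_method.upper():
            hits.append((line_no, match.group("method"), target))
    return hits


if __name__ == "__main__":
    for line_no, method, target in find_listener_gets(SAMPLE_LOG):
        print(f"line {line_no}: {method} {target}")
```
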