2011/4/3 Markus Jung <[email protected]>:
> What is not clear for me is that this solution works for all form and bean
> based components. This solution seems only to work for actionLink, right -
> or am I missing something?

The form component renders hidden inputs for parameters added by
LinkCreationListener2 (the new name for LinkFactoryListener).

> I'm currently digging into the details of Tapestry and different protection
> mechanisms against CSRF. So far the most reasonable solution for me is, as
> Andreas Andreou suggested, to provide a component mixin that could be added
> to all components that are rendered as an HTML form, e.g. form components and
> bean-related components. In the template an additional element has to be
> explicitly added that holds the secure token and is rendered as an HTML
> hidden input field.

If I were you I would first try to implement the wiki solution with
LinkCreationListener2.

> This solution could maybe be extended to provide a more general usage pattern,
> e.g. a site configuration parameter that enables CSRF protection for all
> form-based components without further coding required, or a page-scope
> enabling of this mechanism may be useful.

Keep in mind the drawback effect on:
- bookmarking / URL rewriting
- the entry point to user authentication and user rights management
- session replication and so on, etc.

> In a further step it might be useful to protect HTML anchor rendered
> components also.
>
> I will prepare a project proposal with a rough timeline. Who would like to
> mentor this project - is it Ulrich Stärk? I would like to double check the
> project proposal with the mentor before I submit it.

It would be nice to have a page about Tapestry better than
http://www.owasp.org/index.php/Java_Server_Faces

François
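The synchronizer-token scheme the thread is circling around (one secret per session, appended to action links by a LinkCreationListener2-style hook, rendered as a hidden input by the form component, and checked on every state-changing request) as an added, stand-alone example. This is not Tapestry's code nor code from anyone on the thread, and it deliberately uses no Tapestry API: the parameter name `t:csrf`, the class name and the sample link path are assumptions, and the `main` method only illustrates the checks, including the bookmarking drawback François points out (a link bookmarked in one session carries a token that a later session will reject).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Synchronizer-token CSRF protection: one secret token per session, added to
 * action links and rendered as a hidden form input, then verified on submit.
 * Illustrative code; not part of Tapestry.
 */
public final class CsrfToken {

    /** Hypothetical request parameter name; Tapestry defines no such name. */
    public static final String PARAM = "t:csrf";

    private static final SecureRandom RNG = new SecureRandom();

    private CsrfToken() {}

    /** Create a fresh 256-bit token. The caller stores it server-side, e.g. in the HttpSession. */
    public static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        // URL-safe Base64 without padding: usable in both query strings and attribute values.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** What a LinkCreationListener2-style hook would do: add the token to a component event link. */
    public static String decorateLink(String url, String token) {
        String separator = url.indexOf('?') < 0 ? "?" : "&";
        return url + separator + PARAM + "=" + token;
    }

    /** What the form component renders for the same parameter. */
    public static String hiddenInput(String token) {
        return "<input type=\"hidden\" name=\"" + PARAM + "\" value=\"" + escapeAttribute(token) + "\"/>";
    }

    /**
     * Server-side check. A missing token is rejected rather than treated as
     * "unprotected", and the comparison is constant-time so the token cannot
     * be recovered byte by byte through timing differences.
     */
    public static boolean isValid(String sessionToken, String submittedToken) {
        if (sessionToken == null || submittedToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    /** Minimal HTML attribute escaping; the token itself is already URL-safe Base64. */
    private static String escapeAttribute(String s) {
        return s.replace("&", "&amp;")
                .replace("\"", "&quot;")
                .replace("<", "&lt;")
                .replace(">", "&gt;");
    }

    public static void main(String[] args) {
        String aliceToken = newToken();   // stored in Alice's session
        String bobToken = newToken();     // a different session

        // Hypothetical action link and the form field that carries the same parameter.
        System.out.println(decorateLink("/index.delete/42", aliceToken));
        System.out.println(hiddenInput(aliceToken));

        // Alice submits her own form: the token matches her session.
        System.out.println("own form:        " + isValid(aliceToken, aliceToken));
        // A forged cross-site request cannot read her token and sends none.
        System.out.println("forged request:  " + isValid(aliceToken, null));
        // The bookmarking drawback: Alice's bookmarked link opened in a
        // later session carries a stale token and is refused.
        System.out.println("bookmarked link: " + isValid(bobToken, aliceToken));
    }
}
```

The same per-session token serves both the link and the form case, which is why rendering it through the link-creation hook covers the actionLink and form components at once; what it does not cover is exactly what the thread lists, namely that any URL carrying the token stops being bookmarkable and that the token must survive session replication.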
