WICKET-4107 was specifically about preventing GET requests on stateless
forms. Why not do something similar for Ajax behaviors?
On 01.02.2018 at 22:45, Carl-Eric Menzel wrote:
I've just encountered an interesting oddity. For a normal form
submission, there is Form#onMethodMismatch where I can decide what
should happen if somebody calls the form's URL with a GET request
rather than the usual POST. At least in 6.x and 7.x this is called
from onFormSubmitted() - but not from onFormSubmitted(submitter).
The result is that for forms that have an ajax button and thus a valid
submitter, I can't stop somebody building a GET request and firing
that against the button's URL. Theoretically I could override
AjaxFormSubmitBehavior's onEvent method, but that doesn't work for
ajax buttons, which build their own AjaxFormSubmitBehavior.
On one of my current projects the customer is quite security-minded
and would like the application to block these GET requests. My
question is: Is it intentional that only the regular onFormSubmitted()
method checks this? If yes, I'd like to know the reasoning please. If
not, I'm going to write a patch to fix this.
Or maybe I'm missing something and am going the wrong way entirely. In
that case, let me know please.
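As an added illustration of the approach the message above calls "theoretical" (overriding AjaxFormSubmitBehavior#onEvent), here is a behavior subclass that replicates the method check Form#onFormSubmitted() performs for regular submissions and aborts the Ajax submit when the HTTP method does not match the form's declared method. This is example code written for this discussion, not part of Wicket or of any patch mentioned in the thread; the class name PostOnlyAjaxFormSubmitBehavior and the onMethodMismatch hook are hypothetical. It uses only APIs that exist in Wicket 6.x and 7.x: RequestCycle#getRequest, Request#getContainerRequest, Form#getRootForm, Form#getMethod and the AjaxFormSubmitBehavior(Form, String) constructor.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.form.AjaxFormSubmitBehavior;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.request.cycle.RequestCycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical example (not Wicket's own code): an Ajax submit behavior that refuses
 * to submit the form when the HTTP method of the incoming request (e.g. GET) does not
 * match the form's declared method (normally POST). Mirrors the check that
 * Form#onFormSubmitted() performs for non-Ajax submissions.
 */
public class PostOnlyAjaxFormSubmitBehavior extends AjaxFormSubmitBehavior
{
    private static final Logger log = LoggerFactory.getLogger(PostOnlyAjaxFormSubmitBehavior.class);

    public PostOnlyAjaxFormSubmitBehavior(Form<?> form, String event)
    {
        super(form, event);
    }

    @Override
    protected void onEvent(AjaxRequestTarget target)
    {
        Object container = RequestCycle.get().getRequest().getContainerRequest();
        if (container instanceof HttpServletRequest)
        {
            // The method the browser actually used vs. the one the form declares
            String actual = ((HttpServletRequest) container).getMethod();
            String desired = getForm().getRootForm().getMethod();
            if (!actual.equalsIgnoreCase(desired))
            {
                onMethodMismatch(target, actual, desired);
                return; // abort: the form is never processed, no onSubmit/onError
            }
        }
        // Method matches: proceed with the normal Ajax form submission
        super.onEvent(target);
    }

    /**
     * Hypothetical hook called instead of submitting. The default just logs; an
     * application could also add feedback to the target or fail the request.
     */
    protected void onMethodMismatch(AjaxRequestTarget target, String actual, String desired)
    {
        log.warn("Rejected Ajax form submit for {}: request method {} does not match form method {}",
            getComponent().getPageRelativePath(), actual, desired);
    }
}
```

Usage: attach it to a submitting component instead of a plain AjaxFormSubmitBehavior, e.g. `link.add(new PostOnlyAjaxFormSubmitBehavior(form, "click") { ... })`, and override onSubmit/onError as usual. As the message above notes, this does not help with AjaxButton, which constructs its own AjaxFormSubmitBehavior internally, so the check would have to live in the framework (as it does for the non-Ajax path) to cover that case.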