Re: [OS-webwork] Hidden token
I resigned from formal association with OpenSymphony. I no longer have or want CVS update access, or web site update capabilities, although I can update the wiki and offer input on issues just like other users can. What's more, since I used to be somewhat responsible for the care and feeding of OpenSymphony, I have its best interests at heart. What better input can there be than that of an experienced, caring user? On Fri, 17 Jan 2003, [ISO-8859-1] Rickard Öberg wrote: Joseph Ottinger wrote: I'd prefer adding it to the wiki or the current release of WW, since there are some users who actually use what's there now as opposed to vapourware, even though the vapourware is promising. Didn't you resign from OpenSymphony? Or was it just that you stopped doing things? /Rickard --- This SF.NET email is sponsored by: Thawte.com Understand how to protect your customers personal information by implementing SSL on your Apache Web Server. Click here to get our FREE Thawte Apache Guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0029en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork - Joseph B. Ottinger [EMAIL PROTECTED] http://enigmastation.comIT Consultant --- This SF.NET email is sponsored by: Thawte.com Understand how to protect your customers personal information by implementing SSL on your Apache Web Server. Click here to get our FREE Thawte Apache Guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0029en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
Well, from my part, I'll toy with getting it in sandbox right away. - Original Message - From: Rickard Öberg [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 17, 2003 12:36 AM Subject: Re: [OS-webwork] Hidden token Vedovato Paolo wrote: that is a very important feature that should get ASAP into current webwork...so what can be added now (automatic or manually) should be added Sure, but what if we go with the automatic system later on? Then there'll be whining and cursing, as usual. /Rickard --- This SF.NET email is sponsored by: Thawte.com Understand how to protect your customers personal information by implementing SSL on your Apache Web Server. Click here to get our FREE Thawte Apache Guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0029en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: Thawte.com Understand how to protect your customers personal information by implementing SSL on your Apache Web Server. Click here to get our FREE Thawte Apache Guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0029en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
RE: [OS-webwork] Hidden token
-Original Message- From: Robert Nicholson [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 5:50 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token I think the only reason Struts needs the ui:form is to associate the form to the form bean. I'm against the idea of a ui:form tag. ie. mandatory use of WW UI tags for proper behaviour. Struts form beans don't work unless you use their UI tags. I was proposing the ww:form tag only to do this (the hidden token) for you. I believe Rickard's proposed method will also require this (or would you do form action=ww:url .../?) I suppose we could also have the token creation be in a util action that would populate the session, and you could call it from the jsp using ww:action as well. --- This SF.NET email is sponsored by: Thawte.com - A 128-bit supercerts will allow you to extend the highest allowed 128 bit encryption to all your clients even if they use browsers that are limited to 40 bit encryption. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0030en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
RE: [OS-webwork] Hidden token
-Original Message- From: Robert Nicholson [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 5:52 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token If I quickly hit the the submit button twice what happens? What guarantee is there that the execution of both actions isn't interleaved? Well, the first thing the action would do is check the token and remove it from the session. Is access to the session thread safe? Either way, you'd want to synchronize the read and clear of the token (or temporary URL), and whichever one got it first would succeed. --- This SF.NET email is sponsored by: Thawte.com - A 128-bit supercerts will allow you to extend the highest allowed 128 bit encryption to all your clients even if they use browsers that are limited to 40 bit encryption. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0030en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
RE: [OS-webwork] Hidden token
-Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 16, 2003 7:27 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token I have the code ;). I can add it if it is what people want but Rickard has a point in trying to make this more automatic without adding a manual field. I guess we could have the old fashion way and if/when the portlet framework develops we can use it. -Matt Does the automatic way support both problem conditions: 1) reloading the result page and thereby re-posting the form data, and 2) the user hitting the back button and submitting the form again. I think it does, and I'm sure the hidden token does, but I wanted to check for sure. --- This SF.NET email is sponsored by: Thawte.com - A 128-bit supercerts will allow you to extend the highest allowed 128 bit encryption to all your clients even if they use browsers that are limited to 40 bit encryption. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0030en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
I proposed the ability to associate URL's with actions. When the URL is requested the action is executed and the association is removed. This removes the need for any Javascript solution or any hidden fields or any such tricks. Would the result of this execution be stored so that the second click would lead to the already generated result then? Anders Hovmöller [EMAIL PROTECTED] http://boxed.killingar.net --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
boxed wrote: I proposed the ability to associate URL's with actions. When the URL is requested the action is executed and the association is removed. This removes the need for any Javascript solution or any hidden fields or any such tricks. Would the result of this execution be stored so that the second click would lead to the already generated result then? I don't know. Probably not. The above feature would only ensure that only code that is SUPPOSED to be executed actually gets executed. /Rickard --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
On Thu, Jan 16, 2003 at 08:45:53AM +0100, Rickard Öberg wrote: Jason Carreira wrote: I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... I proposed the ability to associate URL's with actions. When the URL is requested the action is executed and the association is removed. This removes the need for any Javascript solution or any hidden fields or any such tricks. And this is also how the Portlet API is going to work. The only problem with it is that you'd have to use a JSP tag or similar to generate the URL. Hmmm, doest this mean, the jsp tag does sth. like session.getTokenStack().push(new RandomToken()) and the action compares the value passed in the hidden field to getTokenStack().pop()? -billy. -- Meisterbohne Söflinger Straße 100 Tel: +49-731-399 499-0 eLösungen 89077 Ulm Fax: +49-731-399 499-9 msg01270/pgp0.pgp Description: PGP signature
Re: [OS-webwork] Hidden token
There would be no hidden field. When the URL is generated that URL is associated with the actions to be run. There's no way to figure out from the URL what actions will be executed. So you get URLs like: http://www.myhost.com/some/path/wfjIFEOwijofOEIWjfIOWEkaAIoqjklnfoSyEj?foo=bar And then a map associates that with an action on the server side. Is that correct? --Erik --- This SF.NET email is sponsored by: Thawte.com Understand how to protect your customers personal information by implementing SSL on your Apache Web Server. Click here to get our FREE Thawte Apache Guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0029en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
Erik Beeson wrote: There would be no hidden field. When the URL is generated that URL is associated with the actions to be run. There's no way to figure out from the URL what actions will be executed. So you get URLs like: http://www.myhost.com/some/path/wfjIFEOwijofOEIWjfIOWEkaAIoqjklnfoSyEj?foo=bar And then a map associates that with an action on the server side. Is that correct? --Erik No. Example: xw:url page=foobar.html action=blahblah xw:param name=foo value=bar/ /xw:url would generate the following URL: foobar.html?foo=bar When the server runs foobar.html it first executes blahblah and makes the result available somehow for the rendering process to use. Pretty straightforward. If foobar.html?foo=bar is hit again then nothing happens, since the action has already been executed. /Rickard --- This SF.NET email is sponsored by: Thawte.com Understand how to protect your customers personal information by implementing SSL on your Apache Web Server. Click here to get our FREE Thawte Apache Guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0029en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
On Thu, Jan 16, 2003 at 11:06:58AM +0100, Rickard Öberg wrote: Philipp Meier wrote: Hmmm, doest this mean, the jsp tag does sth. like session.getTokenStack().push(new RandomToken()) and the action compares the value passed in the hidden field to getTokenStack().pop()? There would be no hidden field. When the URL is generated that URL is associated with the actions to be run. There's no way to figure out from the URL what actions will be executed. Does this mean that when I use the ww:form tag, the target url will be pushed / popped? That sounds even more reasonable. We can then use that in the other view layer, too. Ander's idea of caching the execution result would IMHO fit here. Of course it must be made optional if on the second submit the result is fetched from the cache or an error is thrown. I'm not sure how this configuration can be achieved, any Ideas? I suppose having a new RobustServletDispatcher that uses a combined Token Stack and Action Cache stored in the session. -billy. -- Meisterbohne Söflinger Straße 100 Tel: +49-731-399 499-0 eLösungen 89077 Ulm Fax: +49-731-399 499-9 msg01274/pgp0.pgp Description: PGP signature
Re: [OS-webwork] Hidden token
Philipp Meier wrote: Does this mean that when I use the ww:form tag, the target url will be pushed / popped? Not sure what you mean by pushed/popped. XWork would have an association between user/URL and actions. When that user hits a URL the association is used, and then removed. /Rickard -- Rickard Öberg [EMAIL PROTECTED] Senselogic Got blog? I do. http://dreambean.com --- This SF.NET email is sponsored by: Thawte.com Understand how to protect your customers personal information by implementing SSL on your Apache Web Server. Click here to get our FREE Thawte Apache Guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0029en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
On Thu, Jan 16, 2003 at 11:52:16AM +0100, Rickard Öberg wrote: Philipp Meier wrote: Does this mean that when I use the ww:form tag, the target url will be pushed / popped? Not sure what you mean by pushed/popped. XWork would have an association between user/URL and actions. When that user hits a URL the association is used, and then removed. I mean when the html view is rendered, the association will be put somewhere and when the url associated is used, the association will be taken (read and removed). -billy. -- Meisterbohne Söflinger Straße 100 Tel: +49-731-399 499-0 eLösungen 89077 Ulm Fax: +49-731-399 499-9 msg01276/pgp0.pgp Description: PGP signature
Re: [OS-webwork] Hidden token
The way this is typically done is that as the form is generated a token is placed into the session and a hidden field is generated that matches this token. When the action is executed it is valid when the two tokens match. After the first execution the session token is removed. Therefore on subsequent tokens you have a scenario where by the hidden field is still coming across in the request but the session token isn't there hence you know that's an invalid submit. On Wednesday, January 15, 2003, at 09:04 PM, Jason Carreira wrote: Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone: 585.240.2793 fax: 585.272.8118 email: [EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: Thawte.com Understand how to protect your customers personal information by implementing SSL on your Apache Web Server. Click here to get our FREE Thawte Apache Guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0029en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
Does that field also put the token into the session? Where's the code that adds the token to the session? On Thursday, January 16, 2003, at 01:23 AM, matt baldree wrote: no just added a hidden input field. this really isn't a ui tag. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 6:40 PM Subject: RE: [OS-webwork] Hidden token Did you modify the ui tags to automatically do this? I also added a Jira issue for this -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 7:44 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token my project. i can add it when i get a chance. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 6:10 PM Subject: RE: [OS-webwork] Hidden token In WW? Is this already there? Or did you do this in your project? -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 6:05 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token yes, this is how we did it. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 3:48 PM Subject: RE: [OS-webwork] Hidden token Just thought this out some more. Here's how it could work: the hidden token is set in the session when the form is shown, then added to the form as a hidden field. When the action processes the form, you look for the token and make sure it's the same as the last one you put in the session before you process. Jason -Original Message- From: Jason Carreira Sent: Wednesday, January 15, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: [OS-webwork] Hidden token Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone: 585.240.2793 fax: 585.272.8118 email: [EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code
Re: [OS-webwork] Hidden token
I have the code ;). I can add it if it is what people want but Rickard has a point in trying to make this more automatic without adding a manual field. I guess we could have the old fashion way and if/when the portlet framework develops we can use it. -Matt - Original Message - From: Robert Nicholson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, January 16, 2003 4:48 PM Subject: Re: [OS-webwork] Hidden token Does that field also put the token into the session? Where's the code that adds the token to the session? On Thursday, January 16, 2003, at 01:23 AM, matt baldree wrote: no just added a hidden input field. this really isn't a ui tag. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 6:40 PM Subject: RE: [OS-webwork] Hidden token Did you modify the ui tags to automatically do this? I also added a Jira issue for this -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 7:44 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token my project. i can add it when i get a chance. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 6:10 PM Subject: RE: [OS-webwork] Hidden token In WW? Is this already there? Or did you do this in your project? -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 6:05 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token yes, this is how we did it. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 3:48 PM Subject: RE: [OS-webwork] Hidden token Just thought this out some more. Here's how it could work: the hidden token is set in the session when the form is shown, then added to the form as a hidden field. When the action processes the form, you look for the token and make sure it's the same as the last one you put in the session before you process. Jason -Original Message- From: Jason Carreira Sent: Wednesday, January 15, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: [OS-webwork] Hidden token Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone: 585.240.2793 fax: 585.272.8118 email: [EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
Joseph Ottinger wrote: I'd prefer adding it to the wiki or the current release of WW, since there are some users who actually use what's there now as opposed to vapourware, even though the vapourware is promising. Didn't you resign from OpenSymphony? Or was it just that you stopped doing things? /Rickard --- This SF.NET email is sponsored by: Thawte.com Understand how to protect your customers personal information by implementing SSL on your Apache Web Server. Click here to get our FREE Thawte Apache Guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0029en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
RE: [OS-webwork] Hidden token
Right, I just want to keep it from processing twice... Hit it twice if you want. -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 4:30 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token This doesn't prevent them from clicking 2x but prevents them from hitting back button and resubmitting. If you want to prevent clicking button 2x, you have to use javascript. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 3:04 PM Subject: [OS-webwork] Hidden token Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone: 585.240.2793 fax: 585.272.8118 email: [EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
RE: [OS-webwork] Hidden token
Just thought this out some more. Here's how it could work: the hidden token is set in the session when the form is shown, then added to the form as a hidden field. When the action processes the form, you look for the token and make sure it's the same as the last one you put in the session before you process. Jason -Original Message- From: Jason Carreira Sent: Wednesday, January 15, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: [OS-webwork] Hidden token Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone:585.240.2793 fax:585.272.8118 email:[EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
yes, this is how we did it. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 3:48 PM Subject: RE: [OS-webwork] Hidden token Just thought this out some more. Here's how it could work: the hidden token is set in the session when the form is shown, then added to the form as a hidden field. When the action processes the form, you look for the token and make sure it's the same as the last one you put in the session before you process. Jason -Original Message- From: Jason Carreira Sent: Wednesday, January 15, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: [OS-webwork] Hidden token Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone: 585.240.2793 fax: 585.272.8118 email: [EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
RE: [OS-webwork] Hidden token
In WW? Is this already there? Or did you do this in your project? -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 6:05 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token yes, this is how we did it. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 3:48 PM Subject: RE: [OS-webwork] Hidden token Just thought this out some more. Here's how it could work: the hidden token is set in the session when the form is shown, then added to the form as a hidden field. When the action processes the form, you look for the token and make sure it's the same as the last one you put in the session before you process. Jason -Original Message- From: Jason Carreira Sent: Wednesday, January 15, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: [OS-webwork] Hidden token Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone: 585.240.2793 fax: 585.272.8118 email: [EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
my project. i can add it when i get a chance. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 6:10 PM Subject: RE: [OS-webwork] Hidden token In WW? Is this already there? Or did you do this in your project? -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 6:05 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token yes, this is how we did it. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 3:48 PM Subject: RE: [OS-webwork] Hidden token Just thought this out some more. Here's how it could work: the hidden token is set in the session when the form is shown, then added to the form as a hidden field. When the action processes the form, you look for the token and make sure it's the same as the last one you put in the session before you process. Jason -Original Message- From: Jason Carreira Sent: Wednesday, January 15, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: [OS-webwork] Hidden token Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone: 585.240.2793 fax: 585.272.8118 email: [EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
RE: [OS-webwork] Hidden token
Did you modify the ui tags to automatically do this? I also added a Jira issue for this -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 7:44 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token my project. i can add it when i get a chance. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 6:10 PM Subject: RE: [OS-webwork] Hidden token In WW? Is this already there? Or did you do this in your project? -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 6:05 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token yes, this is how we did it. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 3:48 PM Subject: RE: [OS-webwork] Hidden token Just thought this out some more. Here's how it could work: the hidden token is set in the session when the form is shown, then added to the form as a hidden field. When the action processes the form, you look for the token and make sure it's the same as the last one you put in the session before you process. Jason -Original Message- From: Jason Carreira Sent: Wednesday, January 15, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: [OS-webwork] Hidden token Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone: 585.240.2793 fax: 585.272.8118 email: [EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin
RE: [OS-webwork] Hidden token
I wouldn't want to put this on the wiki before it's decided to do it... I put it in Jira instead -Original Message- From: Joseph Ottinger [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 8:42 PM To: [EMAIL PROTECTED] Subject: RE: [OS-webwork] Hidden token Actually... in case you guys don't know it, you have this cool wiki at http://www.opensymphony.com:8668/space/start where this sort of concept would be really cool to detail. Online docs, you might say, with ongoing practices and resources for opensymphony users. There's also the formtags library on opensymphony, which HAS a form tag that wouldn't be difficult (at ALL) to modify to include behaviour like this. For that matter, formtags even has access to the webwork valuestack already, so it can be a drop-in solution if you so desire. (It doesn't use templates; if you recall, that was on the drawing board before the drawing board collapsed under it.) On Wed, 15 Jan 2003, Jason Carreira wrote: I was thinking we could, like Struts does, make it an option to have a ui:form (which we don't have right now) and ww:url tag add this hidden token, through a hidden input field or URL rewriting, respectively. -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 8:23 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token no just added a hidden input field. this really isn't a ui tag. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 6:40 PM Subject: RE: [OS-webwork] Hidden token Did you modify the ui tags to automatically do this? I also added a Jira issue for this -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 7:44 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token my project. i can add it when i get a chance. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 6:10 PM Subject: RE: [OS-webwork] Hidden token In WW? Is this already there? Or did you do this in your project? -Original Message- From: matt baldree [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 15, 2003 6:05 PM To: [EMAIL PROTECTED] Subject: Re: [OS-webwork] Hidden token yes, this is how we did it. - Original Message - From: Jason Carreira [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 15, 2003 3:48 PM Subject: RE: [OS-webwork] Hidden token Just thought this out some more. Here's how it could work: the hidden token is set in the session when the form is shown, then added to the form as a hidden field. When the action processes the form, you look for the token and make sure it's the same as the last one you put in the session before you process. Jason -Original Message- From: Jason Carreira Sent: Wednesday, January 15, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: [OS-webwork] Hidden token Hi all, In our evaluation of Struts vs. Webwork, I was asked about the ability to do hidden tokens on WW built forms and URLs. Struts apparently, in their form and link tags, have the possibility of (optionally) adding a hidden token (either as a hidden form field, or through URL rewriting), which can keep the user from clicking twice and executing your action twice. I don't remember seeing anything like this in WW, although my take is that this would be easy enough to add to the URLTag. Also, is there a ui:form tag? I'm not sure what all got added. I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... Thoughts? Would this be something good to add (given that it would be optional and not break anybodies existing code)? Jason -- Jason Carreira Technical Architect, Notiva Corp. phone: 585.240.2793 fax: 585.272.8118 email: [EMAIL PROTECTED] --- Notiva - optimizing trade relationships (tm) --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi- bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list
Re: [OS-webwork] Hidden token
Peter, Excellent work mate - the Wiki is definitely the best place to record tips, tricks and roadmap items for discussion. -mike On 16/1/03 1:15 PM, Peter Kelley ([EMAIL PROTECTED]) penned the words: There's an area on wiki for discussing enhancements here: http://www.opensymphony.com:8668/space/WebWork+Roadmap and an area for sharing performance tips here: http://www.opensymphony.com:8668/space/Webwork+Performance+Tips Enjoy! P.S. I'll post some of the suggestions from the mailing list about select tags when I get a chance. On Thu, 2003-01-16 at 12:41, Joseph Ottinger wrote: Actually... in case you guys don't know it, you have this cool wiki at http://www.opensymphony.com:8668/space/start where this sort of concept would be really cool to detail. Online docs, you might say, with ongoing practices and resources for opensymphony users. -- Peter Kelley [EMAIL PROTECTED] Moveit Pty Ltd --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
Re: [OS-webwork] Hidden token
Jason Carreira wrote: I remember Rickard was talking about something to prevent 2 submits, but I'm not sure what it was... I proposed the ability to associate URL's with actions. When the URL is requested the action is executed and the association is removed. This removes the need for any Javascript solution or any hidden fields or any such tricks. And this is also how the Portlet API is going to work. The only problem with it is that you'd have to use a JSP tag or similar to generate the URL. IMHO it's the best solution to this problem. /Rickard --- This SF.NET email is sponsored by: A Thawte Code Signing Certificate is essential in establishing user confidence by providing assurance of authenticity and code integrity. Download our Free Code Signing guide: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0028en ___ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork