Re: How reliable Validators are?

2008-06-06 Thread James Carman
You would be inside the constructor of a page (or component) when you
instantiate the validator (presumably).  That page (or component)
could have a @SpringBean injected into it.  Then, it can pass that
injected reference into the constructor of the validator.

On Fri, Jun 6, 2008 at 6:31 PM, Patrick Angeles <[EMAIL PROTECTED]> wrote:
>
> That doesn't work either... b/c the validator instance has already been
> set...
>
> @SpringBean would work, but the Validator will need to manually invoke the
> Injector in its own constructor.
>
> Or you can use http://code.google.com/p/salve/ which is what we do.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
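
Added example (not code from the thread or from Wicket): a plain-JDK demonstration of the two points made in this thread, that a validator is serialized with its page and so cannot hold a live DB connection, and that a serializable reference can be passed into its constructor instead. UserDao, ConnectionBackedUserDao, UserDaoProxy, CONTEXT and CurrentPasswordValidator are hypothetical stand-ins; only the verifyPassword(userId, password) call comes from the thread, and UserDaoProxy plays the role of the serializable reference an injector hands to the page.

```java
import java.io.*;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SerializableValidatorDemo {
    /** Hypothetical service interface; verifyPassword mirrors the call quoted in the thread. */
    interface UserDao {
        boolean verifyPassword(String userId, String password);
    }

    /** Stand-in for a DAO holding a live resource (DB connection, Hibernate session). */
    static class ConnectionBackedUserDao implements UserDao {
        private final Object connection = new Object(); // not Serializable
        public boolean verifyPassword(String userId, String password) {
            // Constructed check; a real DAO verifies against a salted password hash.
            return "alice".equals(userId) && "correct horse".equals(password);
        }
    }

    /** Stand-in for the container that owns the singleton services. */
    static final Map<String, UserDao> CONTEXT = new ConcurrentHashMap<>();

    /** Serializable handle: keeps only the bean name and looks the bean up per call. */
    static class UserDaoProxy implements UserDao, Serializable {
        private static final long serialVersionUID = 1L;
        private final String beanName;
        UserDaoProxy(String beanName) { this.beanName = beanName; }
        public boolean verifyPassword(String userId, String password) {
            UserDao target = CONTEXT.get(beanName);
            if (target == null) throw new IllegalStateException("no bean " + beanName);
            return target.verifyPassword(userId, password);
        }
    }

    /** Validator kept with the page, so it is serialized together with its fields. */
    static class CurrentPasswordValidator implements Serializable {
        private static final long serialVersionUID = 1L;
        private final UserDao userDao;
        private final String userId;
        CurrentPasswordValidator(UserDao userDao, String userId) {
            this.userDao = userDao;
            this.userId = userId;
        }
        /** True only when the submitted value is the user's current password. */
        boolean isValid(String submitted) {
            return submitted != null && userDao.verifyPassword(userId, submitted);
        }
    }

    /** Serializes and deserializes the validator, as happens when a page is stored. */
    static CurrentPasswordValidator roundTrip(CurrentPasswordValidator v)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(v);
        }
        try (ObjectInputStream in =
                new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (CurrentPasswordValidator) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        UserDao real = new ConnectionBackedUserDao();
        CONTEXT.put("userDao", real);
        // Live DAO passed directly: storing the page would fail.
        try {
            roundTrip(new CurrentPasswordValidator(real, "alice"));
            System.out.println("unexpected: live DAO was serialized");
        } catch (NotSerializableException e) {
            System.out.println("live DAO rejected: " + e.getMessage());
        }
        // Serializable handle: the validator survives and still enforces the check.
        CurrentPasswordValidator restored =
                roundTrip(new CurrentPasswordValidator(new UserDaoProxy("userDao"), "alice"));
        System.out.println("correct password accepted: " + restored.isValid("correct horse"));
        System.out.println("wrong password accepted: " + restored.isValid("guess"));
    }
}
```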



Re: How reliable Validators are?

2008-06-06 Thread Patrick Angeles

That doesn't work either... b/c the validator instance has already been
set...

@SpringBean would work, but the Validator will need to manually invoke the
Injector in its own constructor.

Or you can use http://code.google.com/p/salve/ which is what we do.



jwcarman wrote:
> 
> I meant from some other class (a Component) that had the bean
> injected.  That class could then pass its injected dependency into the
> validator's constructor.

-- 
View this message in context: 
http://www.nabble.com/How-reliable-Validators-are--tp17697642p17702421.html
Sent from the Wicket - User mailing list archive at Nabble.com.





Re: How reliable Validators are?

2008-06-06 Thread James Carman
I meant from some other class (a Component) that had the bean
injected.  That class could then pass its injected dependency into the
validator's constructor.

On Fri, Jun 6, 2008 at 3:53 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
> not without manually injecting the validator or making validate an
> inner/anon class so it can access component's fields.
>
> -igor



Re: How reliable Validators are?

2008-06-06 Thread Sven Meier

As I wrote, it's just my personal taste how I would do it:
For a password check usually another component is involved (the user 
name and/or a password retype), so this is no good case for IValidator. 
You could use an IFormValidator, but then you can equally well just put 
the check into onSubmit().


I'm not eager to explain my definition of 'heavy'. Next time I'll just
write a sloppy response about validators working 90% of the time ;).


Sven

Igor Vaynberg wrote:

> what exactly is "heavy" ?
>
> a validator accessing the database? why is that heavy?
>
> it keeps a reference to the object that does the database check? why
> is that heavy? there are plenty of things to make the lookup
> lightweight such as wicket-spring and salve.
>
> what exactly is too heavy about something like a UserNameValidator
> that does everything to validate a username?
>
> -igor




Re: How reliable Validators are?

2008-06-06 Thread Eelco Hillenius
On Fri, Jun 6, 2008 at 1:22 PM, Sergey Podatelev
<[EMAIL PROTECTED]> wrote:
> Well yeah, actually, I'm using Wicket-Spring, so onValidate() takes just
> about two lines:
>
> protected void onValidate(IValidatable validatable) {
>   // ask the DAO whether the entered password matches the stored one
>   if (!((MyApplication) Application.get()).getUserDao().verifyPassword(userId, password)) {
>     error(validatable);
>   }
> }

I think it really doesn't matter much whether you put it in a
validator or directly in onSubmit. If it is something you reuse, put
it in a validator to avoid code validation. Otherwise, do whatever is
best readable. Another consideration is that if you have multiple
validations, it can get ugly to have to put in multiple if/ then
blocks (if validation x fails the set error, else save y kind of
stuff), and validators are a bit nicer in that way because they are
like pluggable checks that block form processing if any of them fails.

Eelco




Re: How reliable Validators are?

2008-06-06 Thread Sergey Podatelev
Well yeah, actually, I'm using Wicket-Spring, so onValidate() takes just
about two lines:

protected void onValidate(IValidatable validatable) {
  // ask the DAO whether the entered password matches the stored one
  if (!((MyApplication) Application.get()).getUserDao().verifyPassword(userId, password)) {
    error(validatable);
  }
}

On Fri, Jun 6, 2008 at 11:52 PM, Igor Vaynberg <[EMAIL PROTECTED]>
wrote:

> what exactly is "heavy" ?
>
> a validator accessing the database? why is that heavy?
>
> it keeps a reference to the object that does the database check? why
> is that heavy? there are plenty of things to make the lookup
> lightweight such as wicket-spring and salve.
>
> what exactly is too heavy about something like a UserNameValidator
> that does everything to validate a username?
>
> -igor


-- 
sp


Re: How reliable Validators are?

2008-06-06 Thread Igor Vaynberg
not without manually injecting the validator or making validate an
inner/anon class so it can access component's fields.

-igor

On Fri, Jun 6, 2008 at 12:46 PM, James Carman
<[EMAIL PROTECTED]> wrote:
> You can, however, pass in an object obtained via injection with the
> @SpringBean annotation.



Re: How reliable Validators are?

2008-06-06 Thread Igor Vaynberg
what exactly is "heavy" ?

a validator accessing the database? why is that heavy?

it keeps a reference to the object that does the database check? why
is that heavy? there are plenty of things to make the lookup
lightweight such as wicket-spring and salve.

what exactly is too heavy about something like a UserNameValidator
that does everything to validate a username?

-igor

On Fri, Jun 6, 2008 at 12:03 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
> The password check will probably require an access to your
> database/ldap/whatever, so your validator will need a reference to some
> singleton objects (service/dao/...).
>
> For my taste this is too heavy for a validator.
>
> Sven



Re: How reliable Validators are?

2008-06-06 Thread James Carman
You can, however, pass in an object obtained via injection with the
@SpringBean annotation.

On Fri, Jun 6, 2008 at 3:42 PM, Patrick Angeles <[EMAIL PROTECTED]> wrote:
>
> Another difference, if you have to do a database roundtrip (which you will
> likely need to verify a password) then the code for the validator is a bit
> more complicated. You have to take into account the fact that this gets
> serialized/deserialized as part of the page so you can't just pass a DB
> connection or hibernate session in the constructor.



Re: How reliable Validators are?

2008-06-06 Thread Patrick Angeles

Another difference, if you have to do a database roundtrip (which you will
likely need to verify a password) then the code for the validator is a bit
more complicated. You have to take into account the fact that this gets
serialized/deserialized as part of the page so you can't just pass a DB
connection or hibernate session in the constructor.



Eelco Hillenius wrote:
> 
>> But can you please explain, why wouldn't you use validator for this?
> 
> I think that's just personal preference. Validators are reusable,
> while putting a check in onSubmit isn't. Whether that matters depends
> on your project and the context you do the check in.
> 
> Eelco

-- 
View this message in context: 
http://www.nabble.com/How-reliable-Validators-are--tp17697642p17699825.html
Sent from the Wicket - User mailing list archive at Nabble.com.





Re: How reliable Validators are?

2008-06-06 Thread Sven Meier
The password check will probably require an access to your 
database/ldap/whatever, so your validator will need a reference to some 
singleton objects (service/dao/...).


For my taste this is too heavy for a validator.

Sven

Sergey Podatelev wrote:

> Okay, that is something I expected.
> But can you please explain, why wouldn't you use validator for this?
> It seems to be a good way to encapsulate certain functionality and if it
> can't be bypassed, there're no security issues also.
> Still, you'd use a check in onSubmit().
>
> I'm just trying to understand if I may be missing something here :)




Re: How reliable Validators are?

2008-06-06 Thread Sergey Podatelev
I agree, not only are they useless, they are also pretty boring, I mean no
potential flaws or unlocked doors you have to worry about.
I'm glad there's finally a framework that doesn't eliminate the fun of
dealing with unpredictability of its components.

I'm sorry though if the stupidity of my question bothered you.


On Fri, Jun 6, 2008 at 10:03 PM, Igor Vaynberg <[EMAIL PROTECTED]>
wrote:

> wicket validators have been designed to work up to 90% of the time.
> there is a heuristic that determines when the validator should stop
> the form from submitting and when not. we find that validators that
> work 100% of the time are just not as useful.
>
> -igor


-- 
sp


Re: How reliable Validators are?

2008-06-06 Thread Eelco Hillenius
> But can you please explain, why wouldn't you use validator for this?

I think that's just personal preference. Validators are reusable,
while putting a check in onSubmit isn't. Whether that matters depends
on your project and the context you do the check in.

Eelco




Re: How reliable Validators are?

2008-06-06 Thread Igor Vaynberg
wicket validators have been designed to work up to 90% of the time.
there is a heuristic that determines when the validator should stop
the form from submitting and when not. we find that validators that
work 100% of the time are just not as useful.

-igor

On Fri, Jun 6, 2008 at 10:35 AM, Sergey Podatelev
<[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm wondering, how safe is it to use a custom validator to check current
> password of the logged-in user, when he wants to change his password (say,
> on a profile page)?
> Are there any potential security issues that can allow user to pass a
> validation?
>
> --
> sp
>




Re: How reliable Validators are?

2008-06-06 Thread Sergey Podatelev
Okay, that is something I expected.
But can you please explain, why wouldn't you use validator for this?
It seems to be a good way to encapsulate certain functionality and if it
can't be bypassed, there're no security issues also.
Still, you'd use a check in onSubmit().

I'm just trying to understand if I may be missing something here :)

On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote:

> Well, if your validator doesn't approve the entered password your form will
> never accept the submit.
> There's no way to bypass the validation.
>
> I'd prefer to check a password in onSubmit() though - but YMMV.
>
> Sven


-- 
sp


Re: How reliable Validators are?

2008-06-06 Thread Sven Meier
Well, if your validator doesn't approve the entered password your form 
will never accept the submit.

There's no way to bypass the validation.

I'd prefer to check a password in onSubmit() though - but YMMV.

Sven

Sergey Podatelev wrote:

> Hello,
>
> I'm wondering, how safe is it to use a custom validator to check current
> password of the logged-in user, when he wants to change his password (say,
> on a profile page)?
> Are there any potential security issues that can allow user to pass a
> validation?

  


