Re: How reliable Validators are?
You would be inside the constructor of a page (or component) when you
instantiate the validator (presumably). That page (or component) could
have a @SpringBean injected into it. Then, it can pass that injected
reference into the constructor of the validator.

On Fri, Jun 6, 2008 at 6:31 PM, Patrick Angeles <[EMAIL PROTECTED]> wrote:
>
> That doesn't work either... b/c the validator instance has already been
> set...
>
> @SpringBean would work, but the Validator will need to manually invoke the
> Injector in its own constructor.
>
> Or you can use http://code.google.com/p/salve/ which is what we do.
>
> jwcarman wrote:
>>
>> I meant from some other class (a Component) that had the bean
>> injected. That class could then pass its injected dependency into the
>> validator's constructor.
>>
>> On Fri, Jun 6, 2008 at 3:53 PM, Igor Vaynberg <[EMAIL PROTECTED]>
>> wrote:
>>> not without manually injecting the validator or making validate an
>>> inner/anon class so it can access component's fields.
>>>
>>> -igor
>>>
>>> On Fri, Jun 6, 2008 at 12:46 PM, James Carman
>>> <[EMAIL PROTECTED]> wrote:
>>>> You can, however, pass in an object obtained via injection with the
>>>> @SpringBean annotation.
>>>>
>>>> On Fri, Jun 6, 2008 at 3:42 PM, Patrick Angeles <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>> Another difference, if you have to do a database roundtrip (which you
>>>>> will likely need to verify a password) then the code for the validator
>>>>> is a bit more complicated. You have to take into account the fact that
>>>>> this gets serialized/deserialized as part of the page so you can't just
>>>>> pass a DB connection or hibernate session in the constructor.
>>>>>
>>>>> Eelco Hillenius wrote:
>>>>>>
>>>>>>> But can you please explain, why wouldn't you use validator for this?
>>>>>>
>>>>>> I think that's just personal preference. Validators are reusable,
>>>>>> while putting a check in onSubmit isn't. Whether that matters depends
>>>>>> on your project and the context you do the check in.
>>>>>>
>>>>>> Eelco

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: How reliable Validators are?
That doesn't work either... b/c the validator instance has already been
set...

@SpringBean would work, but the Validator will need to manually invoke the
Injector in its own constructor.

Or you can use http://code.google.com/p/salve/ which is what we do.

jwcarman wrote:
>
> I meant from some other class (a Component) that had the bean
> injected. That class could then pass its injected dependency into the
> validator's constructor.
>
> On Fri, Jun 6, 2008 at 3:53 PM, Igor Vaynberg <[EMAIL PROTECTED]>
> wrote:
>> not without manually injecting the validator or making validate an
>> inner/anon class so it can access component's fields.
>>
>> -igor
>>
>> On Fri, Jun 6, 2008 at 12:46 PM, James Carman
>> <[EMAIL PROTECTED]> wrote:
>>> You can, however, pass in an object obtained via injection with the
>>> @SpringBean annotation.
>>>
>>> On Fri, Jun 6, 2008 at 3:42 PM, Patrick Angeles <[EMAIL PROTECTED]>
>>> wrote:
>>>> Another difference, if you have to do a database roundtrip (which you
>>>> will likely need to verify a password) then the code for the validator
>>>> is a bit more complicated. You have to take into account the fact that
>>>> this gets serialized/deserialized as part of the page so you can't just
>>>> pass a DB connection or hibernate session in the constructor.
>>>>
>>>> Eelco Hillenius wrote:
>>>>>
>>>>>> But can you please explain, why wouldn't you use validator for this?
>>>>>
>>>>> I think that's just personal preference. Validators are reusable,
>>>>> while putting a check in onSubmit isn't. Whether that matters depends
>>>>> on your project and the context you do the check in.
>>>>>
>>>>> Eelco

--
View this message in context: http://www.nabble.com/How-reliable-Validators-are--tp17697642p17702421.html
Sent from the Wicket - User mailing list archive at Nabble.com.

Re: How reliable Validators are?
I meant from some other class (a Component) that had the bean injected.
That class could then pass its injected dependency into the validator's
constructor.

On Fri, Jun 6, 2008 at 3:53 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
> not without manually injecting the validator or making validate an
> inner/anon class so it can access component's fields.
>
> -igor
>
> On Fri, Jun 6, 2008 at 12:46 PM, James Carman
> <[EMAIL PROTECTED]> wrote:
>> You can, however, pass in an object obtained via injection with the
>> @SpringBean annotation.
>>
>> On Fri, Jun 6, 2008 at 3:42 PM, Patrick Angeles <[EMAIL PROTECTED]> wrote:
>>>
>>> Another difference, if you have to do a database roundtrip (which you will
>>> likely need to verify a password) then the code for the validator is a bit
>>> more complicated. You have to take into account the fact that this gets
>>> serialized/deserialized as part of the page so you can't just pass a DB
>>> connection or hibernate session in the constructor.
>>>
>>> Eelco Hillenius wrote:
>>>>
>>>>> But can you please explain, why wouldn't you use validator for this?
>>>>
>>>> I think that's just personal preference. Validators are reusable,
>>>> while putting a check in onSubmit isn't. Whether that matters depends
>>>> on your project and the context you do the check in.
>>>>
>>>> Eelco

Re: How reliable Validators are?
As I wrote, it's just my personal taste how I would do it:

For a password check usually another component is involved (the user name
and/or a password retype), so this is no good case for IValidator.
You could use an IFormValidator, but then you can equally well just put
the check into onSubmit().

I'm not eager to explain my definition of 'heavy'. Next time I'll just
write a sloppy response about validators working 90% of the time ;).

Sven

Igor Vaynberg wrote:
> what exactly is "heavy" ?
>
> a validator accessing the database? why is that heavy?
>
> it keeps a reference to the object that does the database check? why
> is that heavy? there are plenty of things to make the lookup
> lightweight such as wicket-spring and salve.
>
> what exactly is too heavy about something like a UserNameValidator
> that does everything to validate a username?
>
> -igor
>
> On Fri, Jun 6, 2008 at 12:03 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
>> The password check will probably require an access to your
>> database/ldap/whatever, so your validator will need a reference to some
>> singleton objects (service/dao/...).
>>
>> For my taste this is too heavy for a validator.
>>
>> Sven
>>
>> Sergey Podatelev wrote:
>>> Okay, that is something I expected.
>>> But can you please explain, why wouldn't you use validator for this?
>>> It seems to be a good way to encapsulate certain functionality and if it
>>> can't be bypassed, there're no security issues also.
>>> Still, you'd use a check in onSubmit().
>>>
>>> I'm just trying to understand if I may be missing something here :)
>>>
>>> On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
>>>> Well, if your validator doesn't approve the entered password your form
>>>> will never accept the submit.
>>>> There's no way to bypass the validation.
>>>>
>>>> I'd prefer to check a password in onSubmit() though - but YMMV.
>>>>
>>>> Sven
>>>>
>>>> Sergey Podatelev wrote:
>>>>> Hello,
>>>>>
>>>>> I'm wondering, how safe is it to use a custom validator to check
>>>>> current password of the logged-in user, when he wants to change his
>>>>> password (say, on a profile page)?
>>>>> Are there any potential security issues that can allow user to pass
>>>>> a validation?

Re: How reliable Validators are?
On Fri, Jun 6, 2008 at 1:22 PM, Sergey Podatelev <[EMAIL PROTECTED]> wrote:
> Well yeah, actually, I'm using Wicket-Spring, so onValidate() takes just
> about two lines:
>
>     protected void onValidate(IValidatable validatable) {
>         if (((MyApplication) Application.get()).getUserDao().verifyPassword(userId, password) == false) {
>             error(validatable);
>         }
>     }

I think it really doesn't matter much whether you put it in a
validator or directly in onSubmit. If it is something you reuse, put
it in a validator to avoid code validation. Otherwise, do whatever is
best readable. Another consideration is that if you have multiple
validations, it can get ugly to have to put in multiple if/then
blocks (if validation x fails then set error, else save y kind of
stuff), and validators are a bit nicer in that way because they are
like pluggable checks that block form processing if any of them fails.

Eelco

Re: How reliable Validators are?
Well yeah, actually, I'm using Wicket-Spring, so onValidate() takes just
about two lines:

    protected void onValidate(IValidatable validatable) {
        // Register a validation error when the DAO does not confirm the password
        if (((MyApplication) Application.get()).getUserDao().verifyPassword(userId, password) == false) {
            error(validatable);
        }
    }

On Fri, Jun 6, 2008 at 11:52 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
> what exactly is "heavy" ?
>
> a validator accessing the database? why is that heavy?
>
> it keeps a reference to the object that does the database check? why
> is that heavy? there are plenty of things to make the lookup
> lightweight such as wicket-spring and salve.
>
> what exactly is too heavy about something like a UserNameValidator
> that does everything to validate a username?
>
> -igor
>
> On Fri, Jun 6, 2008 at 12:03 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
> > The password check will probably require an access to your
> > database/ldap/whatever, so your validator will need a reference to some
> > singleton objects (service/dao/...).
> >
> > For my taste this is too heavy for a validator.
> >
> > Sven
> >
> > Sergey Podatelev wrote:
> >>
> >> Okay, that is something I expected.
> >> But can you please explain, why wouldn't you use validator for this?
> >> It seems to be a good way to encapsulate certain functionality and if it
> >> can't be bypassed, there're no security issues also.
> >> Still, you'd use a check in onSubmit().
> >>
> >> I'm just trying to understand if I may be missing something here :)
> >>
> >> On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
> >>>
> >>> Well, if your validator doesn't approve the entered password your form
> >>> will never accept the submit.
> >>> There's no way to bypass the validation.
> >>>
> >>> I'd prefer to check a password in onSubmit() though - but YMMV.
> >>>
> >>> Sven
> >>>
> >>> Sergey Podatelev wrote:
> >>>> Hello,
> >>>>
> >>>> I'm wondering, how safe is it to use a custom validator to check
> >>>> current password of the logged-in user, when he wants to change his
> >>>> password (say, on a profile page)?
> >>>> Are there any potential security issues that can allow user to pass
> >>>> a validation?

--
sp

Re: How reliable Validators are?
not without manually injecting the validator or making validate an
inner/anon class so it can access component's fields.

-igor

On Fri, Jun 6, 2008 at 12:46 PM, James Carman <[EMAIL PROTECTED]> wrote:
> You can, however, pass in an object obtained via injection with the
> @SpringBean annotation.
>
> On Fri, Jun 6, 2008 at 3:42 PM, Patrick Angeles <[EMAIL PROTECTED]> wrote:
>>
>> Another difference, if you have to do a database roundtrip (which you will
>> likely need to verify a password) then the code for the validator is a bit
>> more complicated. You have to take into account the fact that this gets
>> serialized/deserialized as part of the page so you can't just pass a DB
>> connection or hibernate session in the constructor.
>>
>> Eelco Hillenius wrote:
>>>> But can you please explain, why wouldn't you use validator for this?
>>>
>>> I think that's just personal preference. Validators are reusable,
>>> while putting a check in onSubmit isn't. Whether that matters depends
>>> on your project and the context you do the check in.
>>>
>>> Eelco

Re: How reliable Validators are?
what exactly is "heavy" ?

a validator accessing the database? why is that heavy?

it keeps a reference to the object that does the database check? why
is that heavy? there are plenty of things to make the lookup
lightweight such as wicket-spring and salve.

what exactly is too heavy about something like a UserNameValidator
that does everything to validate a username?

-igor

On Fri, Jun 6, 2008 at 12:03 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
> The password check will probably require an access to your
> database/ldap/whatever, so your validator will need a reference to some
> singleton objects (service/dao/...).
>
> For my taste this is too heavy for a validator.
>
> Sven
>
> Sergey Podatelev wrote:
>>
>> Okay, that is something I expected.
>> But can you please explain, why wouldn't you use validator for this?
>> It seems to be a good way to encapsulate certain functionality and if it
>> can't be bypassed, there're no security issues also.
>> Still, you'd use a check in onSubmit().
>>
>> I'm just trying to understand if I may be missing something here :)
>>
>> On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
>>>
>>> Well, if your validator doesn't approve the entered password your form
>>> will never accept the submit.
>>> There's no way to bypass the validation.
>>>
>>> I'd prefer to check a password in onSubmit() though - but YMMV.
>>>
>>> Sven
>>>
>>> Sergey Podatelev wrote:
>>>> Hello,
>>>>
>>>> I'm wondering, how safe is it to use a custom validator to check
>>>> current password of the logged-in user, when he wants to change his
>>>> password (say, on a profile page)?
>>>> Are there any potential security issues that can allow user to pass
>>>> a validation?

Re: How reliable Validators are?
You can, however, pass in an object obtained via injection with the
@SpringBean annotation.

On Fri, Jun 6, 2008 at 3:42 PM, Patrick Angeles <[EMAIL PROTECTED]> wrote:
>
> Another difference, if you have to do a database roundtrip (which you will
> likely need to verify a password) then the code for the validator is a bit
> more complicated. You have to take into account the fact that this gets
> serialized/deserialized as part of the page so you can't just pass a DB
> connection or hibernate session in the constructor.
>
> Eelco Hillenius wrote:
>>
>>> But can you please explain, why wouldn't you use validator for this?
>>
>> I think that's just personal preference. Validators are reusable,
>> while putting a check in onSubmit isn't. Whether that matters depends
>> on your project and the context you do the check in.
>>
>> Eelco

Re: How reliable Validators are?
Another difference, if you have to do a database roundtrip (which you will
likely need to verify a password) then the code for the validator is a bit
more complicated. You have to take into account the fact that this gets
serialized/deserialized as part of the page so you can't just pass a DB
connection or hibernate session in the constructor.

Eelco Hillenius wrote:
>
>> But can you please explain, why wouldn't you use validator for this?
>
> I think that's just personal preference. Validators are reusable,
> while putting a check in onSubmit isn't. Whether that matters depends
> on your project and the context you do the check in.
>
> Eelco

--
View this message in context: http://www.nabble.com/How-reliable-Validators-are--tp17697642p17699825.html
Sent from the Wicket - User mailing list archive at Nabble.com.

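[Added example, not part of the thread and not Wicket or wicket-spring code.] A plain-JDK demonstration of the constraint raised in the message above: a validator is serialized together with its page, so one that holds its DAO directly fails, while one that holds only a serializable lookup handle survives and still performs the password check. The handle plays the role of the reference a page obtains through @SpringBean and passes to the validator's constructor, as suggested in the replies; every class name, the bean name "userDao", the sample credentials and the CONTEXT registry (a stand-in for the Spring context) are assumptions made for this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ValidatorSerializationDemo {
    /** Hypothetical DAO; verifyPassword mirrors the call quoted in the thread. */
    interface UserDao { boolean verifyPassword(String userId, String password); }

    /** Constructed stand-in for a DAO bound to a live connection: not Serializable. */
    static class LiveUserDao implements UserDao {
        private final Object connection = new Object(); // stands in for a DB connection
        public boolean verifyPassword(String userId, String password) {
            // Constructed data; a real DAO checks a salted password hash.
            byte[] expected = "correct horse".getBytes(StandardCharsets.UTF_8);
            return "alice".equals(userId)
                && MessageDigest.isEqual(expected, password.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Stand-in for the Spring context; lives in the JVM, never inside a page. */
    static final Map<String, UserDao> CONTEXT = new ConcurrentHashMap<>();

    /** Serializable handle that stores only a bean name and resolves it on each use. */
    static class DaoLocator implements Serializable {
        private final String beanName;
        DaoLocator(String beanName) { this.beanName = beanName; }
        UserDao get() {
            UserDao dao = CONTEXT.get(beanName);
            if (dao == null) throw new IllegalStateException("no bean named " + beanName);
            return dao;
        }
    }

    /** Holds the DAO itself, so serializing the owning page fails. */
    static class DirectValidator implements Serializable {
        private final UserDao dao;
        DirectValidator(UserDao dao) { this.dao = dao; }
        boolean validate(String userId, String password) { return dao.verifyPassword(userId, password); }
    }

    /** Holds only the handle; missing input fails validation instead of throwing. */
    static class LocatingValidator implements Serializable {
        private final DaoLocator locator;
        LocatingValidator(DaoLocator locator) { this.locator = locator; }
        boolean validate(String userId, String password) {
            return userId != null && password != null && locator.get().verifyPassword(userId, password);
        }
    }

    /** Serializes and deserializes an object, as happens to a stored page. */
    static Object roundTrip(Serializable obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(obj); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        CONTEXT.put("userDao", new LiveUserDao());
        try {
            roundTrip(new DirectValidator(CONTEXT.get("userDao")));
            System.out.println("direct DAO reference: serialized");
        } catch (NotSerializableException e) {
            System.out.println("direct DAO reference: not serializable: " + e.getMessage());
        }
        LocatingValidator v = (LocatingValidator) roundTrip(new LocatingValidator(new DaoLocator("userDao")));
        System.out.println("correct password accepted: " + v.validate("alice", "correct horse"));
        System.out.println("wrong password accepted: " + v.validate("alice", "guess"));
    }
}
```
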
Re: How reliable Validators are?
The password check will probably require an access to your
database/ldap/whatever, so your validator will need a reference to some
singleton objects (service/dao/...).

For my taste this is too heavy for a validator.

Sven

Sergey Podatelev wrote:
> Okay, that is something I expected.
> But can you please explain, why wouldn't you use validator for this?
> It seems to be a good way to encapsulate certain functionality and if it
> can't be bypassed, there're no security issues also.
> Still, you'd use a check in onSubmit().
>
> I'm just trying to understand if I may be missing something here :)
>
> On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
>> Well, if your validator doesn't approve the entered password your form
>> will never accept the submit.
>> There's no way to bypass the validation.
>>
>> I'd prefer to check a password in onSubmit() though - but YMMV.
>>
>> Sven
>>
>> Sergey Podatelev wrote:
>>> Hello,
>>>
>>> I'm wondering, how safe is it to use a custom validator to check
>>> current password of the logged-in user, when he wants to change his
>>> password (say, on a profile page)?
>>> Are there any potential security issues that can allow user to pass
>>> a validation?

Re: How reliable Validators are?
I agree, not only they are useless, they are also pretty boring, I mean no
potential flaws or unlocked doors you have to worry about.
I'm glad there's finally a framework that doesn't eliminate the fun of
dealing with unpredictability of its components.

I'm sorry though if the stupidity of my question bothered you.

On Fri, Jun 6, 2008 at 10:03 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
> wicket validators have been designed to work up to 90% of the time.
> there is a heuristic that determines when the validator should stop
> the form from submitting and when not. we find that validators that
> work 100% of the time are just not as useful.
>
> -igor
>
> On Fri, Jun 6, 2008 at 10:35 AM, Sergey Podatelev
> <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > I'm wondering, how safe is it to use a custom validator to check current
> > password of the logged-in user, when he wants to change his password
> > (say, on a profile page)?
> > Are there any potential security issues that can allow user to pass a
> > validation?
> >
> > --
> > sp

--
sp

Re: How reliable Validators are?
> But can you please explain, why wouldn't you use validator for this?

I think that's just personal preference. Validators are reusable,
while putting a check in onSubmit isn't. Whether that matters depends
on your project and the context you do the check in.

Eelco

Re: How reliable Validators are?
wicket validators have been designed to work up to 90% of the time.
there is a heuristic that determines when the validator should stop
the form from submitting and when not. we find that validators that
work 100% of the time are just not as useful.

-igor

On Fri, Jun 6, 2008 at 10:35 AM, Sergey Podatelev <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm wondering, how safe is it to use a custom validator to check current
> password of the logged-in user, when he wants to change his password (say,
> on a profile page)?
> Are there any potential security issues that can allow user to pass a
> validation?
>
> --
> sp

Re: How reliable Validators are?
Okay, that is something I expected.
But can you please explain, why wouldn't you use validator for this?
It seems to be a good way to encapsulate certain functionality and if it
can't be bypassed, there're no security issues also.
Still, you'd use a check in onSubmit().

I'm just trying to understand if I may be missing something here :)

On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
> Well, if your validator doesn't approve the entered password your form will
> never accept the submit.
> There's no way to bypass the validation.
>
> I'd prefer to check a password in onSubmit() though - but YMMV.
>
> Sven
>
> Sergey Podatelev wrote:
>> Hello,
>>
>> I'm wondering, how safe is it to use a custom validator to check current
>> password of the logged-in user, when he wants to change his password (say,
>> on a profile page)?
>> Are there any potential security issues that can allow user to pass a
>> validation?

--
sp

Re: How reliable Validators are?
Well, if your validator doesn't approve the entered password your form will
never accept the submit.
There's no way to bypass the validation.

I'd prefer to check a password in onSubmit() though - but YMMV.

Sven

Sergey Podatelev wrote:
> Hello,
>
> I'm wondering, how safe is it to use a custom validator to check current
> password of the logged-in user, when he wants to change his password (say,
> on a profile page)?
> Are there any potential security issues that can allow user to pass a
> validation?