Re: Generate markup for hidden framework form field?

2009-06-13 Thread Uwe Schäfer

janneru wrote:

> i also just found a similar one by uwe schaefer:
> http://www.codesmell.org/blog/2008/12/wicket-secureform/
> cheers uwe.

note that it is just a copy of what mighty igor posted here :)
i'm using it in production a lot. thx again, igor.

cu uwe



-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Generate markup for hidden framework form field?

2009-05-29 Thread janneru
thx jörn for sharing ur solution!
i also just found a similar one by uwe schaefer:
http://www.codesmell.org/blog/2008/12/wicket-secureform/

cheers uwe.


Re: Generate markup for hidden framework form field?

2009-05-26 Thread Jörn Zaefferer
How is that going to fix the problem? I'd end up with markup, but no
behaviour on top of it.

Jörn




Re: Generate markup for hidden framework form field?

2009-05-26 Thread Maarten Bosteels
When you write it out with oncomponenttagbody it's not part of the
component hierarchy, it's just rendered markup.
Once the form is submitted, you can retrieve the value using the servlet
API.
What behavior would you want to add on top?

Maarten






Re: Generate markup for hidden framework form field?

2009-05-26 Thread Jörn Zaefferer
The current component (the HiddenField) checks that the same value
that it started with is submitted. I'll try to replace that using a
form validator that reads the parameter directly.

Thanks
Jörn




Re: Generate markup for hidden framework form field?

2009-05-26 Thread Jörn Zaefferer
Thanks guys! The end result looks like this, works fine, and removed a
lot of html boilerplate from our templates:

public SecureForm(String id, IModel<T> model) {
    super(id, model);
    setMarkupId(id);
    // Form-level validator: the hidden field is plain markup, so the
    // submitted value is read straight from the request parameters.
    add(new IFormValidator() {
        @Override
        public void validate(Form<?> form) {
            String submitted = getRequest().getParameter("csrf-protection");
            // Only enforced in deployment mode.
            if (Application.get().getConfigurationType().equals(Application.DEPLOYMENT)
                    && !csrfProtection().equals(submitted)) {
                log.warn("potential csrf attack, submitted value: " + submitted
                        + ", expected: " + csrfProtection());
                form.error("wrong csrf protection cookie");
            }
        }

        @Override
        public FormComponent<?>[] getDependentFormComponents() {
            return null;
        }
    });
}

@Override
protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
    // Write the hidden input as the first child of the form tag.
    getResponse().write(new AppendingStringBuffer(
            "<input type=\"hidden\" name=\"csrf-protection\" value=\"")
            .append(csrfProtection()).append("\" />"));
    super.onComponentTagBody(markupStream, openTag);
}

Jörn
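
An added example, not code from this thread or from Wicket: a framework-independent sketch of the token handling behind a form like the SecureForm above, with a random token, a comparison that fails closed regardless of configuration mode, an escaped hidden input, and a log line that does not disclose the expected token. The class CsrfToken and its method names are hypothetical, and it assumes the token is created once and stored in the user's session; only the field name csrf-protection comes from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example: CsrfToken and its methods are hypothetical names, not Wicket API.
public final class CsrfToken {
    // Field name taken from the thread.
    public static final String FIELD = "csrf-protection";
    private static final SecureRandom RNG = new SecureRandom();

    private CsrfToken() {
    }

    // 256 bits from a CSPRNG; assumed to be created once and kept in the session.
    public static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Fails closed on a missing parameter and compares the bytes without
    // stopping at the first mismatch, unlike String.equals.
    public static boolean matches(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    // Escape for a double-quoted HTML attribute so the markup stays well-formed
    // even if the token source ever changes to something not URL-safe.
    static String escapeAttribute(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Markup for the hidden field that the form writes into its tag body.
    public static String hiddenInput(String token) {
        return "<input type=\"hidden\" name=\"" + FIELD + "\" value=\""
                + escapeAttribute(token) + "\" />";
    }

    // Log line for a rejected submit: records that a mismatch happened and the
    // submitted length, never the expected token or the raw submitted value.
    public static String rejectionLogLine(String submitted) {
        String shape = submitted == null ? "missing" : "length " + submitted.length();
        return "csrf token mismatch on form submit, submitted value: " + shape;
    }

    public static void main(String[] args) {
        String sessionToken = newToken();
        System.out.println(hiddenInput(sessionToken));

        // Constructed sample submissions: correct, missing, and altered.
        String[] submissions = { sessionToken, null, sessionToken + "x" };
        for (String submitted : submissions) {
            if (matches(sessionToken, submitted)) {
                System.out.println("accepted");
            } else {
                System.out.println("rejected: " + rejectionLogLine(submitted));
            }
        }
    }
}
```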


Generate markup for hidden framework form field?

2009-05-25 Thread Jörn Zaefferer
Hi,

my application uses a form subclass everywhere for CSRF protection.
Each form needs a hidden field like this: <input type="hidden"
wicket:id="csrf-protection" />
The wicket component for that is added by the form subclass
(SecureForm) which all other forms in the application extend.

Currently each form has to include that markup somewhere, producing a
lot of duplication.

I'm looking for a way to get rid of that duplication. An approach I'm
currently investigating is to generate the markup, similar to how Form
generates a hidden input in its onComponentTagBody:

@Override
protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
    // Look up the child component to reuse its id as the field name.
    String nameAndId = get("csrf-protection").getId();
    AppendingStringBuffer buffer = new AppendingStringBuffer(
            "<input type=\"hidden\" name=\"").append(nameAndId).append("\" />");
    getResponse().write(buffer);
    super.onComponentTagBody(markupStream, openTag);
}

That doesn't work, Wicket throws an exception of a missing reference
in markup anyway. Likely because this just writes to the response, not
extending the markup.
I also don't see any way to achieve this via MarkupStream or ComponentTag.

Any ideas?

Regards
Jörn Zaefferer




Re: Generate markup for hidden framework form field?

2009-05-25 Thread Igor Vaynberg
if you write it out in oncomponenttagbody then you don't need it in the
markup anymore.

-igor




Re: Generate markup for hidden framework form field?

2009-05-25 Thread Jörn Zaefferer
That was the idea. But Wicket still can't find the component markup
when looking for it. The form adds this elsewhere:

add(new HiddenField<String>("csrf-protection",
        new Model<String>(csrfProtection())).setRequired(true).add(
        new IValidator<String>() {
    public void validate(IValidatable<String> validatable) {
        log.warn("potential csrf attack, submitted value: "
                + validatable.getValue() + ", expected: " + csrfProtection());
        validatable.error(new ValidationError().setMessage(
                "wrong csrf protection cookie"));
    }
}));

Jörn




Re: Generate markup for hidden framework form field?

2009-05-25 Thread Igor Vaynberg
right, so remove that code since you have replaced that component with
pure markup.

-igor
