The password check will probably require an access to your
database/ldap/whatever, so your validator will need a reference to some
singleton objects (service/dao/...).
For my taste this is too heavy for a validator.
Sven
Sergey Podatelev schrieb:
Okay, that is something I expected.
But can you please explain, why wouldn't you use validator for this?
It seems to be a good way to encapsulate certain functionality and if it
can't be bypassed, there're no security issues also.
Still, you'd use a check in onSubmit().
I'm just trying to understand if I maybe missing something here :)
On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
Well, if your validator doesn't approve the entered password your form will
never accept the submit.
There's no way to bypass the validation.
I'd prefer to check a password in onSubmit() though - but YMMW.
Sven
Sergey Podatelev schrieb:
Hello,
I'm wondering, how safe is it to use a custom validator to check current
password of the logged-in user, when he wants to change his password (say,
on a profile page)?
Are there are any potential security issues that can allow user to pass a
validation?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]