what exactly is "heavy"? a validator accessing the database? why is that heavy?
it keeps a reference to the object that does the database check? why is that heavy? there are plenty of things to make the lookup lightweight such as wicket-spring and salve. what exactly is too heavy about something like a UserNameValidator that does everything to validate a username?

-igor

On Fri, Jun 6, 2008 at 12:03 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
> The password check will probably require an access to your
> database/ldap/whatever, so your validator will need a reference to some
> singleton objects (service/dao/...).
>
> For my taste this is too heavy for a validator.
>
> Sven
>
> Sergey Podatelev wrote:
>>
>> Okay, that is something I expected.
>> But can you please explain, why wouldn't you use validator for this?
>> It seems to be a good way to encapsulate certain functionality and if it
>> can't be bypassed, there're no security issues also.
>> Still, you'd use a check in onSubmit().
>>
>> I'm just trying to understand if I may be missing something here :)
>>
>> On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
>>
>>> Well, if your validator doesn't approve the entered password your form will
>>> never accept the submit.
>>> There's no way to bypass the validation.
>>>
>>> I'd prefer to check a password in onSubmit() though - but YMMV.
>>>
>>> Sven
>>>
>>> Sergey Podatelev wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm wondering, how safe is it to use a custom validator to check current
>>>> password of the logged-in user, when he wants to change his password (say,
>>>> on a profile page)?
>>>> Are there any potential security issues that can allow user to pass a
>>>> validation?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
