Well yeah, actually, I'm using Wicket-Spring, so onValidate() takes just
about two lines:
protected void onValidate(IValidatable validatable) {
    // Report a validation error when the DAO does not confirm the password
    if (!((MyApplication) Application.get()).getUserDao().verifyPassword(userId, password)) {
        error(validatable);
    }
}
On Fri, Jun 6, 2008 at 11:52 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
> what exactly is "heavy" ?
>
> a validator accessing the database? why is that heavy?
>
> it keeps a reference to the object that does the database check? why
> is that heavy? there are plenty of things to make the lookup
> lightweight such as wicket-spring and salve.
>
> what exactly is too heavy about something like a UserNameValidator
> that does everything to validate a username?
>
> -igor
>
> On Fri, Jun 6, 2008 at 12:03 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
> > The password check will probably require an access to your
> > database/ldap/whatever, so your validator will need a reference to some
> > singleton objects (service/dao/...).
> >
> > For my taste this is too heavy for a validator.
> >
> > Sven
> >
> > Sergey Podatelev wrote:
> >>
> >> Okay, that is something I expected.
> >> But can you please explain, why wouldn't you use validator for this?
> >> It seems to be a good way to encapsulate certain functionality and if it
> >> can't be bypassed, there're no security issues also.
> >> Still, you'd use a check in onSubmit().
> >>
> >> I'm just trying to understand if I may be missing something here :)
> >>
> >> On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote:
> >>
> >>> Well, if your validator doesn't approve the entered password your form will
> >>> never accept the submit.
> >>> There's no way to bypass the validation.
> >>>
> >>> I'd prefer to check a password in onSubmit() though - but YMMV.
> >>>
> >>> Sven
> >>>
> >>> Sergey Podatelev wrote:
> >>>
> >>>> Hello,
> >>>>
> >>>> I'm wondering, how safe is it to use a custom validator to check current
> >>>> password of the logged-in user, when he wants to change his password
> >>>> (say, on a profile page)?
> >>>> Are there any potential security issues that can allow user to pass
> >>>> a validation?
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>> For additional commands, e-mail: [EMAIL PROTECTED]
--
sp