Ajax requests, like non-bookmarkable links within Wicket, are inherently secure through the fact that they are session-relative. That is, unless you specifically try to make it less secure, it is secure by default in that I cannot just twiddle with an ID field in the request URL to edit an entity with a different ID.
However, many ajax requests may submit form data. And, of course, all such data DOES need to be checked, which should be accomplished automatically if you have added validation to your form fields. Again, the URL is session-relative, and can't be emailed to someone else for them to use or fiddled with to create an unexpected request. But the data itself that is submitted must always be verified.

--
Jeremy Thomerson
http://www.wickettraining.com

On Thu, May 7, 2009 at 5:22 PM, Douglas Ferguson <[email protected]> wrote:
> It just dawned on me that most users will protect their url parameters to
> make sure that end users can't fiddle with parameters and see inappropriate
> data. However, is it conceivable to issue ajax requests to get an app to do
> something it shouldn't?
>
> If so, any tips on how to build a request that would cause an ajax response?
> Is it important to protect all ajax calls?
>
> Douglas
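The following is an added example, not code posted in this thread, showing what the advice above looks like in a Wicket page: the page is created with its entity in the constructor (so it is stateful and its Ajax URLs resolve through the session, not through a URL parameter), the field validators run on every submit whether it arrives by Ajax or as a full-page POST, and the submit handler still checks the data itself before writing. It assumes the Wicket 1.4-era API (AjaxRequestTarget.addComponent, renamed to add in 1.5); Item, currentUserId() and saveItem() are hypothetical stand-ins, as is the ownership rule enforced in onSubmit.

```java
// Added example (not from the thread). Markup assumed for this page:
//   <div wicket:id="feedback"></div>
//   <form wicket:id="form">
//     <input wicket:id="title" type="text"/>
//     <input wicket:id="quantity" type="text"/>
//     <input wicket:id="save" type="submit" value="Save"/>
//   </form>
import java.io.Serializable;

import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.markup.html.form.AjaxButton;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.CompoundPropertyModel;
import org.apache.wicket.validation.validator.RangeValidator;
import org.apache.wicket.validation.validator.StringValidator;

public class EditItemPage extends WebPage {

    /** Hypothetical entity being edited; ownerId says who may change it. */
    public static class Item implements Serializable {
        private final String ownerId;
        private String title;
        private Integer quantity;
        public Item(String ownerId) { this.ownerId = ownerId; }
        public String getOwnerId() { return ownerId; }
        public String getTitle() { return title; }
        public void setTitle(String t) { title = t; }
        public Integer getQuantity() { return quantity; }
        public void setQuantity(Integer q) { quantity = q; }
    }

    // The item arrives via the constructor, not a URL parameter: the page is
    // stateful and the Ajax callback URLs point at this page instance in the
    // caller's session, so another user cannot retarget them at a different id.
    public EditItemPage(final Item item) {
        final FeedbackPanel feedback = new FeedbackPanel("feedback");
        feedback.setOutputMarkupId(true);   // required so Ajax can repaint it
        add(feedback);

        // CompoundPropertyModel binds each component id to a bean property.
        Form<Item> form = new Form<Item>("form", new CompoundPropertyModel<Item>(item));
        add(form);

        // Validators attached to the fields run on every submit, Ajax or not.
        // A hand-built Ajax POST with a 5000-character title or quantity=-1
        // fails validation and never reaches onSubmit.
        TextField<String> title = new TextField<String>("title");
        title.setRequired(true);
        title.add(StringValidator.maximumLength(120));
        form.add(title);

        TextField<Integer> quantity = new TextField<Integer>("quantity", Integer.class);
        quantity.setRequired(true);
        quantity.add(new RangeValidator<Integer>(1, 100));
        form.add(quantity);

        form.add(new AjaxButton("save", form) {
            @Override
            protected void onSubmit(AjaxRequestTarget target, Form<?> f) {
                // Field validation has passed; now verify the data itself.
                // The write happens here, so the authorization rule (an
                // assumption of this example) is enforced here as well.
                if (!item.getOwnerId().equals(currentUserId())) {
                    error("You may not edit this item.");
                    target.addComponent(feedback);
                    return;
                }
                saveItem(item);
                info("Saved.");
                target.addComponent(feedback);
            }

            @Override
            protected void onError(AjaxRequestTarget target, Form<?> f) {
                // Validation failed: repaint the feedback panel so the
                // validator messages are shown in the Ajax response.
                target.addComponent(feedback);
            }
        });
    }

    /** Hypothetical: id of the user bound to the current Wicket session. */
    private String currentUserId() { return "user-42"; }

    /** Hypothetical persistence call. */
    private void saveItem(Item item) { /* dao.save(item) */ }
}
```

The two halves correspond to the two points in the reply: the session-relative page instance is what stops URL fiddling, while the validators and the check in onSubmit are the part that must be written deliberately, since Wicket cannot know which submitted values are acceptable for your entity.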
