Thanks guys! The end result looks like this, works fine, and removed a lot of html boilerplate from our templates:

public SecureForm(String id, IModel<T> model) {
    super(id, model);
    setMarkupId(id);
    // Form-level validator: reads the raw request parameter instead of a HiddenField component,
    // so the hidden input no longer needs a wicket:id in every template.
    add(new IFormValidator() {
        @Override
        public void validate(Form<?> form) {
            String submitted = getRequest().getParameter("csrf-protection");
            if (Application.get().getConfigurationType().equals(Application.DEPLOYMENT)
                    && !csrfProtection().equals(submitted)) {
                log.warn("potential csrf attack, submitted value: " + submitted
                        + ", expected: " + csrfProtection());
                form.error("wrong csrf protection cookie");
            }
        }

        @Override
        public FormComponent<?>[] getDependentFormComponents() {
            return null;
        }
    });
}

@Override
protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
    // Write the hidden field directly into the form body; it is plain markup, not a component.
    getResponse().write(new AppendingStringBuffer("<input type=\"hidden\" name=\"csrf-protection\" value=\"")
            .append(csrfProtection()).append("\" />"));
    super.onComponentTagBody(markupStream, openTag);
}

Jörn

On Tue, May 26, 2009 at 2:23 PM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
> The current component (the HiddenField) checks that the same value
> that it started with, is submitted. I'll try to replace that using a
> form validator that reads the parameter directly.
>
> Thanks
> Jörn
>
> On Tue, May 26, 2009 at 1:32 PM, Maarten Bosteels <mbosteels....@gmail.com> wrote:
>> When you write it out with oncomponenttagbody it's not part of the
>> component hierarchy, it's just rendered markup.
>> Once the form is submitted, you can retrieve the value using the servlet
>> API.
>> What behavior would you want to add on top?
>>
>> Maarten
>>
>> On Tue, May 26, 2009 at 12:17 PM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
>>> How is that going to fix the problem? I'd end up with markup, but no
>>> behaviour on top of it.
>>>
>>> Jörn
>>>
>>> On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg <igor.vaynb...@gmail.com> wrote:
>>>> right, so remove that code since you have replaced that component with
>>>> pure markup.
>>>>
>>>> -igor
>>>>
>>>> On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
>>>>> That was the idea. But Wicket still can't find the component markup
>>>>> when looking for it. The form adds this elsewhere:
>>>>>
>>>>> add(new HiddenField<String>("csrf-protection", new Model<String>(csrfProtection()))
>>>>>         .setRequired(true)
>>>>>         .add(new IValidator<String>() {
>>>>>             public void validate(IValidatable<String> validatable) {
>>>>>                 // reject the submission when the posted value differs from the session token
>>>>>                 if (!csrfProtection().equals(validatable.getValue())) {
>>>>>                     log.warn("potential csrf attack, submitted value: "
>>>>>                             + validatable.getValue() + ", expected: " + csrfProtection());
>>>>>                     validatable.error(new ValidationError().setMessage("wrong csrf protection cookie"));
>>>>>                 }
>>>>>             }
>>>>>         }));
>>>>>
>>>>> Jörn
>>>>>
>>>>> On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg <igor.vaynb...@gmail.com> wrote:
>>>>>> if you write it out in oncomponenttagbody then you don't need it in the
>>>>>> markup anymore.
>>>>>>
>>>>>> -igor
>>>>>>
>>>>>> On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> my application uses a form subclass everywhere for CSRF protection.
>>>>>>> Each form needs a hidden field like this: <input type="hidden" wicket:id="csrf-protection" />
>>>>>>> The wicket component for that is added by the form subclass
>>>>>>> (SecureForm) which all other forms in the application extend.
>>>>>>>
>>>>>>> Currently each form has to include that markup somewhere, producing a
>>>>>>> lot of duplication.
>>>>>>>
>>>>>>> I'm looking for a way to get rid of that duplication. An approach I'm
>>>>>>> currently investigating is to generate the markup, similar to how Form
>>>>>>> generates a hidden input in its onComponentTagBody:
>>>>>>>
>>>>>>> @Override
>>>>>>> protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
>>>>>>>     String nameAndId = get("csrf-protection").getId();
>>>>>>>     AppendingStringBuffer buffer = new AppendingStringBuffer(
>>>>>>>             "<input type=\"hidden\" name=\"").append(nameAndId).append("\" />");
>>>>>>>     getResponse().write(buffer);
>>>>>>>     super.onComponentTagBody(markupStream, openTag);
>>>>>>> }
>>>>>>>
>>>>>>> That doesn't work, Wicket throws an exception of a missing reference
>>>>>>> in markup anyway. Likely because this just writes to the response, not
>>>>>>> extending the markup.
>>>>>>> I also don't see any way to achieve this via MarkupStream or ComponentTag.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Regards
>>>>>>> Jörn Zaefferer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
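The pattern the thread settles on, as an added example that is neither Jörn's nor Wicket's code: the two halves of SecureForm (rendering the hidden field, validating the posted parameter) as plain Java in a hypothetical CsrfTokenCheck class with no Wicket dependency, so the check itself can be unit-tested. It assumes a random per-session token kept server-side; render() is what onComponentTagBody would write and check() is what the IFormValidator would call, and unlike the thread's snippet it compares in constant time, rejects a missing parameter instead of throwing, and applies in every configuration mode.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper (not part of the thread or of Wicket): token issue, render and check.
public class CsrfTokenCheck {
    // Request parameter name used throughout the thread.
    static final String PARAM = "csrf-protection";

    // Per-session token: 32 random bytes, URL-safe base64. Assumed to be stored in the
    // server-side session and returned by something like the thread's csrfProtection().
    static String newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Markup for the hidden field. The token is attribute-escaped so that a later change
    // of token format can never break out of the value="..." quotes.
    static String render(String token) {
        return "<input type=\"hidden\" name=\"" + PARAM + "\" value=\"" + escapeAttr(token) + "\" />";
    }

    static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // True only when a token was submitted and it equals the session token.
    // MessageDigest.isEqual runs in constant time for equal-length inputs; a request
    // without the parameter (null) is rejected rather than causing a NullPointerException.
    static boolean check(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String token = newToken();
        System.out.println(render(token));
        System.out.println("same token:      " + check(token, token));
        System.out.println("parameter absent: " + check(token, null));
        System.out.println("tampered token:   " + check(token, token + "x"));
        System.out.println("other session:    " + check(token, newToken()));
    }
}
```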