Thanks guys! The end result looks like this, works fine, and removed a
lot of HTML boilerplate from our templates:

public SecureForm(String id, IModel<T> model) {
    super(id, model);
    setMarkupId(id);
    // The hidden token field is plain markup (see onComponentTagBody), not a
    // Wicket component, so the validator reads the raw request parameter.
    add(new IFormValidator() {
        @Override
        public void validate(Form<?> form) {
            String submitted = getRequest().getParameter("csrf-protection");
            // Only enforced in DEPLOYMENT mode. csrfProtection() returns the
            // expected token and is defined elsewhere in SecureForm (not shown).
            if (Application.get().getConfigurationType().equals(Application.DEPLOYMENT)
                    && !csrfProtection().equals(submitted)) {
                log.warn("potential csrf attack, submitted value: " + submitted
                        + ", expected: " + csrfProtection());
                form.error("wrong csrf protection cookie");
            }
        }

        @Override
        public FormComponent<?>[] getDependentFormComponents() {
            // No dependent components, so the validator runs on every submit.
            return null;
        }
    });
}

@Override
protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
    // Write the hidden token field straight into the response, so the form
    // markup no longer needs an <input wicket:id="csrf-protection"/> of its own.
    getResponse().write(new AppendingStringBuffer("<input type=\"hidden\" name=\"csrf-protection\" value=\"")
            .append(csrfProtection()).append("\" />"));
    super.onComponentTagBody(markupStream, openTag);
}

Jörn

On Tue, May 26, 2009 at 2:23 PM, Jörn Zaefferer
<joern.zaeffe...@googlemail.com> wrote:
> The current component (the HiddenField) checks that the same value
> that it started with, is submitted. I'll try to replace that using a
> form validator that reads the parameter directly.
>
> Thanks
> Jörn
>
> On Tue, May 26, 2009 at 1:32 PM, Maarten Bosteels
> <mbosteels....@gmail.com> wrote:
>> When you write it out with oncomponenttagbody it's not part of the
>> component hierarchy, it's just rendered markup.
>> Once the form is submitted, you can retrieve the value using the servlet
>> API.
>> What behavior would you want to add on top ?
>>
>> Maarten
>>
>>
>> On Tue, May 26, 2009 at 12:17 PM, Jörn Zaefferer <
>> joern.zaeffe...@googlemail.com> wrote:
>>
>>> How is that going to fix the problem? I'd end up with markup, but no
>>> behaviour on top of it.
>>>
>>> Jörn
>>>
>>> On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg <igor.vaynb...@gmail.com>
>>> wrote:
>>> > right, so remove that code since you have replaced that component with
>>> > pure markup.
>>> >
>>> > -igor
>>> >
>>> > On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer
>>> > <joern.zaeffe...@googlemail.com> wrote:
>>> >> That was the idea. But Wicket still can't find the component markup
>>> >> when looking for it. The form adds this elsewhere:
>>> >>
>>> >> add(new HiddenField<String>("csrf-protection", new
>>> >> Model<String>(csrfProtection())).setRequired(true).add(new
>>> >> IValidator<String>() {
>>> >>        public void validate(IValidatable<String> validatable) {
>>> >>                log.warn("potential csrf attack, submitted value: " +
>>> >> validatable.getValue() + ", expected: " + csrfProtection());
>>> >>                validatable.error(new ValidationError().setMessage("wrong csrf protection cookie"));
>>> >>        }
>>> >> }));
>>> >>
>>> >> Jörn
>>> >>
>>> >> On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg <igor.vaynb...@gmail.com>
>>> wrote:
>>> >>> if you write it out in oncomponenttagbody then you don't need it in the
>>> >>> markup anymore.
>>> >>>
>>> >>> -igor
>>> >>>
>>> >>> On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer
>>> >>> <joern.zaeffe...@googlemail.com> wrote:
>>> >>>> Hi,
>>> >>>>
>>> >>>> my application uses a form subclass everywhere for CSRF protection.
>>> >>>> Each form needs a hidden field like this: <input type="hidden"
>>> >>>> wicket:id="csrf-protection" />
>>> >>>> The wicket component for that is added by the form subclass
>>> >>>> (SecureForm) which all other forms in the application extend.
>>> >>>>
>>> >>>> Currently each form has to include that markup somewhere, producing a
>>> >>>> lot of duplication.
>>> >>>>
>>> >>>> I'm looking for a way to get rid of that duplication. An approach I'm
>>> >>>> currently investigating is to generate the markup, similar to how Form
>>> >>>> generates a hidden input in its onComponentTagBody:
>>> >>>>
>>> >>>> @Override
>>> >>>> protected void onComponentTagBody(MarkupStream markupStream,
>>> >>>> ComponentTag openTag) {
>>> >>>>        String nameAndId = get("csrf-protection").getId();
>>> >>>>        AppendingStringBuffer buffer = new AppendingStringBuffer(
>>> >>>>                "<input type=\"hidden\" name=\"").append(nameAndId).append("\" />");
>>> >>>>        getResponse().write(buffer);
>>> >>>>        super.onComponentTagBody(markupStream, openTag);
>>> >>>> }
>>> >>>>
>>> >>>> That doesn't work, Wicket throws an exception of a missing reference
>>> >>>> in markup anyway. Likely because this just writes to the response, not
>>> >>>> extending the markup.
>>> >>>> I also don't see any way to achieve this via MarkupStream or
>>> ComponentTag.
>>> >>>>
>>> >>>> Any ideas?
>>> >>>>
>>> >>>> Regards
>>> >>>> Jörn Zaefferer
>>> >>>>
>>> >>>> ---------------------------------------------------------------------
>>> >>>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>>> >>>> For additional commands, e-mail: users-h...@wicket.apache.org
>>> >>>>
>>> >>>>
>>> >>>
>>> >>
>>> >
>>>
>>
>

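The SecureForm posted at the top of this thread leaves out how csrfProtection() produces its token, compares it with String.equals, and writes the expected token into the log on a mismatch. The following is an added example, not code from the original posts or from Wicket itself, showing one complete way to implement the same "render the hidden field in onComponentTagBody, validate it with an IFormValidator" pattern: a per-session random token kept in session metadata, the hidden input written with its value escaped, a constant-time comparison, and a log line that records only the fact of the mismatch. It assumes Wicket 1.4 (Form, IFormValidator, MetaDataKey, Session, Strings.escapeMarkup) and SLF4J; TOKEN_PARAM, TOKEN_KEY, newToken and tokenMatches are names chosen for this example. Unlike the original, it enforces the check in every configuration type, not only DEPLOYMENT.

```java
import java.security.SecureRandom;
import org.apache.wicket.MetaDataKey;
import org.apache.wicket.Session;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.MarkupStream;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.FormComponent;
import org.apache.wicket.markup.html.form.validation.IFormValidator;
import org.apache.wicket.model.IModel;
import org.apache.wicket.util.string.AppendingStringBuffer;
import org.apache.wicket.util.string.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Example base form (written for this thread, not the original poster's class):
 * every form extending it carries a hidden anti-CSRF token checked on submit.
 */
public class SecureForm<T> extends Form<T> {
    private static final long serialVersionUID = 1L;
    private static final Logger log = LoggerFactory.getLogger(SecureForm.class);

    /** Request parameter name; must not collide with a wicket:id in the form. */
    static final String TOKEN_PARAM = "csrf-protection";

    /** Session metadata slot for the token (assumed Wicket 1.4 MetaDataKey API). */
    private static final MetaDataKey<String> TOKEN_KEY = new MetaDataKey<String>() {
        private static final long serialVersionUID = 1L;
    };

    private static final SecureRandom RNG = new SecureRandom();

    public SecureForm(String id, IModel<T> model) {
        super(id, model);
        setMarkupId(id);
        add(new IFormValidator() {
            private static final long serialVersionUID = 1L;

            @Override
            public void validate(Form<?> form) {
                String submitted = getRequest().getParameter(TOKEN_PARAM);
                if (!tokenMatches(csrfProtection(), submitted)) {
                    // Record the event, but never the expected token itself.
                    log.warn("CSRF token mismatch on form " + getPageRelativePath());
                    form.error("Invalid or missing CSRF token; please resubmit the form.");
                }
            }

            @Override
            public FormComponent<?>[] getDependentFormComponents() {
                return null; // no dependencies: the check runs on every submit
            }
        });
    }

    /** Returns the session's token, creating one and binding the session on first use. */
    protected String csrfProtection() {
        Session session = Session.get();
        String token = session.getMetaData(TOKEN_KEY);
        if (token == null) {
            token = newToken();
            session.bind(); // a temporary session would not keep the metadata
            session.setMetaData(TOKEN_KEY, token);
        }
        return token;
    }

    /** 128 random bits as lowercase hex. */
    static String newToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : raw) {
            hex.append(String.format("%02x", b & 0xff));
        }
        return hex.toString();
    }

    /** Constant-time comparison: run time does not depend on where the strings differ. */
    static boolean tokenMatches(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        byte[] a = expected.getBytes();
        byte[] b = submitted.getBytes();
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    @Override
    protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
        // Plain markup, not a component, so Wicket never looks for it in the HTML.
        // The value is escaped so a future token format cannot break the attribute.
        getResponse().write(new AppendingStringBuffer("<input type=\"hidden\" name=\"")
                .append(TOKEN_PARAM).append("\" value=\"")
                .append(Strings.escapeMarkup(csrfProtection())).append("\" />"));
        super.onComponentTagBody(markupStream, openTag);
    }
}
```

A form's HTML then needs only the `<form wicket:id="...">` element; no hidden input is declared in the template. Because the token lives in the session rather than in the page, a stale page submitting after re-login fails validation with a user-visible error instead of a silent 500, and because getDependentFormComponents() returns null the validator also runs for forms that have no other components at all.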
