+1

On Mon, 19 Oct 2020 at 17:28, Martin Grigorov <mgrigo...@apache.org> wrote:

> Hi Eric,
>
> You can implement it yourself:
>
> In #onUpdate(AjaxRequestTarget) start with:
>
>     AjaxRequestAttributes attrs = getAttributes();
>     String desiredMethod = attrs.getMethod().toString();
>     String actualMethod = ((HttpServletRequest)
>         RequestCycle.get().getRequest().getContainerRequest()).getMethod();
>     if (!desiredMethod.equalsIgnoreCase(actualMethod)) {....}
>
> @devs: What do you think about adding the above to
> AjaxFormComponentUpdatingBehavior#onEvent()?
> We can add #onMethodMismatch() to AjaxFormComponentUpdatingBehavior that is
> similar to the one in Form. If it returns ABORT then we will execute the code
> above. If it returns CONTINUE (the default) then there is no need to calculate
> the AjaxRequestAttributes.
>
> On Sun, Oct 18, 2020 at 11:40 PM Sven Meier <s...@meiers.net> wrote:
>
> > Hi,
> >
> > with AjaxFormComponentUpdatingBehavior only a single component is
> > processed and not the complete Form.
> > So method mismatches are not checked.
> >
> > Have fun
> > Sven
> >
> > On 17.10.20 14:34, Eric Hamel wrote:
> > > Looking at our implementation, we are using an
> > > AjaxFormComponentUpdatingBehavior to trigger our data save.
> > >
> > > Even though we do have a parent form, the onSubmit is never called.
> > >
> > > Is there an alternative to onMethodMismatch?
> > >
> > > —————————
> > > Eric Hamel
> > > Senior Project Manager
> > > Albany Information Technology Group
> > > C. 518-698-4503
> > >
> > >> On Oct 16, 2020, at 4:32 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
> > >>
> > >> On Fri, Oct 16, 2020, 23:27 Eric Hamel <dantehick...@gmail.com> wrote:
> > >>
> > >>> I apologize in advance for my vague question. Our Wicket 8 based
> > >>> application was submitted to pen testing from our EISO. While I
> > >>> understand the finding, I'm not 100% sure I understand the problem nor
> > >>> do I know how to address it.
> > >>>
> > >>> In one of our complex forms that uses Ajax calls to automatically
> > >>> update the DB when the fields lose focus, the tester made the
> > >>> following remark:
> > >>>
> > >>> Application accepts GET requests for coded POST Ajax calls – parameters
> > >>> can be passed in URL
> > >>>
> > >>> It appears that through his "fuzzer", even though our requests are
> > >>> marked as POST, it still processes GET requests. Is there a way to
> > >>> enforce POST? Is there any way to mitigate this issue globally from a
> > >>> configuration standpoint?
> > >>
> > >> See Form#onMethodMismatch()
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > > For additional commands, e-mail: users-h...@wicket.apache.org
>

--
Best regards,
Maxim
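Martin's check written out as a complete application-side behavior, as an added example that is not code from this thread or from Wicket itself. It assumes the getUpdateModel() hook of Wicket 7/8; the class name, onMethodMismatch() and onPostUpdate() are hypothetical names chosen here.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.attributes.AjaxRequestAttributes;
import org.apache.wicket.ajax.form.AjaxFormComponentUpdatingBehavior;
import org.apache.wicket.markup.html.form.Form.MethodMismatchResponse;
import org.apache.wicket.request.cycle.RequestCycle;

// Hypothetical application-side behavior (not part of Wicket): declares POST for its
// Ajax callback and drops updates that arrive with any other HTTP method.
public abstract class PostOnlyUpdatingBehavior extends AjaxFormComponentUpdatingBehavior {
    public PostOnlyUpdatingBehavior(String event) {
        super(event);
    }
    @Override
    protected void updateAjaxAttributes(AjaxRequestAttributes attributes) {
        super.updateAjaxAttributes(attributes);
        // Make the declared method explicit so getAttributes().getMethod() is POST.
        attributes.setMethod(AjaxRequestAttributes.Method.POST);
    }
    // Same contract as Form#onMethodMismatch(); ABORT by default, which is the fix we want.
    protected MethodMismatchResponse onMethodMismatch() {
        return MethodMismatchResponse.ABORT;
    }
    // The check from the thread: declared Ajax method vs. the method the container saw.
    protected final boolean isMethodMismatch() {
        String desired = getAttributes().getMethod().toString();
        String actual = ((HttpServletRequest) RequestCycle.get().getRequest()
            .getContainerRequest()).getMethod();
        return !desired.equalsIgnoreCase(actual);
    }
    private boolean abortThisRequest() {
        return isMethodMismatch() && onMethodMismatch() == MethodMismatchResponse.ABORT;
    }
    // Consulted after validation but before the model is written (Wicket 7/8), so a
    // GET-supplied value never reaches the model when the request is to be aborted.
    @Override
    protected boolean getUpdateModel() {
        return !abortThisRequest();
    }
    @Override
    protected final void onUpdate(AjaxRequestTarget target) {
        if (abortThisRequest()) {
            return; // like Form with ABORT: silently ignore, nothing is saved
        }
        onPostUpdate(target);
    }
    // Subclasses put their data save here; only reached when the method matches.
    protected abstract void onPostUpdate(AjaxRequestTarget target);
}
```

Note that onUpdate() runs only after the component has been validated, which is why the model write is also gated in getUpdateModel() rather than in onUpdate() alone.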