+1 that's a good proposal
Sven
On 19.10.20 12:33, Maxim Solodovnik wrote:
+1
On Mon, 19 Oct 2020 at 17:28, Martin Grigorov <mgrigo...@apache.org> wrote:
Hi Eric,
You can implement it yourself:
In #onUpdate(AjaxRequestTarget) start with:
AjaxRequestAttributes attrs = getAttributes();
String desiredMethod = attrs.getMethod().toString();
String actualMethod = ((HttpServletRequest)
RequestCycle.get().getRequest().getContainerRequest()).getMethod();
if (!desiredMethod.equalsIgnoreCase(actualMethod)) {....}
@devs: What do you think about adding the above to
AjaxFormComponentUpdatingBehavior#onEvent() ?
We can add #onMethodMismatch() to AjaxFormComponentUpdatingBehavior that is
similar to one in Form. If it returns ABORT then we will execute the code
above. If it returns CONTINUE (the default) then no need to calculate the
AjaxRequestAttributes
On Sun, Oct 18, 2020 at 11:40 PM Sven Meier <s...@meiers.net> wrote:
Hi,
with AjaxFormComponentUpdatingBehavior only a single component is
processed and not the complete Form.
So method mismatches are not checked.
Have fun
Sven
On 17.10.20 14:34, Eric Hamel wrote:
Looking at our implementation, we are using an
AjaxFormComponentUpdatingBehavior to trigger our data save.
Even though we do a have parent form the onSubmit is never called.
Is there an alternative to the onMethodMismatch ?
—————————
Eric Hamel
Senior Project Manager
Albany Information Technology Group
C. 518-698-4503
On Oct 16, 2020, at 4:32 PM, Martin Grigorov <mgrigo...@apache.org>
wrote:
On Fri, Oct 16, 2020, 23:27 Eric Hamel <dantehick...@gmail.com>
wrote:
I apologize in advance for my vague question. Our Wicket 8 based
application was submitted to pen testing from our EISO. While I
understand
the finding, I'm not 100% sure I understand the problem nor do I know
how
to address it.
In one of our complex forms that uses Ajax Calls to automatically
update
the DB when the fields lose focus, the tester made the following
remark:
Applications accepts GET requests for coded POST Ajax calls –
parameters
can be passed in URL
It appears that through his "fuzzer", even though our requests are
marked
as POST, it still processes GET requests. Is there a way to enforce
POST ?
Is there any way to mitigate this issue globally from a configuration
standpoint ?
See Form#onMethodMismatch()
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
