Re: Apache Wicket - Enforcing POST on Ajax calls
https://issues.apache.org/jira/browse/WICKET-6844

I've decided to implement it at AbstractDefaultAjaxBehavior so almost all Ajax behaviors could make use of it.

On Mon, Oct 19, 2020 at 8:21 PM Sven Meier wrote:

> +1 that's a good proposal
>
> Sven
>
> On 19.10.20 12:33, Maxim Solodovnik wrote:
>
>> +1
>>
>> On Mon, 19 Oct 2020 at 17:28, Martin Grigorov wrote:
>>
>>> Hi Eric,
>>>
>>> You can implement it yourself:
>>>
>>> In #onUpdate(AjaxRequestTarget) start with:
>>>
>>>     AjaxRequestAttributes attrs = getAttributes();
>>>     String desiredMethod = attrs.getMethod().toString();
>>>     String actualMethod = ((HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest()).getMethod();
>>>     if (!desiredMethod.equalsIgnoreCase(actualMethod)) {
>>>         // the request did not arrive with the method declared in the Ajax attributes
>>>     }
>>>
>>> @devs: What do you think about adding the above to AjaxFormComponentUpdatingBehavior#onEvent()?
>>> We can add #onMethodMismatch() to AjaxFormComponentUpdatingBehavior that is similar to the one in Form. If it returns ABORT then we will execute the code above. If it returns CONTINUE (the default) then there is no need to calculate the AjaxRequestAttributes.
>>>
>>> On Sun, Oct 18, 2020 at 11:40 PM Sven Meier wrote:
>>>
>>>> Hi,
>>>>
>>>> with AjaxFormComponentUpdatingBehavior only a single component is processed and not the complete Form.
>>>> So method mismatches are not checked.
>>>>
>>>> Have fun
>>>> Sven
>>>>
>>>> On 17.10.20 14:34, Eric Hamel wrote:
>>>>
>>>>> Looking at our implementation, we are using an AjaxFormComponentUpdatingBehavior to trigger our data save.
>>>>>
>>>>> Even though we do have a parent form the onSubmit is never called.
>>>>>
>>>>> Is there an alternative to the onMethodMismatch?
>>>>>
>>>>> —
>>>>> Eric Hamel
>>>>> Senior Project Manager
>>>>> Albany Information Technology Group
>>>>> C. 518-698-4503
>>>>>
>>>>> On Oct 16, 2020, at 4:32 PM, Martin Grigorov wrote:
>>>>>
>>>>>> On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:
>>>>>>
>>>>>>> I apologize in advance for my vague question. Our Wicket 8 based application was submitted to pen testing from our EISO. While I understand the finding, I'm not 100% sure I understand the problem nor do I know how to address it.
>>>>>>>
>>>>>>> In one of our complex forms that uses Ajax Calls to automatically update the DB when the fields lose focus, the tester made the following remark:
>>>>>>>
>>>>>>> Application accepts GET requests for coded POST Ajax calls – parameters can be passed in URL
>>>>>>>
>>>>>>> It appears that through his "fuzzer", even though our requests are marked as POST, it still processes GET requests. Is there a way to enforce POST? Is there any way to mitigate this issue globally from a configuration standpoint?
>>>>>>
>>>>>> See Form#onMethodMismatch()
>>>>>
>>>>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>>>>> For additional commands, e-mail: users-h...@wicket.apache.org
Re: Apache Wicket - Enforcing POST on Ajax calls
+1 that's a good proposal

Sven

On 19.10.20 12:33, Maxim Solodovnik wrote:

> +1
>
> On Mon, 19 Oct 2020 at 17:28, Martin Grigorov wrote:
>
>> Hi Eric,
>>
>> You can implement it yourself:
>>
>> In #onUpdate(AjaxRequestTarget) start with:
>>
>>     AjaxRequestAttributes attrs = getAttributes();
>>     String desiredMethod = attrs.getMethod().toString();
>>     String actualMethod = ((HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest()).getMethod();
>>     if (!desiredMethod.equalsIgnoreCase(actualMethod)) {
>>         // the request did not arrive with the method declared in the Ajax attributes
>>     }
>>
>> @devs: What do you think about adding the above to AjaxFormComponentUpdatingBehavior#onEvent()?
>> We can add #onMethodMismatch() to AjaxFormComponentUpdatingBehavior that is similar to the one in Form. If it returns ABORT then we will execute the code above. If it returns CONTINUE (the default) then there is no need to calculate the AjaxRequestAttributes.
>>
>> On Sun, Oct 18, 2020 at 11:40 PM Sven Meier wrote:
>>
>>> Hi,
>>>
>>> with AjaxFormComponentUpdatingBehavior only a single component is processed and not the complete Form.
>>> So method mismatches are not checked.
>>>
>>> Have fun
>>> Sven
>>>
>>> On 17.10.20 14:34, Eric Hamel wrote:
>>>
>>>> Looking at our implementation, we are using an AjaxFormComponentUpdatingBehavior to trigger our data save.
>>>>
>>>> Even though we do have a parent form the onSubmit is never called.
>>>>
>>>> Is there an alternative to the onMethodMismatch?
>>>>
>>>> —
>>>> Eric Hamel
>>>> Senior Project Manager
>>>> Albany Information Technology Group
>>>> C. 518-698-4503
>>>>
>>>> On Oct 16, 2020, at 4:32 PM, Martin Grigorov wrote:
>>>>
>>>>> On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:
>>>>>
>>>>>> I apologize in advance for my vague question. Our Wicket 8 based application was submitted to pen testing from our EISO. While I understand the finding, I'm not 100% sure I understand the problem nor do I know how to address it.
>>>>>>
>>>>>> In one of our complex forms that uses Ajax Calls to automatically update the DB when the fields lose focus, the tester made the following remark:
>>>>>>
>>>>>> Application accepts GET requests for coded POST Ajax calls – parameters can be passed in URL
>>>>>>
>>>>>> It appears that through his "fuzzer", even though our requests are marked as POST, it still processes GET requests. Is there a way to enforce POST? Is there any way to mitigate this issue globally from a configuration standpoint?
>>>>>
>>>>> See Form#onMethodMismatch()
Re: Apache Wicket - Enforcing POST on Ajax calls
+1

On Mon, 19 Oct 2020 at 17:28, Martin Grigorov wrote:

> Hi Eric,
>
> You can implement it yourself:
>
> In #onUpdate(AjaxRequestTarget) start with:
>
>     AjaxRequestAttributes attrs = getAttributes();
>     String desiredMethod = attrs.getMethod().toString();
>     String actualMethod = ((HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest()).getMethod();
>     if (!desiredMethod.equalsIgnoreCase(actualMethod)) {
>         // the request did not arrive with the method declared in the Ajax attributes
>     }
>
> @devs: What do you think about adding the above to AjaxFormComponentUpdatingBehavior#onEvent()?
> We can add #onMethodMismatch() to AjaxFormComponentUpdatingBehavior that is similar to the one in Form. If it returns ABORT then we will execute the code above. If it returns CONTINUE (the default) then there is no need to calculate the AjaxRequestAttributes.
>
> On Sun, Oct 18, 2020 at 11:40 PM Sven Meier wrote:
>
>> Hi,
>>
>> with AjaxFormComponentUpdatingBehavior only a single component is processed and not the complete Form.
>> So method mismatches are not checked.
>>
>> Have fun
>> Sven
>>
>> On 17.10.20 14:34, Eric Hamel wrote:
>>
>>> Looking at our implementation, we are using an AjaxFormComponentUpdatingBehavior to trigger our data save.
>>>
>>> Even though we do have a parent form the onSubmit is never called.
>>>
>>> Is there an alternative to the onMethodMismatch?
>>>
>>> —
>>> Eric Hamel
>>> Senior Project Manager
>>> Albany Information Technology Group
>>> C. 518-698-4503
>>>
>>> On Oct 16, 2020, at 4:32 PM, Martin Grigorov wrote:
>>>
>>>> On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:
>>>>
>>>>> I apologize in advance for my vague question. Our Wicket 8 based application was submitted to pen testing from our EISO. While I understand the finding, I'm not 100% sure I understand the problem nor do I know how to address it.
>>>>>
>>>>> In one of our complex forms that uses Ajax Calls to automatically update the DB when the fields lose focus, the tester made the following remark:
>>>>>
>>>>> Application accepts GET requests for coded POST Ajax calls – parameters can be passed in URL
>>>>>
>>>>> It appears that through his "fuzzer", even though our requests are marked as POST, it still processes GET requests. Is there a way to enforce POST? Is there any way to mitigate this issue globally from a configuration standpoint?
>>>>
>>>> See Form#onMethodMismatch()

--
Best regards,
Maxim
Re: Apache Wicket - Enforcing POST on Ajax calls
Hi Eric,

You can implement it yourself:

In #onUpdate(AjaxRequestTarget) start with:

    AjaxRequestAttributes attrs = getAttributes();
    String desiredMethod = attrs.getMethod().toString();
    String actualMethod = ((HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest()).getMethod();
    if (!desiredMethod.equalsIgnoreCase(actualMethod)) {
        // the request did not arrive with the method declared in the Ajax attributes
    }

@devs: What do you think about adding the above to AjaxFormComponentUpdatingBehavior#onEvent()?
We can add #onMethodMismatch() to AjaxFormComponentUpdatingBehavior that is similar to the one in Form. If it returns ABORT then we will execute the code above. If it returns CONTINUE (the default) then there is no need to calculate the AjaxRequestAttributes.

On Sun, Oct 18, 2020 at 11:40 PM Sven Meier wrote:

> Hi,
>
> with AjaxFormComponentUpdatingBehavior only a single component is processed and not the complete Form.
> So method mismatches are not checked.
>
> Have fun
> Sven
>
> On 17.10.20 14:34, Eric Hamel wrote:
>
>> Looking at our implementation, we are using an AjaxFormComponentUpdatingBehavior to trigger our data save.
>>
>> Even though we do have a parent form the onSubmit is never called.
>>
>> Is there an alternative to the onMethodMismatch?
>>
>> —
>> Eric Hamel
>> Senior Project Manager
>> Albany Information Technology Group
>> C. 518-698-4503
>>
>> On Oct 16, 2020, at 4:32 PM, Martin Grigorov wrote:
>>
>>> On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:
>>>
>>>> I apologize in advance for my vague question. Our Wicket 8 based application was submitted to pen testing from our EISO. While I understand the finding, I'm not 100% sure I understand the problem nor do I know how to address it.
>>>>
>>>> In one of our complex forms that uses Ajax Calls to automatically update the DB when the fields lose focus, the tester made the following remark:
>>>>
>>>> Application accepts GET requests for coded POST Ajax calls – parameters can be passed in URL
>>>>
>>>> It appears that through his "fuzzer", even though our requests are marked as POST, it still processes GET requests. Is there a way to enforce POST? Is there any way to mitigate this issue globally from a configuration standpoint?
>>>
>>> See Form#onMethodMismatch()
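Martin's snippet above, worked into a reusable behavior that also declares the method it expects. This is an added example, not code from the thread or from Wicket: the class name PostOnlyUpdatingBehavior and the onVerifiedUpdate hook are my own, while AjaxFormComponentUpdatingBehavior, AjaxRequestAttributes.Method, Form.MethodMismatchResponse and AbortWithHttpErrorCodeException are real Wicket 8 types; because AjaxFormComponentUpdatingBehavior#onEvent() is final, application code can only hook in at onUpdate(), after the input has already been validated and written to the model.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.attributes.AjaxRequestAttributes;
import org.apache.wicket.ajax.attributes.AjaxRequestAttributes.Method;
import org.apache.wicket.ajax.form.AjaxFormComponentUpdatingBehavior;
import org.apache.wicket.markup.html.form.Form.MethodMismatchResponse;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;

/**
 * Hypothetical helper, not part of Wicket: declares POST for the Ajax call and refuses to run
 * the application's update logic when the request actually arrived with another HTTP method.
 */
public abstract class PostOnlyUpdatingBehavior extends AjaxFormComponentUpdatingBehavior {

    public PostOnlyUpdatingBehavior(String event) {
        super(event);
    }

    @Override
    protected void updateAjaxAttributes(AjaxRequestAttributes attributes) {
        super.updateAjaxAttributes(attributes);
        // The declared method: wicket-ajax.js sends it, and the check below compares against it.
        attributes.setMethod(Method.POST);
    }

    /** Same contract as Form#onMethodMismatch(); override to return CONTINUE to accept any method. */
    protected MethodMismatchResponse onMethodMismatch() {
        return MethodMismatchResponse.ABORT;
    }

    /** Subclasses put their save logic here; it is only reached when the method check passed. */
    protected abstract void onVerifiedUpdate(AjaxRequestTarget target);

    @Override
    protected final void onUpdate(AjaxRequestTarget target) {
        // Caveat: onEvent() has already validated the input and written it to the component's
        // model; this guards the application's own processing, not the model update itself.
        String desired = getAttributes().getMethod().toString();
        Object container = RequestCycle.get().getRequest().getContainerRequest();
        String actual = container instanceof HttpServletRequest
                ? ((HttpServletRequest) container).getMethod()
                : desired; // no servlet request available, nothing to compare against
        if (!desired.equalsIgnoreCase(actual) && onMethodMismatch() == MethodMismatchResponse.ABORT) {
            // A 405 rather than a silent return leaves a trace in the container's access log.
            throw new AbortWithHttpErrorCodeException(405,
                    "Ajax call declared " + desired + " but was received as " + actual);
        }
        onVerifiedUpdate(target);
    }
}
```

Attach it exactly like the plain behavior, e.g. `field.add(new PostOnlyUpdatingBehavior("change") { ... })`, implementing onVerifiedUpdate instead of onUpdate.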
Re: Apache Wicket - Enforcing POST on Ajax calls
Hi,

with AjaxFormComponentUpdatingBehavior only a single component is processed and not the complete Form.
So method mismatches are not checked.

Have fun
Sven

On 17.10.20 14:34, Eric Hamel wrote:

> Looking at our implementation, we are using an AjaxFormComponentUpdatingBehavior to trigger our data save.
>
> Even though we do have a parent form the onSubmit is never called.
>
> Is there an alternative to the onMethodMismatch?
>
> —
> Eric Hamel
> Senior Project Manager
> Albany Information Technology Group
> C. 518-698-4503
>
> On Oct 16, 2020, at 4:32 PM, Martin Grigorov wrote:
>
>> On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:
>>
>>> I apologize in advance for my vague question. Our Wicket 8 based application was submitted to pen testing from our EISO. While I understand the finding, I'm not 100% sure I understand the problem nor do I know how to address it.
>>>
>>> In one of our complex forms that uses Ajax Calls to automatically update the DB when the fields lose focus, the tester made the following remark:
>>>
>>> Application accepts GET requests for coded POST Ajax calls – parameters can be passed in URL
>>>
>>> It appears that through his "fuzzer", even though our requests are marked as POST, it still processes GET requests. Is there a way to enforce POST? Is there any way to mitigate this issue globally from a configuration standpoint?
>>
>> See Form#onMethodMismatch()
Re: Apache Wicket - Enforcing POST on Ajax calls
Looking at our implementation, we are using an AjaxFormComponentUpdatingBehavior to trigger our data save.

Even though we do have a parent form the onSubmit is never called.

Is there an alternative to the onMethodMismatch?

—
Eric Hamel
Senior Project Manager
Albany Information Technology Group
C. 518-698-4503

On Oct 16, 2020, at 4:32 PM, Martin Grigorov wrote:

> On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:
>
>> I apologize in advance for my vague question. Our Wicket 8 based application was submitted to pen testing from our EISO. While I understand the finding, I'm not 100% sure I understand the problem nor do I know how to address it.
>>
>> In one of our complex forms that uses Ajax Calls to automatically update the DB when the fields lose focus, the tester made the following remark:
>>
>> Application accepts GET requests for coded POST Ajax calls – parameters can be passed in URL
>>
>> It appears that through his "fuzzer", even though our requests are marked as POST, it still processes GET requests. Is there a way to enforce POST? Is there any way to mitigate this issue globally from a configuration standpoint?
>
> See Form#onMethodMismatch()
Re: Apache Wicket - Enforcing POST on Ajax calls
Thanks, I'll try that!

—
Eric Hamel
Senior Project Manager
Albany Information Technology Group
C. 518-698-4503

On Oct 16, 2020, at 4:32 PM, Martin Grigorov wrote:

> On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:
>
>> I apologize in advance for my vague question. Our Wicket 8 based application was submitted to pen testing from our EISO. While I understand the finding, I'm not 100% sure I understand the problem nor do I know how to address it.
>>
>> In one of our complex forms that uses Ajax Calls to automatically update the DB when the fields lose focus, the tester made the following remark:
>>
>> Application accepts GET requests for coded POST Ajax calls – parameters can be passed in URL
>>
>> It appears that through his "fuzzer", even though our requests are marked as POST, it still processes GET requests. Is there a way to enforce POST? Is there any way to mitigate this issue globally from a configuration standpoint?
>
> See Form#onMethodMismatch()
Re: Apache Wicket - Enforcing POST on Ajax calls
On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:

> I apologize in advance for my vague question. Our Wicket 8 based application was submitted to pen testing from our EISO. While I understand the finding, I'm not 100% sure I understand the problem nor do I know how to address it.
>
> In one of our complex forms that uses Ajax Calls to automatically update the DB when the fields lose focus, the tester made the following remark:
>
> Application accepts GET requests for coded POST Ajax calls – parameters can be passed in URL
>
> It appears that through his "fuzzer", even though our requests are marked as POST, it still processes GET requests. Is there a way to enforce POST? Is there any way to mitigate this issue globally from a configuration standpoint?

See Form#onMethodMismatch()