Looking at our implementation, we are using an 
AjaxFormComponentUpdatingBehavior to trigger our data save. 

Even though we do a have parent form the onSubmit is never called. 

Is there an alternative to the onMethodMismatch ?

—————————
Eric Hamel
Senior Project Manager
Albany Information Technology Group
C. 518-698-4503

> On Oct 16, 2020, at 4:32 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
> 
> On Fri, Oct 16, 2020, 23:27 Eric Hamel <dantehick...@gmail.com> wrote:
> 
>> I apologize in advance for my vague question. Our Wicket 8 based
>> application was submitted to pen testing from our EISO. While I understand
>> the finding, I'm not 100% sure I understand the problem nor do I know how
>> to address it.
>> 
>> In one of our complex forms that uses Ajax Calls to automatically update
>> the DB when the fields lose focus, the tester made the following remark:
>> 
>> Applications accepts GET requests for coded POST Ajax calls – parameters
>> can be passed in URL
>> 
>> It appears that through his "fuzzer", even though our requests are marked
>> as POST, it still processes GET requests. Is there a way to enforce POST ?
>> Is there any way to mitigate this issue globally from a configuration
>> standpoint ?
>> 
> 
> 
> See Form#onMethodMismatch()
> 
>> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Reply via email to