Would something like this work?
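import java.util.UUID;

import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.html.form.HiddenField;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.util.value.ValueMap;
import org.apache.wicket.validation.IValidatable;
import org.apache.wicket.validation.validator.AbstractValidator;

public class SynchTokenField extends HiddenField
{
    // Token written into the most recent rendering of this field.
    private String token;

    public SynchTokenField(String id)
    {
        super(id, new PropertyModel(new ValueMap(), "token"));
        setRequired(true);
        add(new AbstractValidator()
        {
            // Reject the submission unless it carries the token that was rendered.
            protected void onValidate(IValidatable iValidatable)
            {
                String submittedToken = iValidatable.getValue().toString();
                if (!submittedToken.equals(token))
                {
                    error(iValidatable);
                }
            }
        });
    }

    // Issue a fresh token each time the tag is rendered.
    protected final void onComponentTag(final ComponentTag tag)
    {
        super.onComponentTag(tag);
        token = UUID.randomUUID().toString();
        tag.put("value", token);
    }
}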
Here, all you'd have to do is add one of these puppies to your form
and it'll automatically validate itself.
On Tue, Mar 25, 2008 at 10:35 AM, Johan Compagner <[EMAIL PROTECTED]> wrote:
> do you have a good patch then?
>
> And are you saying that all double submits are then not possible anymore?
>
> Also when I submit, then think hmm that's wrong, back button, change something
> and submit again?
>
> On Tue, Mar 25, 2008 at 3:25 PM, laz <[EMAIL PROTECTED]> wrote:
>
> >
> > Does anyone else feel that this would be generically useful to have as a
> > part of Wicket? Not only does it prevent double submits, but it also is a
> > simple safeguard against cross-site request forgery (see
> > http://en.wikipedia.org/wiki/Cross-site_request_forgery for a summary).
> >
> > The one missing piece from your solution is synchronization. There is the
> > slightest possibility that the second submit of a double submit could
> > enter onSubmit before the token is reset. I am not yet sure what would be
> > the best object to synchronize on, possibly the session id?
> >
> > hillj2 wrote:
> > >
> > > Here's a solution that SEEMS to be working. It incorporates our solution
> > > to the double submit problem that we used on our JSPs. It didn't appear
> > > to be working for me at first, but seems to be now. (It does use the old
> > > servlet request/session objects, but this may change once all our old
> > > code is upgraded to Wicket.)
> > >
> > > ...
> > >
> > > Like I said, for now this appears to be working. I just extend all my
> > > forms from this class and implement onSubmitted() with the same code I
> > > previously put in onSubmit(). The key is putting matching unique strings
> > > in session and in the page instance. On submit, those strings should
> > > match, at which point, the string in session is cleared and the form is
> > > processed as normal. If another submit comes in, the string in session
> > > has been cleared so it doesn't match the string saved in the page
> > > instance. In the case where setResponsePage is not called, onBeforeRender
> > > resets the token string, so submitting from the refreshed page won't
> > > register as an error.
> > >
> > > Our JSP version of this involves putting the token string in session and
> > > also saving a copy to a hidden field on the JSP page. Which I think is
> > > similar (although maybe a bit more complex) to what Martijn was
> > > suggesting.
> > >
> > > Thanks for all your suggestions.
> > >
> > > Joel
> > >
> >
> > --
> > View this message in context:
> > http://www.nabble.com/Double-submit-problem-tp15957979p16275106.html
> > Sent from the Wicket - User mailing list archive at Nabble.com.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
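
The race laz describes above (a second submit entering onSubmit before the token is reset), as an added example that is not part of the original thread and is not Wicket code. OneTimeToken is a hypothetical class, assumed to be held one per session; it checks and clears the token in a single atomic step, and it goes beyond the posted field by drawing the token from SecureRandom and comparing in constant time.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;

/** Hypothetical per-session holder for a single-use form token (not a Wicket class). */
public class OneTimeToken {
    private static final SecureRandom RNG = new SecureRandom();
    private final AtomicReference<String> current = new AtomicReference<>(); // null = no submit allowed

    /** Called when the form is rendered: replaces any previous token. */
    public String issue() {
        String token = new BigInteger(128, RNG).toString(32);
        current.set(token);
        return token;
    }

    /** Check and clear in one atomic step, so only one concurrent submit can win. */
    public boolean consume(String submitted) {
        String expected = current.get();
        if (expected == null || submitted == null) return false;
        boolean same = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        // compareAndSet fails if another thread already consumed or re-issued the token.
        return same && current.compareAndSet(expected, null);
    }

    public static void main(String[] args) throws InterruptedException {
        OneTimeToken session = new OneTimeToken();   // constructed demo: one instance per session
        String token = session.issue();
        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] submits = new Thread[8];            // eight simultaneous submits of the same form
        for (int i = 0; i < submits.length; i++) {
            submits[i] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                if (session.consume(token)) accepted.incrementAndGet();
            });
            submits[i].start();
        }
        start.countDown();
        for (Thread t : submits) t.join();
        System.out.println("accepted=" + accepted.get() + ", replay=" + session.consume(token));
    }
}
```

Because the compare and the reset are one compareAndSet, no lock on the session or the session id is needed, and a token re-issued by a later render invalidates any submit still carrying the old one.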