Thanks Jörn for sharing your solution!
I also just found a similar one by Uwe Schaefer:
http://www.codesmell.org/blog/2008/12/wicket-secureform/

Cheers, Uwe.

On Tue, May 26, 2009 at 2:43 PM, Jörn Zaefferer
<joern.zaeffe...@googlemail.com> wrote:
> Thanks guys! The end result looks like this, works fine, and removed a
> lot of HTML boilerplate from our templates:
>
> public SecureForm(String id, IModel<T> model) {
>     super(id, model);
>     setMarkupId(id);
>     add(new IFormValidator() {
>         @Override
>         public void validate(Form<?> form) {
>             // the hidden field is plain markup, not a component, so read the raw request parameter
>             String submitted = getRequest().getParameter("csrf-protection");
>             // only enforced in DEPLOYMENT mode; logs the expected value alongside the submitted one
>             if (Application.get().getConfigurationType().equals(Application.DEPLOYMENT)
>                     && !csrfProtection().equals(submitted)) {
>                 log.warn("potential csrf attack, submitted value: " + submitted
>                     + ", expected: " + csrfProtection());
>                 form.error("wrong csrf protection cookie");
>             }
>         }
>
>         @Override
>         public FormComponent<?>[] getDependentFormComponents() {
>             return null; // no FormComponent dependencies: the token is not in the component tree
>         }
>     });
> }
>
> @Override
> protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
>     // write the hidden token field directly into the form body, before the normal content
>     getResponse().write(new AppendingStringBuffer("<input type=\"hidden\" name=\"csrf-protection\" value=\"")
>         .append(csrfProtection()).append("\" />"));
>     super.onComponentTagBody(markupStream, openTag);
> }
>
> Jörn
>
> On Tue, May 26, 2009 at 2:23 PM, Jörn Zaefferer
> <joern.zaeffe...@googlemail.com> wrote:
>> The current component (the HiddenField) checks that the same value
>> that it started with, is submitted. I'll try to replace that using a
>> form validator that reads the parameter directly.
>>
>> Thanks
>> Jörn
>>
>> On Tue, May 26, 2009 at 1:32 PM, Maarten Bosteels
>> <mbosteels....@gmail.com> wrote:
>>> When you write it out with oncomponenttagbody it's not part of the
>>> component hierarchy, it's just rendered markup.
>>> Once the form is submitted, you can retrieve the value using the servlet
>>> API.
>>> What behavior would you want to add on top ?
>>>
>>> Maarten
>>>
>>>
>>> On Tue, May 26, 2009 at 12:17 PM, Jörn Zaefferer <
>>> joern.zaeffe...@googlemail.com> wrote:
>>>
>>>> How is that going to fix the problem? I'd end up with markup, but no
>>>> behaviour on top of it.
>>>>
>>>> Jörn
>>>>
>>>> On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg <igor.vaynb...@gmail.com>
>>>> wrote:
>>>> > right, so remove that code since you have replaced that component with
>>>> > pure markup.
>>>> >
>>>> > -igor
>>>> >
>>>> > On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer
>>>> > <joern.zaeffe...@googlemail.com> wrote:
>>>> >> That was the idea. But Wicket still can't find the component markup
>>>> >> when looking for it. The form adds this elsewhere:
>>>> >>
>>>> >> add(new HiddenField<String>("csrf-protection", new Model<String>(csrfProtection()))
>>>> >>     .setRequired(true)
>>>> >>     .add(new IValidator<String>() {
>>>> >>         public void validate(IValidatable<String> validatable) {
>>>> >>             // reject the submission unless the value the field started with comes back unchanged
>>>> >>             if (!csrfProtection().equals(validatable.getValue())) {
>>>> >>                 log.warn("potential csrf attack, submitted value: "
>>>> >>                     + validatable.getValue() + ", expected: " + csrfProtection());
>>>> >>                 validatable.error(new ValidationError().setMessage("wrong csrf protection cookie"));
>>>> >>             }
>>>> >>         }
>>>> >>     }));
>>>> >>
>>>> >> Jörn
>>>> >>
>>>> >> On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg <igor.vaynb...@gmail.com>
>>>> wrote:
>>>> >>> if you write it out in oncomponenttagbody then you don't need it in the
>>>> >>> markup anymore.
>>>> >>>
>>>> >>> -igor
>>>> >>>
>>>> >>> On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer
>>>> >>> <joern.zaeffe...@googlemail.com> wrote:
>>>> >>>> Hi,
>>>> >>>>
>>>> >>>> my application uses a form subclass everywhere for CSRF protection.
>>>> >>>> Each form needs a hidden field like this: <input type="hidden"
>>>> >>>> wicket:id="csrf-protection" />
>>>> >>>> The wicket component for that is added by the form subclass
>>>> >>>> (SecureForm) which all other forms in the application extend.
>>>> >>>>
>>>> >>>> Currently each form has to include that markup somewhere, producing a
>>>> >>>> lot of duplication.
>>>> >>>>
>>>> >>>> I'm looking for a way to get rid of that duplication. An approach I'm
>>>> >>>> currently investigating is to generate the markup, similar to how Form
>>>> >>>> generates a hidden input in its onComponentTagBody:
>>>> >>>>
>>>> >>>> @Override
>>>> >>>> protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
>>>> >>>>     String nameAndId = get("csrf-protection").getId();
>>>> >>>>     AppendingStringBuffer buffer = new AppendingStringBuffer("<input type=\"hidden\" name=\"")
>>>> >>>>         .append(nameAndId).append("\" />");
>>>> >>>>     getResponse().write(buffer);
>>>> >>>>     super.onComponentTagBody(markupStream, openTag);
>>>> >>>> }
>>>> >>>>
>>>> >>>> That doesn't work, Wicket throws an exception of a missing reference
>>>> >>>> in markup anyway. Likely because this just writes to the response, not
>>>> >>>> extending the markup.
>>>> >>>> I also don't see any way to achieve this via MarkupStream or ComponentTag.
>>>> >>>>
>>>> >>>> Any ideas?
>>>> >>>>
>>>> >>>> Regards
>>>> >>>> Jörn Zaefferer
>>>> >>>>
>>>> >>>> ---------------------------------------------------------------------
>>>> >>>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>>>> >>>> For additional commands, e-mail: users-h...@wicket.apache.org
>>>> >>>>
>>>> >>>>

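A complete version of the pattern the thread converges on (token written as raw markup in onComponentTagBody, checked by an IFormValidator that reads the request parameter directly, as Maarten suggested), written here as an added example. It is not Jörn's, Uwe Schaefer's or Wicket's own code, and it targets the Wicket 1.4 API the thread uses (getRequest().getParameter(), Application.DEPLOYMENT-era classes; Wicket 1.5 and later changed the request API). The class and member names (SecureForm, PARAM, CSRF_TOKEN, csrfToken(), tokenMatches()), the slf4j logger and the use of Session metadata to hold one random token per session are all assumptions of this example. It also departs from the thread's code in three places a reviewer would flag: the check runs in every configuration type rather than only in DEPLOYMENT, the expected token is never written to the log, and the comparison uses MessageDigest.isEqual (constant-time in Java 6u17 and later) instead of String.equals.

```java
// Added example: a Wicket 1.4 form that renders and validates its own CSRF token.
// Not from the thread; names, the session-metadata token store and slf4j are assumptions.
package example; // hypothetical package

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.SecureRandom;

import org.apache.wicket.MetaDataKey;
import org.apache.wicket.Session;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.MarkupStream;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.FormComponent;
import org.apache.wicket.markup.html.form.validation.IFormValidator;
import org.apache.wicket.model.IModel;
import org.apache.wicket.util.string.AppendingStringBuffer;
import org.apache.wicket.util.string.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SecureForm<T> extends Form<T> {
    private static final long serialVersionUID = 1L;
    private static final Logger log = LoggerFactory.getLogger(SecureForm.class);

    /** Request parameter name of the hidden field. It is plain markup, not a wicket:id. */
    static final String PARAM = "csrf-protection";

    /** Session metadata slot holding one random token per session (assumed design). */
    private static final MetaDataKey<String> CSRF_TOKEN = new MetaDataKey<String>() {
        private static final long serialVersionUID = 1L;
    };

    public SecureForm(String id, IModel<T> model) {
        super(id, model);
        add(new IFormValidator() {
            private static final long serialVersionUID = 1L;

            public FormComponent<?>[] getDependentFormComponents() {
                return null; // the token is not a FormComponent, so there are no dependencies
            }

            public void validate(Form<?> form) {
                // The field was written as raw markup and is not in the component tree,
                // so read it straight from the request parameters (Wicket 1.4 API).
                String submitted = getRequest().getParameter(PARAM);
                if (!tokenMatches(submitted)) {
                    // Log the event without echoing the expected token.
                    log.warn("CSRF token mismatch on form {} ({})", getId(),
                        submitted == null ? "no token submitted" : "wrong token submitted");
                    form.error("Invalid CSRF token");
                }
            }
        });
    }

    @Override
    protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
        // Emit the hidden field ahead of the form body; escaping keeps any future token
        // format from breaking out of the attribute, even though hex never needs it.
        getResponse().write(new AppendingStringBuffer("<input type=\"hidden\" name=\"")
            .append(PARAM).append("\" value=\"")
            .append(Strings.escapeMarkup(csrfToken()).toString()).append("\" />"));
        super.onComponentTagBody(markupStream, openTag);
    }

    /** Returns the session's token, creating a 128-bit SecureRandom one on first use. */
    static String csrfToken() {
        Session session = Session.get();
        String token = session.getMetaData(CSRF_TOKEN);
        if (token == null) {
            byte[] raw = new byte[16];
            new SecureRandom().nextBytes(raw);
            StringBuilder hex = new StringBuilder(32);
            for (byte b : raw) {
                hex.append(String.format("%02x", b));
            }
            token = hex.toString();
            session.setMetaData(CSRF_TOKEN, token);
            session.dirty(); // make sure the new token is persisted with the session
        }
        return token;
    }

    /** Constant-time comparison so the check cannot leak the token through timing. */
    static boolean tokenMatches(String submitted) {
        if (submitted == null) {
            return false;
        }
        Charset utf8 = Charset.forName("UTF-8");
        return MessageDigest.isEqual(csrfToken().getBytes(utf8), submitted.getBytes(utf8));
    }
}
```

Subclasses keep the thread's usage: extend SecureForm instead of Form and the template needs no csrf-protection markup at all. Because the token lives in session metadata rather than a cookie, a forged cross-site POST cannot supply it, which is the property the hidden field is there for; rotating it per session (rather than per form) is enough for this purpose and avoids breaking multi-tab use.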