thx jörn for sharing ur solution! i also just found a similar one by uwe schaefer: http://www.codesmell.org/blog/2008/12/wicket-secureform/
cheers uwe.

On Tue, May 26, 2009 at 2:43 PM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
> Thanks guys! The end result looks like this, works fine, and removed a
> lot of html boilerplate from our templates:
>
> public SecureForm(String id, IModel<T> model) {
>     super(id, model);
>     setMarkupId(id);
>     add(new IFormValidator() {
>         @Override
>         public void validate(Form<?> form) {
>             String submitted = getRequest().getParameter("csrf-protection");
>             if (Application.get().getConfigurationType().equals(Application.DEPLOYMENT)
>                     && !csrfProtection().equals(submitted)) {
>                 log.warn("potential csrf attack, submitted value: " + submitted +
>                     ", expected: " + csrfProtection());
>                 form.error("wrong csrf protection cookie");
>             }
>         }
>
>         @Override
>         public FormComponent<?>[] getDependentFormComponents() {
>             return null;
>         }
>     });
> }
>
> @Override
> protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
>     getResponse().write(new AppendingStringBuffer("<input type=\"hidden\" name=\"csrf-protection\" value=\"")
>         .append(csrfProtection()).append("\" />"));
>     super.onComponentTagBody(markupStream, openTag);
> }
>
> Jörn
>
> On Tue, May 26, 2009 at 2:23 PM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
>> The current component (the HiddenField) checks that the same value
>> that it started with is submitted. I'll try to replace that using a
>> form validator that reads the parameter directly.
>>
>> Thanks
>> Jörn
>>
>> On Tue, May 26, 2009 at 1:32 PM, Maarten Bosteels <mbosteels....@gmail.com> wrote:
>>> When you write it out with oncomponenttagbody it's not part of the
>>> component hierarchy, it's just rendered markup.
>>> Once the form is submitted, you can retrieve the value using the servlet API.
>>> What behavior would you want to add on top?
>>>
>>> Maarten
>>>
>>> On Tue, May 26, 2009 at 12:17 PM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
>>>> How is that going to fix the problem? I'd end up with markup, but no
>>>> behaviour on top of it.
>>>>
>>>> Jörn
>>>>
>>>> On Mon, May 25, 2009 at 5:52 PM, Igor Vaynberg <igor.vaynb...@gmail.com> wrote:
>>>>> right, so remove that code since you have replaced that component with
>>>>> pure markup.
>>>>>
>>>>> -igor
>>>>>
>>>>> On Mon, May 25, 2009 at 8:48 AM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
>>>>>> That was the idea. But Wicket still can't find the component markup
>>>>>> when looking for it. The form adds this elsewhere:
>>>>>>
>>>>>> add(new HiddenField<String>("csrf-protection", new Model<String>(csrfProtection()))
>>>>>>     .setRequired(true)
>>>>>>     .add(new IValidator<String>() {
>>>>>>         public void validate(IValidatable<String> validatable) {
>>>>>>             log.warn("potential csrf attack, submitted value: " +
>>>>>>                 validatable.getValue() + ", expected: " + csrfProtection());
>>>>>>             validatable.error(new ValidationError().setMessage("wrong csrf protection cookie"));
>>>>>>         }
>>>>>>     }));
>>>>>>
>>>>>> Jörn
>>>>>>
>>>>>> On Mon, May 25, 2009 at 5:44 PM, Igor Vaynberg <igor.vaynb...@gmail.com> wrote:
>>>>>>> if you write it out in oncomponenttagbody then you dont need it in the
>>>>>>> markup anymore.
>>>>>>>
>>>>>>> -igor
>>>>>>>
>>>>>>> On Mon, May 25, 2009 at 6:32 AM, Jörn Zaefferer <joern.zaeffe...@googlemail.com> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> my application uses a form subclass everywhere for CSRF protection.
>>>>>>>> Each form needs a hidden field like this:
>>>>>>>> <input type="hidden" wicket:id="csrf-protection" />
>>>>>>>> The wicket component for that is added by the form subclass
>>>>>>>> (SecureForm) which all other forms in the application extend.
>>>>>>>>
>>>>>>>> Currently each form has to include that markup somewhere, producing a
>>>>>>>> lot of duplication.
>>>>>>>>
>>>>>>>> I'm looking for a way to get rid of that duplication. An approach I'm
>>>>>>>> currently investigating is to generate the markup, similar to how Form
>>>>>>>> generates a hidden input in its onComponentTagBody:
>>>>>>>>
>>>>>>>> @Override
>>>>>>>> protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
>>>>>>>>     String nameAndId = get("csrf-protection").getId();
>>>>>>>>     AppendingStringBuffer buffer = new AppendingStringBuffer(
>>>>>>>>         "<input type=\"hidden\" name=\"").append(nameAndId).append("\" />");
>>>>>>>>     getResponse().write(buffer);
>>>>>>>>     super.onComponentTagBody(markupStream, openTag);
>>>>>>>> }
>>>>>>>>
>>>>>>>> That doesn't work, Wicket throws an exception about a missing reference
>>>>>>>> in markup anyway. Likely because this just writes to the response, not
>>>>>>>> extending the markup.
>>>>>>>> I also don't see any way to achieve this via MarkupStream or ComponentTag.
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Jörn Zaefferer
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>>>>>>>> For additional commands, e-mail: users-h...@wicket.apache.org
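A fuller version of the SecureForm pattern from the thread, added here as an example (not code from the thread or from the Wicket project): the token is a SecureRandom value pinned to the session, a missing parameter is rejected, and the comparison is constant-time. It assumes Wicket 1.4-era APIs (getRequest().getParameter, WebSession) and that the application's session factory returns the assumed SecureSession class; csrfToken() and PARAM are this example's own names.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import org.apache.wicket.Request;
import org.apache.wicket.Session;
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.MarkupStream;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.FormComponent;
import org.apache.wicket.markup.html.form.validation.IFormValidator;
import org.apache.wicket.model.IModel;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.util.string.AppendingStringBuffer;

// Assumed session class: one random hex token per session, created lazily.
class SecureSession extends WebSession {
    private static final SecureRandom RNG = new SecureRandom();
    private String csrfToken;
    public SecureSession(Request request) { super(request); }
    public synchronized String csrfToken() {
        if (csrfToken == null) {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);
            StringBuilder hex = new StringBuilder();
            for (byte b : raw) hex.append(String.format("%02x", b));
            csrfToken = hex.toString();   // hex only, so safe to embed in an attribute
        }
        return csrfToken;
    }
}

public class SecureForm<T> extends Form<T> {
    private static final String PARAM = "csrf-protection";
    public SecureForm(String id, IModel<T> model) {
        super(id, model);
        add(new IFormValidator() {
            public void validate(Form<?> form) {
                String submitted = getRequest().getParameter(PARAM);
                String expected = ((SecureSession) Session.get()).csrfToken();
                // Missing token is rejected; MessageDigest.isEqual compares in constant time.
                if (submitted == null
                        || !MessageDigest.isEqual(submitted.getBytes(), expected.getBytes())) {
                    form.error("wrong csrf protection token");
                }
            }
            public FormComponent<?>[] getDependentFormComponents() { return null; }
        });
    }
    @Override protected void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
        // Render the hidden field directly, as in the thread, so templates carry no markup for it.
        getResponse().write(new AppendingStringBuffer("<input type=\"hidden\" name=\"").append(PARAM)
            .append("\" value=\"").append(((SecureSession) Session.get()).csrfToken()).append("\" />"));
        super.onComponentTagBody(markupStream, openTag);
    }
}
```

Unlike the thread's version, the check is not gated on Application.DEPLOYMENT, so development-mode runs exercise the same validation path.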