Looking at our implementation, we are using an AjaxFormComponentUpdatingBehavior to trigger our data save.
Even though we do a have parent form the onSubmit is never called. Is there an alternative to the onMethodMismatch ? ————————— Eric Hamel Senior Project Manager Albany Information Technology Group C. 518-698-4503 > On Oct 16, 2020, at 4:32 PM, Martin Grigorov <mgrigo...@apache.org> wrote: > > On Fri, Oct 16, 2020, 23:27 Eric Hamel <dantehick...@gmail.com> wrote: > >> I apologize in advance for my vague question. Our Wicket 8 based >> application was submitted to pen testing from our EISO. While I understand >> the finding, I'm not 100% sure I understand the problem nor do I know how >> to address it. >> >> In one of our complex forms that uses Ajax Calls to automatically update >> the DB when the fields lose focus, the tester made the following remark: >> >> Applications accepts GET requests for coded POST Ajax calls – parameters >> can be passed in URL >> >> It appears that through his "fuzzer", even though our requests are marked >> as POST, it still processes GET requests. Is there a way to enforce POST ? >> Is there any way to mitigate this issue globally from a configuration >> standpoint ? >> > > > See Form#onMethodMismatch() > >> --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org