Posted to dev@wicket.apache.org by Mark Sandori <ms...@gmail.com> on 2007/05/07 20:31:55 UTC

Securing form submission with action token

I am looking at making a version of the Form component that supports the
"action token" pattern for securing forms against cross-site request forgery
(XSRF) and cross-site script includes (XSSI). The basic idea is to have the
form generate a unique id that must be submitted along with the form. This
verifies that the form was not forged and generated outside of the
application.

I would love your input as to whether this will work (I am not an expert on
all the versioning and pagemap stuff yet, but I think the form should always
be submitted to the same instance regardless of back button, etc.) and
whether this should be part of the base form component.

Below is the version of the form that I have created. The verification of
the token happens in an overridden validate() method. I would have preferred
to override onFormSubmitted, but it is marked as final (at least in 1.2.5,
which is what I am using). In 2.0 there appears to be "fake submit" handling,
but it is not clear how this should work. If this is already being handled,
let me know...

Thanks for your time.


import java.util.UUID;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Wicket 1.2.x package names; from 1.3 on the root package is org.apache.wicket
import wicket.authorization.Action;
import wicket.authorization.UnauthorizedActionException;
import wicket.markup.ComponentTag;
import wicket.markup.MarkupStream;
import wicket.markup.html.form.Form;
import wicket.model.IModel;
import wicket.util.string.AppendingStringBuffer;

public class SecureForm extends Form
{
    // static, so the logger is still there after the page (and this form) has been
    // serialized and deserialized; a transient instance field would come back null
    private static final Logger logger = LoggerFactory.getLogger(SecureForm.class);

    // per-form-instance token, persisted with the page like any other component state
    private final String actionToken;

    public SecureForm(final String id)
    {
        this(id, null);
    }

    public SecureForm(final String id, IModel model)
    {
        super(id, model);

        // generate a unique action token stored with this form
        // (UUID.randomUUID() is backed by a cryptographically strong RNG)
        actionToken = UUID.randomUUID().toString();
    }

    @Override
    protected void onComponentTagBody(final MarkupStream markupStream, final ComponentTag openTag)
    {
        // render the hidden field carrying the token; the value is a UUID, so it needs
        // no markup escaping. Note the fixed id attribute: two SecureForms on one page
        // would render duplicate element ids.
        AppendingStringBuffer buffer = new AppendingStringBuffer(
                "<div style=\"display:none\"><input type=\"hidden\" name=\"");
        buffer.append(getActionTokenHiddenFieldId())
                .append("\" id=\"")
                .append(getActionTokenHiddenFieldId())
                .append("\" value=\"")
                .append(actionToken)
                .append("\" /></div>");
        getResponse().write(buffer);

        // do the rest of the processing
        super.onComponentTagBody(markupStream, openTag);
    }

    @Override
    protected void validate()
    {
        // verify that the token was provided and matches the one rendered with this
        // form instance; a missing parameter yields null, which equals() rejects
        String token = getRequest().getParameter(getActionTokenHiddenFieldId());

        if (!actionToken.equals(token))
        {
            logger.warn("Attempted unauthorized form submission.");
            throw new UnauthorizedActionException(this, new Action("SECUREFORM.SUBMIT"));
        }

        super.validate();
    }

    private String getActionTokenHiddenFieldId()
    {
        return "_actiontoken";
    }
}
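
The same synchronizer-token check written as a stand-alone Java class, added here as an illustration; it is not code from the original post or from Wicket. It generalizes the per-form-instance UUID above to one random secret per session with a per-form token derived from it by HMAC-SHA256, so that a back-button or re-rendered copy of the same form still verifies (the pagemap and versioning concern raised in the post), and it compares the submitted value in constant time. The Session class, the form ids "filter-form" and "login-form" and the parameter name "_actiontoken" are assumed stand-ins for the real session and form components; main() simulates one genuine submission and three forged ones.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical session-scoped synchronizer-token helper (illustration only, not Wicket code).
 * One random secret per session; each form gets a token derived from that secret and the
 * form id, so every rendering of the same form in the same session carries the same token.
 */
public final class CsrfTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String HMAC = "HmacSHA256";

    /** Stand-in for the server-side session object; holds the per-session secret. */
    public static final class Session {
        private final byte[] secret = new byte[32];
        public Session() { RNG.nextBytes(secret); }
    }

    /** Token to embed in the hidden field of the form identified by formId. */
    public static String tokenFor(Session session, String formId) {
        try {
            Mac mac = Mac.getInstance(HMAC);
            mac.init(new SecretKeySpec(session.secret, HMAC));
            byte[] tag = mac.doFinal(formId.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    /** True only if the submitted value equals the token expected for this session and form. */
    public static boolean verify(Session session, String formId, String submitted) {
        if (submitted == null) {
            return false; // parameter absent: what a form built on another origin looks like
        }
        byte[] expected = tokenFor(session, formId).getBytes(StandardCharsets.UTF_8);
        byte[] actual = submitted.getBytes(StandardCharsets.UTF_8);
        return constantTimeEquals(expected, actual);
    }

    /** Compare without an early exit so response time does not reveal how long a matching prefix was. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        Session victim = new Session();
        String formId = "filter-form"; // assumed form id, standing in for the Wicket component id

        // Token from the page the application rendered for the victim (first or re-rendered copy).
        String fromRenderedPage = tokenFor(victim, formId);
        System.out.println("genuine submission accepted: " + verify(victim, formId, fromRenderedPage));

        // Forged cross-site submission: the attacker's page can make the victim's browser POST
        // with the victim's cookies, but cannot read the token, so it is absent or guessed.
        System.out.println("missing token rejected:      " + !verify(victim, formId, null));
        String attackerGuess = tokenFor(new Session(), formId); // a token from some other session
        System.out.println("guessed token rejected:      " + !verify(victim, formId, attackerGuess));

        // A different form on the same page gets a different token; swapping them is rejected too.
        System.out.println("other form's token rejected: " + !verify(victim, "login-form", fromRenderedPage));
    }
}
```

The design choice relative to the per-instance UUID in the post: a session-scoped token survives the back button and any number of re-renders, which is what makes it fit a stateful page map, but a token leaked from any rendering of the form stays valid for the rest of the session. Binding the token to the form id keeps one form's token from being replayed against another.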

Re: Securing form submission with action token

Posted by Igor Vaynberg <ig...@gmail.com>.
Is this kind of attack feasible? Wicket URLs are session-relative, so the
URL of the form is not stable.

-igor


On 5/7/07, Mark Sandori <ms...@gmail.com> wrote:

Re: Securing form submission with action token

Posted by Eelco Hillenius <ee...@gmail.com>.
And if it is really a great concern, people can implement their own
strategy that e.g. works on UUIDs or such. That'd be impossible to
guess.

Eelco

On 5/8/07, Johan Compagner <jc...@gmail.com> wrote:

Re: Securing form submission with action token

Posted by Johan Compagner <jc...@gmail.com>.
WebUrlCompressing is random, but it is only "stable" if you walk to that page
with that form in exactly the same way in all your new sessions.

But because it is session relative, that user first has to go to that page
(because it has to exist), then to another site that then guesses the exact
same thing with the compressing URL? That sounds very unlikely, if possible.

johan


On 5/7/07, Mark Sandori <ms...@gmail.com> wrote:

Re: Securing form submission with action token

Posted by Mark Sandori <ms...@gmail.com>.
I am using WebURLCompressingCodingStrategy so the URLs are more compact, but
it still seems like someone could potentially fake a request, because only
part of the URL is session-specific and it is not entirely random.

I will take a look at the CryptedUrlWebRequestCodingStrategy to see if that
takes care of it.

Thanks guys!!

On 5/7/07, Eelco Hillenius <ee...@gmail.com> wrote:

Re: Securing form submission with action token

Posted by Eelco Hillenius <ee...@gmail.com>.
I might be overlooking something, but I doubt whether you need it, as
submissions to pages already are safe. It's very unlikely others can
guess session-relative URLs (like <form
action="wf_component?wicket:interface=wf_component:3:content:tabs:tabs:panel:filter-form:1:IFormSubmitListener:").
But if you want more security you can implement your own request
coding strategy, or e.g. use something like
CryptedUrlWebRequestCodingStrategy. That sounds like a better idea to
me than implementing special-purpose functionality in forms.

Eelco


On 5/7/07, Bruno Borges <br...@gmail.com> wrote:

Re: Securing form submission with action token

Posted by Bruno Borges <br...@gmail.com>.
Isn't this already implemented in Wicket's core?

-- 
Bruno Borges
Summa Technologies Inc.
www.summa-tech.com
(48) 8404-1300
(11) 3055-2060

On 5/7/07, Mark Sandori <ms...@gmail.com> wrote: