Posted to users@tapestry.apache.org by Gareth <g0...@yahoo.co.uk> on 2006/11/27 17:35:25 UTC

Linking Tapestry to Online Payment Provider

Hi,

Apologies for this being seen as slightly off topic.

I'm trying to link my Tapestry application to the online payment provider NoChex.

They provide an interface page which I must forward to in order to pass responsibility for the currency transfer to them; this is either:

<GET>
url="https://www.nochex.com/nochex.dll/checkout?email=mysales@myco.com&amount=4.45"

or
<POST>



        <input type="text" name="email">

        <input type="text" name="amount">

</form>

My opinion was that to redirect / forward using a link from my webpage to theirs would be open to abuse since users could manually tweak the price by manipulating JavaScript.  Is this understanding correct?

To prevent it, the only solution I could think of was to keep pricing and product details in the session, then redirect from a server side listener.

This works in the GET format, but I can't see how to convert it to a POST.  Also, if it were a POST, I can't see how to set the response attributes (as if the form were submitted).  Is there an easy way of doing this from Tapestry?

The reason I wish to send a POST redirect as opposed to a GET is that I believe the user could manipulate the URL parameters if it is in that format.

I'd be really grateful if someone could clarify this whole issue for me please, as I'm new to this whole concept of online security (having never taken payments online before), and I can't seem to find any data sources to confirm / disprove my current understanding.

I've used raw J2EE before, but never to manually craft a POST response.

Many thanks

Gareth







---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
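
An added example, not part of the original post and not NoChex or Tapestry code: the session-based approach described above in plain Java, deriving the amount from server-side prices and building the GET URL quoted in the post. Any value sent through the browser, whether as URL parameters or as form fields, can be altered by the user, so the sketch also records the expected total and compares it with the amount later reported as paid. The class and member names are hypothetical, the catalogue is constructed sample data, and how the provider reports the paid amount is not covered in the thread, so paidInFull takes it as a plain argument.

```java
import java.math.BigDecimal;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class CheckoutRedirect {
    // Constructed sample catalogue; stands in for the server-side price store.
    static final Map<String, BigDecimal> PRICES = Map.of(
            "widget", new BigDecimal("4.45"),
            "gadget", new BigDecimal("12.00"));

    // Expected totals keyed by order id, kept server-side (session or database).
    static final Map<String, BigDecimal> EXPECTED = new HashMap<>();

    // The total comes only from server-side prices; no client-supplied amount is read.
    static BigDecimal total(Map<String, Integer> cart) {
        BigDecimal sum = BigDecimal.ZERO;
        for (Map.Entry<String, Integer> line : cart.entrySet()) {
            BigDecimal price = PRICES.get(line.getKey());
            if (price == null || line.getValue() <= 0) {
                throw new IllegalArgumentException("bad cart line: " + line.getKey());
            }
            sum = sum.add(price.multiply(BigDecimal.valueOf(line.getValue())));
        }
        return sum;
    }

    // Builds the GET URL from the post and remembers what this order should cost.
    static String redirectUrl(String orderId, Map<String, Integer> cart) {
        BigDecimal amount = total(cart);
        EXPECTED.put(orderId, amount);
        return "https://www.nochex.com/nochex.dll/checkout?email="
                + URLEncoder.encode("mysales@myco.com", StandardCharsets.UTF_8)
                + "&amount=" + amount.toPlainString();
    }

    // The URL still passes through the browser, so compare what was paid with what was expected.
    static boolean paidInFull(String orderId, BigDecimal reportedAmount) {
        BigDecimal expected = EXPECTED.get(orderId);
        return expected != null && expected.compareTo(reportedAmount) == 0;
    }

    public static void main(String[] args) {
        System.out.println(redirectUrl("order-1", Map.of("widget", 1)));
        System.out.println(paidInFull("order-1", new BigDecimal("4.45")));
        System.out.println(paidInFull("order-1", new BigDecimal("0.01")));
    }
}
```

Goods should be released only when paidInFull returns true for the order, never on the strength of the redirect having been issued.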


Re: Linking Tapestry to Online Payment Provider

Posted by spamsucks <sp...@rhoderunner.com>.
May I ask a little more about what your application does?  Is it just a 
shopping cart?

I have written Tapestry applications that integrate with payment providers 
(payproflow, skipjack and cybersource), and am currently adding this feature 
to a security framework that I have written that will allow users to make 
purchases via credit card.  http://www.authsum.org  (uses Tapestry of 
course!)

I was wondering if perhaps there is a match here.

phillip


