Posted to dev@tapestry.apache.org by Markus Jung <ma...@gmail.com> on 2011/05/24 20:04:25 UTC

Generic Protected mixin for multiple components

Hi,

currently I have a generic mixin called Protected that I can use for all
components to inject the CSRF token. 

So the usage looks like:
<t:actionlink t:id="logout" t:mixins="Protected">Logout</t:actionlink>
or
<form t:type="form" t:id="statusForm" t:mixins="Protected">

In the mixin I have an if/else-if structure where I use the instanceof
operator to determine the exact component:

@InjectContainer
private ClientElement container;
...
if (container instanceof Form) {
    ...
} else if (container instanceof AbstractLink) {
    ...
}

Q1: Is there a better way to do that? The usage of instanceof may have a
negative impact on performance. I could use a separate mixin for each
component, but I wouldn't see that as a nice solution.

If it is a Form component I just add an element:

Element formElement = writer.getElement();
formElement.element("input", "type", "hidden", "name", "formtoken", "value", token);

For an AbstractLink I extract the href attribute and add the formtoken
parameter.

Q2: What name should be used for the CSRF protection parameter and where
should I put that constant? Is there some strategy to avoid naming
conflicts?

Q3: In Tapestry 4 the Form component provided a method addHiddenValue
(http://tapestry.apache.org/tapestry4/tapestry/apidocs/org/apache/tapestry/form/Form.html#addHiddenValue%28java.lang.String,%20java.lang.String%29).
In Tapestry 5 this method is gone. Is there still some programmatic way to
put a hidden field in a form component? My idea was to add this field before
the form is rendered; what would be the best way to avoid modifying the
rendered markup? Especially for the AbstractLink component it would be
nice to have an addParameter method.

Thanks for your help!
Markus 

--
View this message in context: http://tapestry.1045711.n5.nabble.com/Generic-Protected-mixin-for-mulitple-components-tp4422923p4422923.html
Sent from the Tapestry - Dev mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org
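One way to write the Protected mixin for Tapestry 5, as an added example rather than code from the thread: it keeps the instanceof dispatch from the question, uses the BeforeRenderBody phase so the container's own element is still open when the token is written, and rewrites a link's href with forceAttributes() because attribute() does not replace an existing value. The session key, the token generation and the constant name are assumptions, and the class is assumed to live in the application's mixins package.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import org.apache.tapestry5.ClientElement;
import org.apache.tapestry5.MarkupWriter;
import org.apache.tapestry5.annotations.BeforeRenderBody;
import org.apache.tapestry5.annotations.InjectContainer;
import org.apache.tapestry5.corelib.base.AbstractLink;
import org.apache.tapestry5.corelib.components.Form;
import org.apache.tapestry5.dom.Element;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Session;

// Adds the session's CSRF token to the Form or AbstractLink the mixin is attached to.
public class Protected {
    public static final String TOKEN_PARAMETER = "formtoken"; // name used in the thread
    private static final String SESSION_KEY = "csrf.token";   // assumption: token kept in the session
    @InjectContainer private ClientElement container;
    @Inject private Request request;

    // A mixin's BeforeRenderBody runs after the container's BeginRender, so the <form> or <a>
    // element is already written and still open: writer.getElement() returns exactly that element.
    @BeforeRenderBody
    void addToken(MarkupWriter writer) {
        String token = sessionToken();
        Element element = writer.getElement();
        if (container instanceof Form) {
            element.element("input", "type", "hidden", "name", TOKEN_PARAMETER, "value", token);
        } else if (container instanceof AbstractLink) {
            String href = element.getAttribute("href");
            if (href != null) { // no href (e.g. a disabled link): nothing to rewrite
                String sep = href.indexOf('?') < 0 ? "?" : "&";
                // Element.attribute() never overrides an existing attribute; forceAttributes() does.
                element.forceAttributes("href", href + sep + TOKEN_PARAMETER + "=" + token);
            }
        }
    }

    // One random token per session; base-32 digits need no URL encoding.
    private String sessionToken() {
        Session session = request.getSession(true);
        String token = (String) session.getAttribute(SESSION_KEY);
        if (token == null) {
            token = new BigInteger(160, new SecureRandom()).toString(32);
            session.setAttribute(SESSION_KEY, token);
        }
        return token;
    }
}
```

The server side still has to compare the submitted formtoken against the session value on every form submission and action request; this mixin only emits it.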


Re: Generic Protected mixin for multiple components

Posted by Markus Jung <ma...@gmail.com>.
I would appreciate the way like Lenny described it.

The advantage is that it opens the possibility of a generic solution.

Let's say that I have the mixin Protected and in the afterRender Phase it
calls the insertCSRFToken() method of the container.

I can use class transformation to modify all component classes that are
placed in the components package (or sub-packages) of the Tapestry project
and check if the insertCSRFToken() is provided. If it is not provided I can
inject a component specific insertCSRFToken() method for the core components
or a generic method for user created components that uses XPath to get all
<form> and <a> elements of the container and inserts the token (if it is not
already there).

Advantage:
-) Protected mixin works out of the box for every tapestry and user created
component
-) CSRF protection logic is injected

If the generic insertCSRFToken() does not work for a user specific component
the following options exist:
-) provide the insertCSRFToken() method for the user component
-) disable CSRF protection by configuration
-) disable auto insertCSRFToken injection by configuration

Issues with that approach:
-) I have to transform all component classes to implement an interface named
for example TokenContainer that defines the insertCSRFToken() method. In the
mixin I check the container element to be a TokenContainer and then call the
insertCSRFToken(). Otherwise I would need to use reflection to manually call
insertCSRFToken() since the method is not available at compile time.

Thanks for the input, this is a great help.

--
View this message in context: http://tapestry.1045711.n5.nabble.com/Generic-Protected-mixin-for-mulitple-components-tp4422923p4425831.html
Sent from the Tapestry - Dev mailing list archive at Nabble.com.



Re: Generic Protected mixin for multiple components

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Tue, 24 May 2011 19:19:39 -0300, Lenny Primak <lp...@hope.nyc.ny.us>  
wrote:

> For Q1 I would use a class transformation technique to add a method to
> each component that inserts the CSRF token, i.e. InsertCSRFToken(), and
> call that from the mixin. That way there are no if statements and it's
> easier just to implement this globally.

I would have a different mixin for each different component type, each one  
having an afterRender() method, and have a class transformation applying  
these mixins to components accordingly.

-- 
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,  
and instructor
Owner, Ars Machina Tecnologia da Informação Ltda.
http://www.arsmachina.com.br



Re: Generic Protected mixin for multiple components

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
For Q1 I would use a class transformation technique to add a method to each component that
inserts the CSRF token, i.e. InsertCSRFToken(), and call that from the mixin.
That way there are no if statements and it's easier just to implement this globally.
