Posted to users@wicket.apache.org by Sergey Podatelev <br...@gmail.com> on 2008/06/06 19:35:35 UTC

How reliable Validators are?

Hello,

I'm wondering, how safe is it to use a custom validator to check the current
password of the logged-in user when he wants to change his password (say,
on a profile page)?
Are there any potential security issues that can allow a user to pass
validation?

-- 
sp

Re: How reliable Validators are?

Posted by James Carman <ja...@carmanconsulting.com>.
You would be inside the constructor of a page (or component) when you
instantiate the validator (presumably).  That page (or component)
could have a @SpringBean injected into it.  Then, it can pass that
injected reference into the constructor of the validator.

On Fri, Jun 6, 2008 at 6:31 PM, Patrick Angeles <pa...@inertiabev.com> wrote:
>
> That doesn't work either... b/c the validator instance has already been
> set...
>
> @SpringBean would work, but the Validator will need to manually invoke the
> Injector in its own constructor.
>
> Or you can use http://code.google.com/p/salve/ which is what we do.
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: How reliable Validators are?

Posted by Patrick Angeles <pa...@inertiabev.com>.
That doesn't work either... b/c the validator instance has already been
set...

@SpringBean would work, but the Validator will need to manually invoke the
Injector in its own constructor.

Or you can use http://code.google.com/p/salve/ which is what we do.



jwcarman wrote:
> 
> I meant from some other class (a Component) that had the bean
> injected.  That class could then pass its injected dependency into the
> validator's constructor.

-- 
View this message in context: http://www.nabble.com/How-reliable-Validators-are--tp17697642p17702421.html
Sent from the Wicket - User mailing list archive at Nabble.com.




Re: How reliable Validators are?

Posted by James Carman <ja...@carmanconsulting.com>.
I meant from some other class (a Component) that had the bean
injected.  That class could then pass its injected dependency into the
validator's constructor.

On Fri, Jun 6, 2008 at 3:53 PM, Igor Vaynberg <ig...@gmail.com> wrote:
> not without manually injecting the validator or making validate an
> inner/anon class so it can access component's fields.
>
> -igor



Re: How reliable Validators are?

Posted by Igor Vaynberg <ig...@gmail.com>.
not without manually injecting the validator or making validate an
inner/anon class so it can access component's fields.

-igor

On Fri, Jun 6, 2008 at 12:46 PM, James Carman
<ja...@carmanconsulting.com> wrote:
> You can, however, pass in an object obtained via injection with the
> @SpringBean annotation.



Re: How reliable Validators are?

Posted by James Carman <ja...@carmanconsulting.com>.
You can, however, pass in an object obtained via injection with the
@SpringBean annotation.

On Fri, Jun 6, 2008 at 3:42 PM, Patrick Angeles <pa...@inertiabev.com> wrote:
>
> Another difference, if you have to do a database roundtrip (which you will
> likely need to verify a password) then the code for the validator is a bit
> more complicated. You have to take into account the fact that this gets
> serialized/deserialized as part of the page so you can't just pass a DB
> connection or hibernate session in the constructor.



Re: How reliable Validators are?

Posted by Patrick Angeles <pa...@inertiabev.com>.
Another difference, if you have to do a database roundtrip (which you will
likely need to verify a password) then the code for the validator is a bit
more complicated. You have to take into account the fact that this gets
serialized/deserialized as part of the page so you can't just pass a DB
connection or hibernate session in the constructor.



Eelco Hillenius wrote:
> 
>> But can you please explain, why wouldn't you use validator for this?
> 
> I think that's just personal preference. Validators are reusable,
> while putting a check in onSubmit isn't. Whether that matters depends
> on your project and the context you do the check in.
> 
> Eelco

-- 
View this message in context: http://www.nabble.com/How-reliable-Validators-are--tp17697642p17699825.html
Sent from the Wicket - User mailing list archive at Nabble.com.




Re: How reliable Validators are?

Posted by Eelco Hillenius <ee...@gmail.com>.
> But can you please explain, why wouldn't you use validator for this?

I think that's just personal preference. Validators are reusable,
while putting a check in onSubmit isn't. Whether that matters depends
on your project and the context you do the check in.

Eelco



Re: How reliable Validators are?

Posted by Sven Meier <sv...@meiers.net>.
As I wrote, it's just my personal taste how I would do it:
For a password check usually another component is involved (the user
name and/or a password retype), so this is no good case for IValidator.
You could use an IFormValidator, but then you can equally well just put
the check into onSubmit().

I'm not eager to explain my definition of 'heavy'. Next time I'll just
write a sloppy response about validators working 90% of the time ;).

Sven

Igor Vaynberg schrieb:
> what exactly is "heavy" ?
>
> a validator accessing the database? why is that heavy?
>
> it keeps a reference to the object that does the database check? why
> is that heavy? there are plenty of things to make the lookup
> lightweight such as wicket-spring and salve.
>
> what exactly is too heavy about something like a UserNameValidator
> that does everything to validate a username?
>
> -igor
>




Re: How reliable Validators are?

Posted by Eelco Hillenius <ee...@gmail.com>.
On Fri, Jun 6, 2008 at 1:22 PM, Sergey Podatelev
<br...@gmail.com> wrote:
> Well yeah, actually, I'm using Wicket-Spring, so onValidate() takes just
> about two lines:
>
> protected void onValidate(IValidatable validatable) {
>   // value submitted in the current-password field
>   String password = (String) validatable.getValue();
>   // userId is the logged-in user's id held by the validator
>   if (!((MyApplication) Application.get()).getUserDao().verifyPassword(userId, password)) {
>     error(validatable);
>   }
> }

I think it really doesn't matter much whether you put it in a
validator or directly in onSubmit. If it is something you reuse, put
it in a validator to avoid code validation. Otherwise, do whatever is
best readable. Another consideration is that if you have multiple
validations, it can get ugly to have to put in multiple if/then
blocks (if validation x fails the set error, else save y kind of
stuff), and validators are a bit nicer in that way because they are
like pluggable checks that block form processing if any of them fails.

Eelco



Re: How reliable Validators are?

Posted by Sergey Podatelev <br...@gmail.com>.
Well yeah, actually, I'm using Wicket-Spring, so onValidate() takes just
about two lines:

protected void onValidate(IValidatable validatable) {
  // value submitted in the current-password field
  String password = (String) validatable.getValue();
  // userId is the logged-in user's id held by the validator
  if (!((MyApplication) Application.get()).getUserDao().verifyPassword(userId, password)) {
    error(validatable);
  }
}

On Fri, Jun 6, 2008 at 11:52 PM, Igor Vaynberg <ig...@gmail.com>
wrote:

> what exactly is "heavy" ?
>
> a validator accessing the database? why is that heavy?
>
> it keeps a reference to the object that does the database check? why
> is that heavy? there are plenty of things to make the lookup
> lightweight such as wicket-spring and salve.
>
> what exactly is too heavy about something like a UserNameValidator
> that does everything to validate a username?
>
> -igor
>


-- 
sp
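Added example, not code from this thread or from Wicket itself: one way to wire up the pieces discussed above. A reusable current-password validator receives the wicket-spring proxy from the page (James's suggestion) and keeps only serializable state (Patrick's concern), takes the user's identity from the session rather than from the request, and the retype check that Sven describes as a two-component case is done with an IFormValidator. onSubmit() is reached only after every check has passed, which is Eelco's "pluggable checks" point. Wicket 1.3-era API (raw IValidatable, no generics) is assumed; UserService, MySession and their methods are hypothetical names that stand in for whatever your application provides.

```java
// Added example (not from the thread). Assumes Wicket 1.3-era API and
// wicket-spring. UserService, MySession and their methods are hypothetical.
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.validation.EqualPasswordInputValidator;
import org.apache.wicket.model.Model;
import org.apache.wicket.spring.injection.annot.SpringBean;
import org.apache.wicket.validation.IValidatable;
import org.apache.wicket.validation.validator.AbstractValidator;

/** Hypothetical Spring-managed service; the DAO/LDAP round trip lives behind it. */
interface UserService {
    boolean verifyPassword(String username, String candidate);
    void changePassword(String username, String newPassword);
}

/** Hypothetical view of the session that knows who is logged in. */
interface MySession {
    String getUsername();
}

/**
 * Reusable check for a "current password" field. Its only state is a String
 * and the wicket-spring proxy handed in by the page, both serializable, so no
 * DB connection or Hibernate session is written to the page store when Wicket
 * serializes the page between requests.
 */
public class CurrentPasswordValidator extends AbstractValidator {
    private final String username;
    private final UserService users;

    public CurrentPasswordValidator(String username, UserService users) {
        this.username = username;
        this.users = users;
    }

    @Override
    protected void onValidate(IValidatable validatable) {
        String candidate = (String) validatable.getValue();
        // Runs server-side on every submit of the form this field belongs to;
        // a client cannot skip it. An empty value is rejected here as well, so
        // the check does not depend on setRequired() alone.
        if (candidate == null || candidate.length() == 0
                || !users.verifyPassword(username, candidate)) {
            error(validatable); // message key defaults to "CurrentPasswordValidator"
        }
    }
}

/** Profile page wiring the validator into the change-password form. */
class ChangePasswordPage extends WebPage {
    @SpringBean
    private UserService users; // lazy, serializable proxy injected by wicket-spring

    public ChangePasswordPage() {
        // Identity comes from the authenticated session, never from a request
        // parameter, so the check is bound to the user who is actually logged in.
        final String username = ((MySession) getSession()).getUsername();

        final PasswordTextField current = new PasswordTextField("current", new Model());
        final PasswordTextField fresh = new PasswordTextField("fresh", new Model());
        final PasswordTextField confirm = new PasswordTextField("confirm", new Model());

        Form form = new Form("form") {
            @Override
            protected void onSubmit() {
                // Only reached when every validator on this form passed for this
                // request; a failed check routes to onError() instead.
                users.changePassword(username, (String) fresh.getModelObject());
            }
        };
        // Single-field check: an IValidator attached to the component.
        current.add(new CurrentPasswordValidator(username, users));
        // Two-field check: an IFormValidator, since it needs both components.
        form.add(new EqualPasswordInputValidator(fresh, confirm));
        form.add(current);
        form.add(fresh);
        form.add(confirm);
        add(form);
    }
}
```

PasswordTextField keeps its default of not re-rendering submitted values, so a rejected attempt does not echo the candidate back into the markup. The comparison itself belongs inside verifyPassword(), against the stored hash, and the candidate should never reach a log line from either the validator or the service.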

Re: How reliable Validators are?

Posted by Igor Vaynberg <ig...@gmail.com>.
what exactly is "heavy" ?

a validator accessing the database? why is that heavy?

it keeps a reference to the object that does the database check? why
is that heavy? there are plenty of things to make the lookup
lightweight such as wicket-spring and salve.

what exactly is too heavy about something like a UserNameValidator
that does everything to validate a username?

-igor

On Fri, Jun 6, 2008 at 12:03 PM, Sven Meier <sv...@meiers.net> wrote:
> The password check will probably require an access to your
> database/ldap/whatever, so your validator will need a reference to some
> singleton objects (service/dao/...).
>
> For my taste this is too heavy for a validator.
>
> Sven
>



Re: How reliable Validators are?

Posted by Sven Meier <sv...@meiers.net>.
The password check will probably require an access to your 
database/ldap/whatever, so your validator will need a reference to some 
singleton objects (service/dao/...).

For my taste this is too heavy for a validator.

Sven

Sergey Podatelev schrieb:
> Okay, that is something I expected.
> But can you please explain, why wouldn't you use validator for this?
> It seems to be a good way to encapsulate certain functionality and if it
> can't be bypassed, there're no security issues also.
> Still, you'd use a check in onSubmit().
>
> I'm just trying to understand if I maybe missing something here :)
>




Re: How reliable Validators are?

Posted by Sergey Podatelev <br...@gmail.com>.
Okay, that is something I expected.
But can you please explain, why wouldn't you use validator for this?
It seems to be a good way to encapsulate certain functionality and if it
can't be bypassed, there're no security issues also.
Still, you'd use a check in onSubmit().

I'm just trying to understand if I maybe missing something here :)

On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <sv...@meiers.net> wrote:

> Well, if your validator doesn't approve the entered password your form will
> never accept the submit.
> There's no way to bypass the validation.
>
> I'd prefer to check a password in onSubmit() though - but YMMV.
>
> Sven
>


-- 
sp

Re: How reliable Validators are?

Posted by Sven Meier <sv...@meiers.net>.
Well, if your validator doesn't approve the entered password your form 
will never accept the submit.
There's no way to bypass the validation.

I'd prefer to check a password in onSubmit() though - but YMMV.

Sven

Sergey Podatelev schrieb:
> Hello,
>
> I'm wondering, how safe is it to use a custom validator to check the current
> password of the logged-in user when he wants to change his password (say,
> on a profile page)?
> Are there any potential security issues that can allow a user to pass
> validation?
>




Re: How reliable Validators are?

Posted by Sergey Podatelev <br...@gmail.com>.
I agree, not only are they useless, they are also pretty boring, I mean no
potential flaws or unlocked doors you have to worry about.
I'm glad there's finally a framework that doesn't eliminate the fun of
dealing with the unpredictability of its components.

I'm sorry though if the stupidity of my question bothered you.


On Fri, Jun 6, 2008 at 10:03 PM, Igor Vaynberg <ig...@gmail.com>
wrote:

> wicket validators have been designed to work up to 90% of the time.
> there is a heuristic that determines when the validator should stop
> the form from submitting and when not. we find that validators that
> work 100% of the time are just not as useful.
>
> -igor
>


-- 
sp

Re: How reliable Validators are?

Posted by Igor Vaynberg <ig...@gmail.com>.
wicket validators have been designed to work up to 90% of the time.
there is a heuristic that determines when the validator should stop
the form from submitting and when not. we find that validators that
work 100% of the time are just not as useful.

-igor

On Fri, Jun 6, 2008 at 10:35 AM, Sergey Podatelev
<br...@gmail.com> wrote:
> Hello,
>
> I'm wondering, how safe is it to use a custom validator to check the current
> password of the logged-in user when he wants to change his password (say,
> on a profile page)?
> Are there any potential security issues that can allow a user to pass
> validation?
>
> --
> sp
>
