I changed the design of the fine-grained protection mechanism. The insertCSRFToken method and its logic are moved into the components using AOP techniques. A class transformation inserts component-specific insertCSRFToken methods into the internal Tapestry components, each tailored to that specific component. Additionally, a generic XPath-based insertCSRFToken can be used for any kind of component. The mixin is then quite simple and just calls the insertCSRFToken method. To make this possible, all modified components implement the CSRFProtectable interface.
The demonstration app now also contains a BeanEditForm, which introduces some new problems. The @Protected annotation also needs to work at page level, because for components used in templates it is not possible to add the annotation to an event handler.
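To make the design concrete, here is an added sketch (not the project's code) of how a CSRFProtectable component, a thin mixin and a token service fit together; the CSRFTokenManager class, the field name "csrfToken" and the session key are assumptions, while the Tapestry annotations and the Request/Session/MarkupWriter types are the real Tapestry 5 API.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.tapestry5.MarkupWriter;
import org.apache.tapestry5.annotations.BeginRender;
import org.apache.tapestry5.annotations.InjectContainer;
import org.apache.tapestry5.annotations.MixinAfter;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Session;

/** Implemented by every component the class transformation modifies. */
interface CSRFProtectable {
    /** Component-specific: a Form writes a hidden field, a link appends a parameter, etc. */
    void insertCSRFToken(MarkupWriter writer, String fieldName, String token);
}

/** Hypothetical service: one random secret per session, verified in constant time. */
class CSRFTokenManager {
    private static final String SESSION_KEY = "csrf.token"; // assumed key name
    private final SecureRandom random = new SecureRandom();

    synchronized String tokenFor(Session session) {
        String token = (String) session.getAttribute(SESSION_KEY);
        if (token == null) {
            byte[] raw = new byte[32];              // 256 bits of entropy
            random.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(SESSION_KEY, token);
        }
        return token;
    }

    /** Called by the @Protected handling on submit; never leaks timing of the mismatch. */
    boolean verify(Session session, String submitted) {
        String expected = session == null ? null : (String) session.getAttribute(SESSION_KEY);
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(), submitted.getBytes());
    }
}

/** The mixin itself only delegates to the container; the container knows how to emit the token. */
@MixinAfter
public class CSRFProtection {
    @InjectContainer private CSRFProtectable container;
    @Inject private Request request;
    @Inject private CSRFTokenManager tokens;

    @BeginRender
    void insertToken(MarkupWriter writer) {
        Session session = request.getSession(true);
        container.insertCSRFToken(writer, "csrfToken", tokens.tokenFor(session));
    }
}
```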