In grails it is easy to add tokens to prevent form double submission and also the click hijacking.
Just add useToken="true" to the form tag:
<g:form ... useToken="true" >
But, this is not available for formRemote tag. I know that I can do normal form and write js code to transform them into ajax froms with token, but because of that is odd that is not supported by default in the formRemote tag.
Any reason for this, or is just (another) bug in Grails?
Related
For passing XSRF token with Struts2 forms, I have to put the token tag inside all forms. The baseline jsp in tiles-def can't have an all-encompassing form.
Have you ever extended the form tag to include token tag by default or know of some library that does that?
I haven't explored Freemarker template, so do not know if this is feasible or not. If there are no existing solution, I'll try to build my own.
To consolidate from the comments section,
1) Create a new theme
2) Extend "form-close.ftl" to this
<#s.token/>
<#include "/${parameters.templateDir}/xhtml/form-close.ftl" />
Add tokenSession (or token) interceptor in your stack.
With these changes, all struts forms will have a struts-token added without specifying <s:token> in each of them.
For wizard forms, is there any way we can configure the primefaces 4.0 make and client side validation instead of ajax validation?!
According to user guide the ajax validation is built in:
AJAX and Partial Validations
Switching between steps is based on ajax,
meaning each step is loaded dynamically with ajax. Partial validation
is also built-in, by this way when you click next, only the current
step is validated, if the current step is valid, next tab’s contents
are loaded with ajax. Validations are not executed when flow goes
back.
I think it can be done, if I can call primeface validation manually. Then below code will do the job:
<p:wizard showNavBar="false" widgetVar="wiz">
...
</p:wizard>
<h:outputLink value="#" onclick="PF('wiz').checkClientValidation();">Next</h:outputLink>
<h:outputLink value="#" onclick="PF('wiz').checkClientValidation();">Back</h:outputLink>
Any comments? Can I call client validation manually? Do you think above is good solution!
You can use a commandButton instead of outputLink and set the validateClient=true attribute.
Validations happen in the ValidationsPhase, so its partially client side only.
You don't need to trigger validation manually on the client side.
Is there any reason you have to use the outputLink ?
If you want to check the status of validations on the client side then you can use :
Example :
oncomplete="if (!args.validationFailed){PF('dialogId').show(); }"
Are there any way to call spring webflow action at primefaces in p:selectOneMenu?
There are two dependent combobox like as primefaces example.(link) But i want to call action which is defined at webflow transtion therefore i could not use p:ajax with actionlistener.
After search,i tried to use p:remoteCommand to call action.It execute action when parent combo change,but it also give captcha validation error (captcha at same form),therefore i set process="#this" to p:remoteCommand, when i set that i could not execute action.
You should be using remoteCommand to invoke SWF action. If you only want to submit a value for some components you can use process="componentIds" to send only the values of specified components. You may also want 'immediate=true' on the remoteCommand to skip JSF validation - this should stop error messages from captcha validation.
However, in my experience its not a good idea to use SWF actions for tasks like refreshing dependent comboboxes. Primefaces partial rendering is much better suited for this, and does not require gimmicks like SWF tags.
Please post your XML if immediate=true does not work.
How to validate a struts form loaded from ajax using form property validate="true"? (Maybe is better way than copy generated javascript in function that do submit form))
<s:form validate="true">
</sform>
is only useful, if you wanna do client validation, which only works with theme xhtml/ajax.
here is a link to explain how to implement client validation with struts2, i hope it helps you.
struts2 form vlidation
I have a "change password" page that needs to hash any passwords entered on the page via Javascript before sending. To complicate it, the page is loaded via a jQuery load() call, and is submitted by a jQuery.Form ajaxForm() call. Had everything working in MVC2, but MVC3 is giving me trouble.
That is, I have a page with a "Change Password" link that when clicked, loads the change password page into a jQuery modal popup, then the form on the change password page get's submitted via the jQuery.Form library (Essentially just wraps a $.ajax call), and returns it's result into the modal same modal popup.
Essentially, I have a model with two properties, OldPassword and NewPassword. I have two hidden fields generated by by view for these. They hold the hashed value of two other fields, PrehashOldPassword and PrehashNewPassword, and get updated via keyup events (I know, this means it does a whole SHA256 hash on every keyup... inefficient, but got the job doen for testing). The key here is that the regex validation and required field validation needs to be executed on these Prehash fields, which exist on the client side only (As obviously I don't want to transmit these fields to the server in any way).
So I manually create these two and add on the data-val-* attributes to the elements, i.e. they are NOT generated by the MVC helpers, etc. I am guessing that this is where I'm missing something. When the form submits with all fields empty, all of the errors popup that should, but the form goes right ahead and submits anyway.
==
So the things I've tried:
Yes, the unobtrusive library parse() method already get's called to parse the AJAX loaded form contents, and it appears to get all of the data validation stuff correctly, since I see the errors show up as fields blur(), and when I hit submit (before the ajax request completes and replaces the content of the popup).
Possible note: this call to the unobtrusive library's parse method happens AFTER the AJAX successfully loads the change password page into the popup... the AJAX form submit binding is put on document.ready of the loaded content, ergo, the AJAX form submission binding MAY be binding prior to, and thus firing before, the validation calls that the parse method may bind to the submit event...
However, (1) I am doing this same sort of thing in other places without issue, the ONLY DIFFERENCE being that I am manually putting these data-val-* attributes on elements I am creating manually! And (2), if I cause some kind of error on the OldPassword or NewPassword fields, i.e. a required field validation error by not loading a value into them, they display their error, and successfully STOP the form from submitting through the jQuery.Form method.
So I think something has to be wrong here:
<input id="PrehashNewPassword" type="password" name="PrehashNewPassword" data-val-required="The password field is required." data-val-regex-pattern="<%= RegexHelper.PasswordRegularExpression %>" data-val-regex="<%= RegexHelper.PasswordRegularExpressionError %>" data-val="true" />
I know that jquery.validate is getting the rules right, since I DO see the errors. It's just not stopping the form from submitting when their is an error in these manually generated elements, unless I do something like this, and add a pre-submit callback on the form's AJAX submission:
$("#ChangePasswordForm").ajaxForm({
beforeSubmit: function () { if (!$('#ChangePasswordForm').valid()) { return false; } },
target: '#overlay'
});
While this works, it is kind of ugly and I believe it causes the validation to be called twice... Not a huge deal, but less than ideal. So is there some other call that I need to make in the unobtrusive library to bind these?
Not sure if you found the problem, but you may try to
return false
in there if the form is not valid...
.
.
.
if (!$('form').valid()) {
return false;
}
// JSON POST...
.
.
.
If that doesn't work, then you could try to use:
$.validator.unobtrusive.parse($("#dynamicData"));
after dynamically adding your custom inputs. "dynamicData" is the ID of an element wrapped around the form
above found from here: http://weblogs.asp.net/imranbaloch/archive/2011/03/05/unobtrusive-client-side-validation-with-dynamic-contents-in-asp-net-mvc.aspx
Out of interest, what happens if you just get the form to validate?
<script type="text/javascript">
$("form").submit(function (evt) {
// validate here should trigger invalid fields
$('form').valid();
// JSON POST...
// stop form submitting
evt.preventDefault();
});
</script>