Rename AntiForgeryToken Hidden Input Name from __RequestVerificationToken - asp.net

(Doing this to obfuscate ASP.NET MVC Framework in web app.)
Have renamed the cookie name with static AntiForgeryConfig class via Helpers in Application_Start.
Global.asax:
AntiForgeryConfig.CookieName = "Test";
But still obvious AntiForgeryToken is being used due to input name:
Front End:
<input name="__RequestVerificationToken" type="hidden" value="blahblahblah" />
Arguably the value smells of MVC with encoding but not really sure what to do about this. (Different issue really but comments/other approaches welcomed and appreciated regardless.)

After checking the source code on CodePlex, it appears that this value is hard-coded as a constant. So there's no easy way of changing this value. You can see this here: http://aspnetwebstack.codeplex.com/SourceControl/latest#src/System.Web.WebPages/Helpers/AntiForgeryConfig.cs
I'm surprised it's not configurable. Anyways, it appears that what you want to do is not possible.
However, I advise you to create a feature request on CodePlex and hope they will implement it.
Note: If you want to go really hardcore, you could always download the code and make the modification, but this will probably give you more problems than it solves.

The answer to this StackOverflow question should get you started.
Changing the input name is non-trivial. Both the Html.AntiForgeryToken helper and the ValidateAntiForgeryToken attribute rely on the input name being "__RequestVerificationToken". If you want it to be something else, you will need to drop down into using the AntiForgery API and create your own versions of both helper and attribute to validate against your chosen name.
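As an added example (not code from either answer, nor from the ASP.NET source linked above), here is the "drop down into the AntiForgery API" approach the last answer describes: a helper that renders the hidden field under a name of your choosing, and an authorization filter that validates it. The field name `__rv` and the helper/attribute names are arbitrary assumptions; `AntiForgery.GetTokens`, `AntiForgery.Validate`, `AntiForgeryConfig.CookieName` and `AntiForgeryConfig.RequireSsl` are the public System.Web.Helpers API that ships with MVC 4.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Renders the anti-forgery field under a custom name and validates it.
// The cookie name still comes from AntiForgeryConfig.CookieName, which the
// question already sets in Application_Start.
public static class RenamedAntiForgery
{
    // Assumed field name; any value works as long as helper and filter agree.
    public const string FieldName = "__rv";

    // Usage in a Razor view: @Html.RenamedAntiForgeryToken()
    public static MvcHtmlString RenamedAntiForgeryToken(this HtmlHelper html)
    {
        HttpContextBase ctx = html.ViewContext.HttpContext;
        HttpCookie cookie = ctx.Request.Cookies[AntiForgeryConfig.CookieName];
        string oldCookieToken = cookie != null ? cookie.Value : null;

        string newCookieToken, formToken;
        AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);

        // GetTokens hands back a new cookie token only when the existing one is
        // missing or unusable; otherwise the current cookie stays in place.
        if (newCookieToken != null)
        {
            ctx.Response.Cookies.Set(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
            {
                HttpOnly = true,
                Secure = AntiForgeryConfig.RequireSsl
            });
        }

        // TagBuilder attribute-encodes the value, so the token cannot break out of the tag.
        var input = new TagBuilder("input");
        input.Attributes["type"] = "hidden";
        input.Attributes["name"] = FieldName;
        input.Attributes["value"] = formToken;
        return MvcHtmlString.Create(input.ToString(TagRenderMode.SelfClosing));
    }
}

// Counterpart of [ValidateAntiForgeryToken] for the renamed field.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class ValidateRenamedAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;
        string formToken = request.Form[RenamedAntiForgery.FieldName];

        // Throws HttpAntiForgeryException when either token is absent or when the
        // cookie and form tokens do not match (including a mismatched user identity).
        AntiForgery.Validate(cookieToken, formToken);
    }
}
```

Apply `[ValidateRenamedAntiForgeryToken]` to the POST action in place of `[ValidateAntiForgeryToken]`. Renaming the field only hides which framework is in use; the protection itself rests entirely on `AntiForgery.Validate`, so keep the cookie `HttpOnly` and, when the site runs over HTTPS, `Secure`, as above.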

How to override resource (.resx) behaviour

We are applying localization in our application by using resx files and using it by calling Resources.Resource.Key and the ResourceManager class to get the values of keys. Currently we are facing an issue that in some languages single (') and double quotes (") are appearing while in the English resource there is no such thing. The problem is that when we call JavaScript methods like alert('value') in code, it crashes because a single quote within another single quote does not work. I know there is a way to handle it by replacing the single quote with "\'" but in order to fix this I need to write this code throughout the application. Is there any workaround so that whenever I call the resource in the ways I mentioned earlier, one method is automatically called in which I can modify the value returned by the resource? Waiting for your valuable suggestions. Thanks
Anywhere you're referencing resources you should HTML encode the output. If you're using ASP.NET WebForms you can use <%: Resources.Strings.Something %>. If you're using the Razor view engine then it will be HTML encoded by default.
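Added illustration, not part of the answer above: which encoder to use depends on where the resource string lands. HTML encoding is right for markup, but the question's `alert('value')` is a JavaScript string context, where an HTML-encoded apostrophe either shows up literally (inside a `<script>` block) or is decoded back into a raw quote before the script runs (inside an `onclick` attribute). .NET 4 ships a JavaScript string encoder as `HttpUtility.JavaScriptStringEncode`. The class and method names below, and the sample string, are assumptions.

```csharp
using System.Web;

// Helpers that pick the encoder by output context (names are assumptions).
public static class LocalizedOutput
{
    // Constructed sample resembling the localized strings the question describes.
    public const string Sample = "L'utilisateur \"admin\" n'existe pas <b>ici</b>";

    // Markup context, e.g. <p>@LocalizedOutput.ForHtml(Resources.Strings.Something)</p>.
    // This is what <%: %> in WebForms and @ in Razor already do.
    public static string ForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // JavaScript string inside a <script> block:
    //   alert(@Html.Raw(LocalizedOutput.ForJsLiteral(Resources.Strings.Something)));
    // The second argument wraps the result in double quotes, so callers add none.
    // Quotes and backslashes are escaped and angle brackets become \u escapes, so the
    // literal can neither terminate the string nor close the script block.
    public static string ForJsLiteral(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value, true);
    }

    // JavaScript inside an HTML attribute, e.g. onclick="alert(...)":
    // the browser HTML-decodes the attribute first and only then parses JavaScript,
    // so encode for JavaScript first and for the attribute second.
    public static string ForJsInAttribute(string value)
    {
        return HttpUtility.HtmlAttributeEncode(HttpUtility.JavaScriptStringEncode(value, true));
    }
}
```

Wrapping `ResourceManager` access in one such class is the "single method that is automatically called" the question asks for: the call site states its context once, and the apostrophe problem and the script-injection problem are solved by the same encoder.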

Retrieve the form method from Spring-mvc's RequestDataValueProcessor

I want to retrieve the http method of the spring's <form:form> tag from inside a RequestDataValueProcessor in order to generate different hidden fields depending on it. I have access to the form action, but it seems there is no way to retrieve the http method of the form.
I am using Spring 3.2.
Edit: I have added an example.
Imagine the form below being retrieved with GET. What I want is to read the method parameter of the <form:form> tag in order to add a hidden field depending on the method. Obviously, I can't use request.getMethod() because this would return the method of the original request, not the method of the form being processed by RequestDataValueProcessor.
<form:form action="/foo/bar" method="post" modelAttribute="${modelAttribute}" >
<form:input path="myField" />
<input id="proceed" type="submit" value="Save" />
</form:form>
It seems that there is a pending issue to allow access to the form method in RequestDataValueProcessor.
This is the issue: https://jira.springsource.org/browse/SPR-10041
Definitely an open issue on Spring, but it doesn't look like it's going to be addressed soon.
Here is what you can do.. it's not straightforward though, so weigh the cost vs benefit before you start :)
RequestDataValueProcessor will not work for you; you already know that. The way the FormTag is programmed, it calls specific methods (hooks) from the value processor at specific times during the execution of the form tag.
You can create your own custom form tag, which will do everything Spring's form tag does, either by composition or inheritance. But in addition, you can call your own Value-Processor-esque class when the form method is detected by the tag. This class can then decide what additional steps you want to take, and you can then use the regular ValueProcessor to add hidden fields as you see fit.
These questions talk about how to extend spring's tags, by creating your own: SpringMVC Custom Form Tags and Create a custom tag library which extends the Spring tag library.
Also look at the source code of the FormTag https://github.com/SpringSource/spring-framework/blob/master/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java. See how the protected processAction method calls the value processor hook, you'll have to do something similar, but in the getMethod method.
Hope this answer makes sense, let me know if you want me to re-phrase or elaborate any point.
Happy programming!
A little more information would be helpful such as what version of Spring you are using.
From the Spring 3.2 API Documentation for RequestDataValueProcessor, I see that there are four (4) methods that you could possibly be working within. In each of those, you have access to the HttpServletRequest.
Accordingly, you have access to whatever HTTP Method the inbound request was made with by calling (link):
request.getMethod()
This should give you exactly what you're looking for.

What is a good approach to bind an entityproxy to a UI component?

I'm currently working on a GWT project. The thing is, I find it very hard to believe that I need to repeat some boilerplate over and over to bind the data from an EntityProxy (say a getSomeData() method) to a UI component (say a TextBox).
How do you guys overcome this issue? For now I have to create a method to read from the TextBox and set it to the EntityProxy, and a method to write to the TextBox after reading from the EntityProxy.
Basically, it's always the same! i.e.:
// Update the text box
T someData = entity.getSomeData();
textBox.setText(someData);
// Update the entity
String value = textBox.getText();
entity.setSomeData(value);
You get my point? I'm aware there is no Reflection on the client side. I could use deferred binding but I'm not sure how, or if it is a good approach with RequestFactory's EntityProxys.
Thank you
I use the technique you have defined in your question to push and collect data from my controls. Recently I have found out that there is a built-in feature of GWT called Editors. I didn't have a chance to try it myself yet, but perhaps you want to check it out; it seems promising. Also, here is another useful link from Thomas Broyer's blog about Editors.

Looking for a good technique for storing email templates

I am building a site in which we are making moderate use of email templates. As in, HTML templates which we pass tokens into like {UserName}, {Email}, {NameFirst}, etc.
I am struggling with where to store these, as far as best practice goes. I'll first show the approach I took, and I'd be really excited to hear some expert perspective as a far as alternate approaches.
I created HTML templates in a folder called /Templates/.
I call a static method in my service layer, which takes in the following arguments:
UserName
UserID
Email
TemplatePath ("~/Templates")
Email Subject
Within the service layer I have my static method SendUserEmail() which makes use of a Template class - which takes a path, loads it as a string, and has a AddToken() Method.
Within my static SendUserEmail(), I build the token list off of the method signature, and send the email.
This makes for a quite long method call in my actual usage, especially since I am calling from the web.config the "TemplatePath", and "Email Subject". I could create a utility that has a shorter method call than the ConfigurationManager.AppSettings, but my concern is more that I don't usually see method signatures this long and I feel like it's because I'm doing something wrong.
This technique works great for the emails I have now, which at the most are using the first 3 tokens. However in the future I will have more tokens to pass in, and I'm just wondering what approach to take.
Do I create methods specific to the email needing to be sent? ie. SendNewUserRegistration(), SendMarketingMaterial(), and each has a different signature for the parameters?
I am using ASP.NET Membership, which contains probably the extent of all the fields I'll ever need. There are three main objects, aspnet_User, aspnet_Membership and aspnet_Profile. If it was all contained in one object, I would have just passed that in. Are there performance concerns with passing in all 3 to get all the fields I need? That is versus just passing in aspnet_User.UserID, aspnet_User.Email, etc.?
I could see passing in a dictionary with the token entries, but I'm just wondering if that is too much to ask of the calling page?
Is there a way to stick these in a config file of its own called Templates.config, which has tags like -
<Templates>
<EmailTemplate Name="New User Registration">
<Tokens>
<UserName>
<UserID>
<Email>
</Tokens>
<Message Subject="Hi welcome...">
Hi {UserName}...
</Message>
</EmailTemplate>
</Templates>
I guess the main reason I'm asking, is because I'm having a hard time determining where the responsibility should be as far as determining what template to use, and how to pass in parameters. Is it OK if the calling page has to build the dictionary of TokenName, TokenValue? Or should the method take each in as a defined parameter? This looks out of place in the web.config, because I have 2 entries for and , and it feels like it should look more nested.
Thank you. Any techniques or suggestions of an objective approach I can use to ask whether my approach is OK.
First of all I would like to suggest you use NVelocity as a template engine. As for the main problem, I think you can create an abstract class MailMessage and derive one for every needed message (with a unique template). So you will use this like the following:
MailMessage message = new UserRegistrationMessage(tokens);
//some code that sends this message
Going this way you force each concrete XXXMessage class to be responsible for storing a template and filling it with the given tokens. How to deal with tokens? The simplest way is to create a dictionary before passing it to the message, so each concrete message class will know how to deal with the passed dictionary and what tokens it should contain, but you also need to remember what tokens it should contain. Another way (I like it more) is to create a general abstract type TokenSet and a derived one for every needed unique set of tokens. For example you can create a UserMessageTokenSet : TokenSet and several properties in it:
UserNameToken
SomeUserProfileDataToken
etc. So using this way you will always know, what data you should set for each token set and
UserRegistrationMessage will know what to take from this tokenSet.
There are a lot of ways to go. If you describe your task better, I will try to suggest something more concrete. But the general idea is listed above. Hope it helps =)
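The abstract-message design from the answer above, as an added example (not the answerer's code): one base class owns template loading and token substitution, and each concrete message declares its own template and token set, so the calling page never builds a dictionary. The template folder, class names and the `{Token}` syntax follow the question; the `Render` method, the unknown-token check and the HTML encoding of values are assumptions added here. The encoding matters because token values such as UserName and Email are user-supplied and the templates are HTML.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text.RegularExpressions;

// Base class: knows how to load a template and fill its {Token} placeholders.
public abstract class TemplatedMailMessage
{
    private static readonly Regex TokenPattern = new Regex(@"\{(\w+)\}", RegexOptions.Compiled);

    protected abstract string TemplateName { get; }        // file name without extension
    public abstract string Subject { get; }
    protected abstract IDictionary<string, string> Tokens { get; }

    // Assumed layout: <templateRoot>/<TemplateName>.html, matching the question's ~/Templates folder.
    protected virtual string ReadTemplate(string templateRoot)
    {
        return File.ReadAllText(Path.Combine(templateRoot, TemplateName + ".html"));
    }

    public string Render(string templateRoot)
    {
        IDictionary<string, string> tokens = Tokens;
        return TokenPattern.Replace(ReadTemplate(templateRoot), match =>
        {
            string value;
            if (!tokens.TryGetValue(match.Groups[1].Value, out value))
            {
                // Fail loudly: a template that references a token the message does not
                // supply would otherwise silently ship with "{Token}" in the body.
                throw new InvalidOperationException("Template references unknown token " + match.Value);
            }
            // Token values originate from user input (names, e-mail addresses); encoding
            // them keeps a value like "<script>" from injecting markup into the HTML mail.
            return WebUtility.HtmlEncode(value);
        });
    }
}

// One concrete class per template; its constructor signature documents exactly which
// tokens the "New User Registration" template expects.
public sealed class UserRegistrationMessage : TemplatedMailMessage
{
    private readonly Dictionary<string, string> _tokens;

    public UserRegistrationMessage(string userName, Guid userId, string email)
    {
        _tokens = new Dictionary<string, string>
        {
            { "UserName", userName },
            { "UserID", userId.ToString() },
            { "Email", email }
        };
    }

    protected override string TemplateName { get { return "NewUserRegistration"; } }
    public override string Subject { get { return "Hi welcome..."; } }
    protected override IDictionary<string, string> Tokens { get { return _tokens; } }
}
```

With this shape the calling page does `new UserRegistrationMessage(user.UserName, (Guid)user.ProviderUserKey, user.Email).Render(templateRoot)` and hands the result, together with `Subject`, to whatever sends the mail; the template path and subject no longer need to travel through the method signature that the question found too long.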

Updating/Intercepting HttpContext.Current.Request.QueryString

Here's a weird one. I'm reusing a code base that unfortunately must not be updated. This code makes a call to HttpContext.Current.Request.QueryString. Ideally, I need to push a value into this collection with every request that is made. Is this possible - perhaps in an HTTP Module?
Without using reflection, the simplest way to do it would be to use the RewritePath function on the current HttpContext object in order to modify the querystring.
Using an IHttpModule, it might look something like:
context.RewritePath(context.Request.Path, context.Request.PathInfo, newQueryStringHere!);
Hope this helps!
Ditto Espo's answer, and I would like to add that usually in medium trust (specific to many shared hostings) you will not have access to reflection, so RewritePath will probably remain your only choice.
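The RewritePath approach from the two answers above, written out as an added example (not code from either answerer). The key name `tenant` and the way its value is derived are assumptions; `HttpContext.RewritePath(string filePath, string pathInfo, string queryString)` and `HttpUtility.ParseQueryString` are standard System.Web.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Pushes a server-determined value into the query string of every request before
// the legacy code reads HttpContext.Current.Request.QueryString.
public class QueryStringInjectorModule : IHttpModule
{
    // Assumed key; nothing on the page specifies it.
    private const string Key = "tenant";

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before handler selection, so both routing and the
        // eventual handler see the rewritten query string.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest request = ctx.Request;

        // Request.QueryString is read-only; ParseQueryString yields a writable copy
        // whose ToString() re-encodes keys and values.
        NameValueCollection qs = HttpUtility.ParseQueryString(request.QueryString.ToString());

        // Assign rather than Add: a client that sends its own ?tenant=... must not be
        // able to make the legacy code see its value instead of the server's.
        qs[Key] = ResolveValue(ctx);

        // FilePath excludes PathInfo; passing Request.Path as the first argument
        // would duplicate any path info present on the request.
        ctx.RewritePath(request.FilePath, request.PathInfo, qs.ToString());
    }

    private static string ResolveValue(HttpContext ctx)
    {
        // Placeholder lookup (assumption): derive the value from the Host header.
        return ctx.Request.Url.Host;
    }

    public void Dispose()
    {
    }
}
```

Register the module in web.config (`<system.webServer><modules>` under IIS 7 integrated mode, `<system.web><httpModules>` under classic mode). The three-argument RewritePath leaves the URL the browser sees untouched; only the server-side `Request.QueryString`, `Request.Path` and `Request.PathInfo` reflect the rewrite.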