9 Replies Latest reply: Mar 12, 2013 9:41 AM by 996292

form handler

333 Newbie
hi all,

A form handler's handle methods have a boolean return type. My question is: when should it return false and when should it return true?

And where are the success and failure URLs set?


Regards
333
  • 1. Re: form handler
    Rajeev_R Journeyer
    The return value informs Dynamo whether it needs to continue processing the rest of the page after the current handler has finished.

    true - Normal processing of the remaining values continues, and the page specified by the form's action attribute is served.
    false - No further values are processed after the handler is called, and the rest of the page is not served. For example, a handler that redirects the user to another page should return false.

    If it is a custom handler method, it is the developer's responsibility to return the appropriate value based on the above.

    Success and failure URLs can be set as properties in your form handler, with the values set in the form handler component's .properties file. You may also set these values from the JSP as hidden controls, but this is not recommended for security reasons.

    From your handle method you may invoke checkFormRedirect(String pSuccessURL, String pFailureUrl, DynamoHttpServletRequest pRequest, DynamoHttpServletResponse pResponse)

    Cheers
    R

    Edited by: Rajeev_R on Feb 13, 2013 3:32 AM
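As an added example (not code from the thread or from Oracle ATG), the following form handler keeps successURL and failureURL as component properties, validates its input, and lets checkFormRedirect() decide the boolean result of the handle method, as the reply above describes. The package, class, property values and the component path in the comment are assumptions for illustration.

```java
// Added example, not part of the original thread or of ATG itself.
//
// Assumed Nucleus configuration for this component (path and values are
// hypothetical), e.g. /mycompany/forms/FeedbackFormHandler.properties:
//   $class=com.example.forms.FeedbackFormHandler
//   successURL=/feedback/thanks.jsp
//   failureURL=/feedback/form.jsp
package com.example.forms;

import java.io.IOException;
import javax.servlet.ServletException;

import atg.droplet.DropletException;
import atg.droplet.GenericFormHandler;
import atg.servlet.DynamoHttpServletRequest;
import atg.servlet.DynamoHttpServletResponse;

public class FeedbackFormHandler extends GenericFormHandler {

    // Redirect targets are bean properties so they can be configured in the
    // component's .properties file instead of being bound to hidden fields.
    private String mSuccessURL;
    private String mFailureURL;
    private String mComment;

    public String getSuccessURL() { return mSuccessURL; }
    public void setSuccessURL(String pURL) { mSuccessURL = pURL; }
    public String getFailureURL() { return mFailureURL; }
    public void setFailureURL(String pURL) { mFailureURL = pURL; }
    public String getComment() { return mComment; }
    public void setComment(String pComment) { mComment = pComment; }

    /**
     * Bound from the JSP as <dsp:input type="submit" bean="...submit"/>.
     * Returns true when Dynamo should keep rendering the page, false when a
     * redirect has been issued and rendering must stop.
     */
    public boolean handleSubmit(DynamoHttpServletRequest pRequest,
                                DynamoHttpServletResponse pResponse)
            throws ServletException, IOException {

        // Record validation problems as form exceptions so the JSP can show
        // them and so checkFormRedirect() selects the failure URL.
        if (mComment == null || mComment.trim().isEmpty()) {
            addFormException(new DropletException("Comment must not be empty"));
        } else if (mComment.length() > 2000) {
            addFormException(new DropletException("Comment is too long"));
        }

        if (!getFormError()) {
            // Persist the comment here (omitted in this example).
        }

        // checkFormRedirect() redirects to failureURL when form exceptions were
        // recorded and to successURL otherwise, returning false after a redirect;
        // when the chosen URL is null it returns true so the page keeps rendering.
        // Returning its result honours the true/false contract described above.
        return checkFormRedirect(getSuccessURL(), getFailureURL(), pRequest, pResponse);
    }
}
```

Because setSuccessURL and setFailureURL are ordinary bean setters, a JSP could still bind them to hidden inputs; the point of configuring them in the .properties file is that the JSP simply never does so, so the redirect target is never taken from the request.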
  • 2. Re: form handler
    991157 Newbie
    Rajeev is right. Check the docs for more info:
    http://docs.oracle.com/cd/E36434_01/Platform.10-1-2/ATGPlatformProgGuide/html/s0602handlermethods01.html
  • 3. Re: form handler
    971026 Newbie
    Can I know how specifying the success and error URLs in the JSP as hidden variables affects security?
    And why is it good practice to specify them in the .properties file?
  • 4. Re: form handler
    cmore Explorer
    You are correct that sending elements in the form handler is less secure, but there are a couple of things that help limit the security impact.

    First is the session confirmation number which is, by default, required with a FormHandler form submission. This helps prevent some kinds of cross site scripting attacks in which a form rendered by someone else makes a post to your site via the customer's browser. Second is that newer versions of ATG do not allow off-site redirects without extra configuration (which helps with attacks that involve silently navigating away from your site to a site that can be used for phishing).

    If you do decide to configure per-redirect-target FormHandlers, the newer $basedOn Nucleus property can help limit the amount of repeated configuration needed.
  • 5. Re: form handler
    Rajeev_R Journeyer
    The values of hidden variables can be modified using Firebug or Google Chrome and then submitted to your server. After processing the form, the form handler redirects to the URL set in the success or error URL, which you accepted as a hidden variable but whose value has been changed by the user. At this point the server redirects to the specified 3rd-party website, which could be a malicious URL.

    To avoid this, ATG 10.1 has a servlet pipeline component called /atg/dynamo/servlet/pipeline/RedirectURLValidator. Set enabled to true and you can define which outside hosts the system can redirect to (allowedHostNames property).

    Cheers
    R
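The check below is an added example, not code from the thread or from Oracle ATG, and not ATG's RedirectURLValidator implementation. It shows, stand-alone, what an allow-list of host names buys you against a tampered hidden successURL/failureURL field: site-relative paths and http(s) URLs on allowed hosts pass, while off-site, protocol-relative, userinfo-disguised and non-http targets are rejected. Package, class, host names and the sample URLs are constructed for illustration.

```java
// Added example, not part of the original thread or of ATG itself.
package com.example.forms;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class RedirectTargetCheck {

    private final Set<String> mAllowedHosts = new HashSet<>();

    public RedirectTargetCheck(String... pAllowedHosts) {
        for (String host : pAllowedHosts) {
            mAllowedHosts.add(host.toLowerCase(Locale.ROOT));
        }
    }

    /** True only for site-relative paths or absolute http(s) URLs on an allowed host. */
    public boolean isAllowed(String pTarget) {
        if (pTarget == null || pTarget.trim().isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(pTarget.trim());
        } catch (URISyntaxException e) {
            return false;                       // unparseable (e.g. backslashes): refuse
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            // No scheme. "//evil.example/x" is protocol-relative and still leaves
            // the site, so require no authority component and a leading "/".
            return uri.getRawAuthority() == null
                && uri.getRawPath() != null
                && uri.getRawPath().startsWith("/");
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;                       // javascript:, data:, file: and friends
        }
        // getHost() returns the real host even when userinfo is used as a decoy,
        // e.g. https://www.example.com@evil.example/ yields "evil.example".
        String host = uri.getHost();
        return host != null && mAllowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        RedirectTargetCheck check = new RedirectTargetCheck("www.example.com", "shop.example.com");
        String[] samples = {                    // constructed inputs
            "/checkout/thanks.jsp",
            "https://shop.example.com/checkout/thanks.jsp",
            "https://evil.example/phish",
            "//evil.example/phish",
            "javascript:alert(1)",
            "https://www.example.com@evil.example/",
        };
        for (String s : samples) {
            System.out.println((check.isAllowed(s) ? "allow  " : "reject ") + s);
        }
    }
}
```

Running main prints "allow" for the first two samples and "reject" for the remaining four. In ATG 10.1 the equivalent control is the pipeline component named in the reply above, enabled and given its allowedHostNames; the exact value syntax of that property is not stated in this thread, so consult the component's page in the Dynamo Admin UI or the product documentation before relying on it.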
  • 6. Re: form handler
    996292 Newbie
    Hi Rajeev_R,

    I installed the ATG 10.1 version on my laptop. However I'm not able to find the RedirectURLValidator servlet. Do you know the class name of this component?

    Thanks.
  • 7. Re: form handler
    Rajeev_R Journeyer
    Try hitting the URL directly: http://localhost:8080/dyn/admin/nucleus/atg/dynamo/servlet/pipeline/RedirectURLValidator/

    The class used is atg.servlet.pipeline.RedirectURLValidatorService

    Cheers
    R
  • 8. Re: form handler
    Praveer.Rai Journeyer
    $class=atg.servlet.pipeline.RedirectURLValidatorService
  • 9. Re: form handler
    996292 Newbie
    Thanks, I found it.

    Regards.
