Tuesday, March 9, 2010

Unsung Features of a Web Form Generator: security

Following on from the last blog entry, I thought I'd blog about another feature of Metawidget's id generation. I use this feature in my own apps, but it's not part of the core Metawidget distribution.

Like most things about Metawidget, id generation is pluggable. The Java Server Faces Metawidget comes with a ReadableIdProcessor that attaches ids to UIComponents based on a predictable camel-casing of their value binding. So, for example, if the component has a value binding...

<h:inputText value="#{contact.current.name}" />

...its id will be...

<input type="text" id="contactCurrentName" />

You can swap out this processor for your own, so for example you could generate ids with underscores...

<input type="text" id="contact_current_name" />

...or whatever convention suits your team. But you can also plug in a processor that follows no convention at all, or rather a completely random one. Unusually for a Web framework, Java Server Faces doesn't much care what the component ids are. It uses them to map from the HTTP request back to the ViewState tree, but it doesn't really use them beyond that. They aren't, for example, referenced anywhere in the application code. This means they can be completely random if you want. In fact, they can change with every page request.
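As an added example (not code from Metawidget or from my own apps), here is what such a random-id processor can look like. It assumes Metawidget's WidgetProcessor&lt;UIComponent, UIMetawidget&gt; interface and package names; the class and its helper are hypothetical.

```java
// Added example: a WidgetProcessor that gives every generated component a
// fresh, unpredictable id on each render, in place of ReadableIdProcessor.
// Assumes Metawidget's WidgetProcessor<UIComponent, UIMetawidget> interface.
package example; // hypothetical package

import java.security.SecureRandom;
import java.util.Map;

import javax.faces.component.UIComponent;

import org.metawidget.faces.component.UIMetawidget;
import org.metawidget.widgetprocessor.iface.WidgetProcessor;

public class RandomIdProcessor implements WidgetProcessor<UIComponent, UIMetawidget> {

    // SecureRandom, not java.util.Random: a predictable generator would let a
    // bot reproduce the ids and defeat the whole point.
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final char[] ALPHABET =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".toCharArray();
    private static final int ID_LENGTH = 16;

    public UIComponent processWidget(UIComponent widget, String elementName,
            Map<String, String> attributes, UIMetawidget metawidget) {
        widget.setId(randomId(ID_LENGTH));
        return widget;
    }

    // JSF component ids must begin with a letter or underscore and may only
    // contain letters, digits, '-' and '_', so the first character is drawn
    // from the letters only and the rest from the full alphanumeric set.
    static String randomId(int length) {
        StringBuilder sb = new StringBuilder(length);
        sb.append(ALPHABET[RANDOM.nextInt(52)]);
        for (int i = 1; i < length; i++) {
            sb.append(ALPHABET[RANDOM.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }
}
```

Register it in place of ReadableIdProcessor in your metawidget.xml; because the ids live in the saved view state, JSF still maps each POST back to the right component even though the next render hands out a different set.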

This makes for some pretty cool security. It makes writing a bot to perform brute-force logins, or post SPAM, much harder if all the field names are constantly changing and completely random. And it makes a Cross Site Request Forgery attack nigh-on impossible.

And best of all, you get it completely for free as part of letting Metawidget generate your ids.
