On Wed, Jun 9, 2010 at 11:06 AM, Lincoln Baxter, III
<lincolnbaxter@gmail.com> wrote:
Yeah - Just saw that this morning. I'd like to see a way to implement this for ALL pages, not requiring a custom tag. I believe this could be done easily using the PreRenderViewEvent to add a hidden form field to store the token in all outbound forms, then use a phase-listener after Restore_View, comparing the request parameter to the restored component value. Very similar to the <s:token> component, but as a global solution that could be enabled/disabled via XML config.
Global solution is good. In fact, it's even more secure since it solves the "doh, I forgot to add the tag" security hole ;)
-Dan