But wouldn't this technique break if you have 2 browser windows open?
----- Original Message -----
From: "Cameron Braid" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 17, 2003 7:48 PM
Subject: RE: [OS-webwork] formbean vs. action

> One problem that comes to mind with this approach is that if someone
> 'hacks' the request, specifying parameters that aren't meant to be
> coming in.
>
> i.e. - using your example
>
> public class CreateInvoiceAction extends ActionSupport {
>     private Invoice invoice = new Invoice();
>
>     ...
> }
>
> <input type="text" name="invoice.poNum" value="${invoice.poNum}"/>
> Calls getInvoice().setPoNum() to set the value.
>
> If someone adds invoice.balance=0 to the http request, it will also be
> automatically set onto the domain object.
>
> I have a technique that can avoid this, for actions that are using the
> JSP tag library to produce the forms.
>
> It goes something like this :
>
> A) in the taglibs, keep a list of the property names of each form field
> B) store this list in the session, against the form token for retrieval on post
> C) when the form is posted, obtain this list of form fields
> D) the params interceptor only sets the properties defined in this list
>
> This allows the form to define allowable properties to set on the target
> action, thereby 'protecting' unwanted request params from affecting
> anything.
>
> Cameron
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Jason Carreira
> Sent: Wednesday, 17 September 2003 10:40 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [OS-webwork] formbean vs. action
>
> The fact that it's not a class built specifically for backing this
> form... Struts requires you to build form beans which extend an abstract
> base class. Here you're just using your same domain objects directly,
> without a mapping layer.
>
> > -----Original Message-----
> > From: Anoop Ranganath [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, September 17, 2003 8:29 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [OS-webwork] formbean vs. action
> >
> > > If you're using domain objects or persisting the data, I would suggest
> > > you use Object properties. Say, for instance, that you have an Invoice
> > > domain object. You might have a CreateInvoiceAction Action class:
> >
> > Ah. That's actually what I'm doing right now. So what makes this any
> > different than a Form Bean then? The fact that it's a POJO?
> >
> > Anoop
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Opensymphony-webwork mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
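
Added example, not part of the original thread and not WebWork code: one way to keep the per-form property list from steps A to D, keyed by form token so that two browser windows each carry their own list. FormFieldAllowlist and its methods are hypothetical names, the request data is constructed, and a plain map stands in for the HTTP session.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration; class and method names are hypothetical, not WebWork API. */
public class FormFieldAllowlist {
    private static final SecureRandom RNG = new SecureRandom();
    // Stands in for the HTTP session: one allowlist per rendered form, keyed by its token.
    private final Map<String, Set<String>> sessionStore = new ConcurrentHashMap<>();

    /** Steps A and B: called while rendering; records the field names the tags emitted. */
    public String register(Collection<String> renderedFields) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessionStore.put(token, Set.copyOf(renderedFields));
        return token;
    }

    /** Steps C and D: on post, keep only the parameters the form itself declared. */
    public Map<String, String> filter(String token, Map<String, String> params) {
        // remove() makes the token single-use; a missing, unknown or replayed token binds nothing.
        Set<String> allowed = (token == null) ? null : sessionStore.remove(token);
        Map<String, String> accepted = new LinkedHashMap<>();
        if (allowed == null) return accepted;
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (allowed.contains(e.getKey())) accepted.put(e.getKey(), e.getValue());
        }
        return accepted;
    }

    public static void main(String[] args) {
        FormFieldAllowlist session = new FormFieldAllowlist();
        // Two windows render the same form; each gets its own token and its own list.
        String windowA = session.register(List.of("invoice.poNum"));
        String windowB = session.register(List.of("invoice.poNum"));

        // Constructed request: invoice.balance was never rendered as a form field.
        Map<String, String> posted = new LinkedHashMap<>();
        posted.put("invoice.poNum", "PO-1001");
        posted.put("invoice.balance", "0");

        System.out.println("window A: " + session.filter(windowA, posted));
        System.out.println("window B: " + session.filter(windowB, posted));
        System.out.println("replay A: " + session.filter(windowA, posted));
    }
}
```

Storing a single list per session instead of one per token is what would let a second window overwrite the first window's list.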