Re: [OS-webwork] formbean vs. action

[Francisco Hernandez]

I had the same worries about this too, I just ended up null'ing the 
fields that were 'illegal' to set in the request.



Cameron Braid wrote:

One problem that comes to mind with this approach is that if someone
'hacks' the request, specifying parameters that aren't meant to be
coming in.
i.e - using your example 

Public class CreateInvoiceAction extends ActionSupport {
   private Invoice invoice = new Invoice();
   ...
}
<input type="text" name="invoice.poNum" value="${invoice.poNum}"/>
Calls getInvoice().setPoNum() to set the value.
If someone adds invoice.balance=0 to the http request, it will also be
automatically set onto the domain object.
I have a technique that can avoid this, for actions that are using the
JSP tag library to produce the forms.
It goes something like this :

A) in the taglibs, keep a list of the property names of each form field
B) store this list in the session, against the form token for retrival
on post
C) when the form is posted, obtain this list of form fields
D) the params interceptor only sets the properties defined in this list
This allows the form to define allowable properties to set on the target
action, therby 'protecting' unwanted request params from affecting
anything.


Cameron

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jason Carreira
Sent: Wednesday, 17 September 2003 10:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [OS-webwork] formbean vs. action
The fact that it's not a class built specifically for backing this
form... Struts requires you to build form beans which extend an abstract
base class. Here you're just using your same domain objects directly,
without a mapping layer.

-----Original Message-----
From: Anoop Ranganath [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2003 8:29 AM
To: [EMAIL PROTECTED]
Subject: Re: [OS-webwork] formbean vs. action


If you're using domain objects or persisting the data, I
would suggest

you use Object properties. Say, for instance, that you have
an Invoice

domain object. You might have an CreateInvoiceAction Action class:
Ah.  That's actually what I'm doing right now.  So what makes
this any 
different than a Form Bean then?  The fact that it's a POJO?

Anoop



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Opensymphony-webwork mailing list 
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork






-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork