would anyone object to the idea of removing the xdoclet generated formbeans and instead just maintain the formbeans manually? I find that using the xdoclet generated formbeans is a bit confusing and at times problematic.
For one, xdoclet seems to generate some formbeans which aren't actually used, like PermissionsForm, ObjectAuditForm, and RoleForm. Secondly, most of the xdoclet generated formbeans need to be extended anyways because there isn't a 1-to-1 mapping between our pojo attributes and the fields we need on the web forms. I think having the "Ex" formbeans just makes things more confusing. Thirdly, the xdoclet generated formbeans always modify all primitive and basic attribute types or a pojo even if those attributes shouldn't be changed. This coupled with the way we use the copyTo() and copyFrom() methods is a bit lazy and insecure. We were recently bitten by this one on the profile page, where a malicious user could access and change attributes that they shouldn't be able to. I don't think we have enough formbeans to really make this unreasonable. I think this would only affect 10 or 12 formbeans, which isn't too bad. -- Allen
