On Jan 15, 2006, at 9:56 PM, Allen Gilliland wrote:
Would anyone object to the idea of removing the xdoclet generated formbeans and instead just maintain the formbeans manually? I find that using the xdoclet generated formbeans is a bit confusing and at times problematic.

-1
I don't see the problem(s) here. Below are my counter arguments.

For one, xdoclet seems to generate some formbeans which aren't actually used, like PermissionsForm, ObjectAuditForm, and RoleForm.

That's easy to fix, just leave the @struts.form tag off of the POJO and no form will be generated.

Secondly, most of the xdoclet generated formbeans need to be extended anyways because there isn't a 1-to-1 mapping between our pojo attributes and the fields we need on the web forms. I think having the "Ex" formbeans just makes things more confusing.

Thirdly, the xdoclet generated formbeans always modify all primitive and basic attribute types of a pojo even if those attributes shouldn't be changed. This coupled with the way we use the copyTo() and copyFrom() methods is a bit lazy and insecure. We were recently bitten by this one on the profile page, where a malicious user could access and change attributes that they shouldn't be able to.

Laziness is not necessarily a bad thing. Generating the forms reduces the chance of errors and the amount of code we have to write and maintain. I don't think that hand written forms will make it more secure. You still have to think carefully about what should be copied.

If you don't like the behavior of the copyTo() and copyFrom() methods, then fix them in the struts-form.xdt template that we use to generate the forms.

- Dave
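
The copy-everything behaviour discussed in this thread, next to a per-page allowlisted copy, as an added example that is not part of the original message and is not Roller's or XDoclet's generated code. The `User` and `UserForm` classes, their fields, `bind()` and `PROFILE_EDITABLE` are hypothetical; only the `copyTo()`/`copyFrom()` names come from the thread. An allowlisted `copyTo()` like this one could be hand-written or emitted by a generation template.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical classes and fields, constructed for illustration only.
public class FormCopyDemo {
    static class User {
        String fullName = "Alice";
        String userName = "alice";
        boolean enabled = false;   // meant to be set by an administrator only
    }

    static class UserForm {
        String fullName, userName;
        boolean enabled;

        void copyFrom(User u) { fullName = u.fullName; userName = u.userName; enabled = u.enabled; }

        // Stand-in for framework binding: every submitted parameter that
        // matches a form property is set, whether or not the page rendered it.
        void bind(Map<String, String> p) {
            if (p.containsKey("fullName")) fullName = p.get("fullName");
            if (p.containsKey("userName")) userName = p.get("userName");
            if (p.containsKey("enabled")) enabled = Boolean.parseBoolean(p.get("enabled"));
        }

        // Copy-everything style: all bound attributes reach the POJO.
        void copyTo(User u) { u.fullName = fullName; u.userName = userName; u.enabled = enabled; }

        // Allowlisted style: only attributes this page may edit are copied.
        void copyTo(User u, Set<String> editable) {
            if (editable.contains("fullName")) u.fullName = fullName;
            if (editable.contains("userName")) u.userName = userName;
            if (editable.contains("enabled")) u.enabled = enabled;
        }
    }

    static final Set<String> PROFILE_EDITABLE = Set.of("fullName");

    static User submit(Map<String, String> params, boolean allowlisted) {
        User user = new User();
        UserForm form = new UserForm();
        form.copyFrom(user);
        form.bind(params);
        if (allowlisted) form.copyTo(user, PROFILE_EDITABLE); else form.copyTo(user);
        return user;
    }

    public static void main(String[] args) {
        // Constructed request: the profile page shows only fullName, yet an extra parameter arrives.
        Map<String, String> params = Map.of("fullName", "Alice B.", "enabled", "true");
        System.out.println("copy-all    enabled=" + submit(params, false).enabled);
        System.out.println("allowlisted enabled=" + submit(params, true).enabled);
    }
}
```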