locating DTD when upload an xml file

2002-07-11 Thread Yi-Xiong Zhou 

Dear helper, 

I am using Digester to parse an xml file from web upload. The DTD file is
also in the same directory of the xml file and specified in the xml file as
. 

Could anyone tell me the best way to handle this problem? 

One way I think about is to upload the DTD file and save it somewhere in the
application directory. This directory should be specified in
ApplicationResources.PROPERTIES file. Then upload the xml file and parse it
with the saved DTD file. Could anyone tell me how to set the directory to
the parser so that the parser will know where to look for the DTD file? I
also need to know how to save the DTD files in struts to a given path. 

Thanks. 

Yi-Xiong


--
To unsubscribe, e-mail:   
For additional commands, e-mail:

How to use ApplicationResources.properties file to set default values in JSP?

2001-09-11 Thread Yi-Xiong Zhou 

I want to set the default row and col values in  from
ApplicationResources.properties. Does anyone know how to do that? 

The following way does not work apparently. 


Thanks. 

Yi-Xiong Zhou

IF statement in struts-config.xml

2001-08-06 Thread Yi-Xiong Zhou 

Hi, 

I think it will be very useful if struts can have IF statement in
struts-config.xml to control the  action. 

I am thinking of building a purely configurable system using struts
framework. A system whose actions can be reassembled and chained to make new
functionalities. IF statements are key to chain actions. 

Has any plan to implement the IF function in struts-config.xml underway? 

Yi-Xiong Zhou

How to set default values in FormBean from MessageResource?

2001-07-19 Thread Yi-Xiong Zhou 

Hi, 

I am trying to set the initial values of the parameters in a FormBean from
MessageResource. I called getServlet().getResources() in the bean
constructor method. However, getServlet() returned null. Do you have an idea
of why can't I get the servlet in the constructor? and how can get the
MessageResources?

Regards,

Yi-Xiong Zhou

container managed authentication

2001-07-06 Thread Yi-Xiong Zhou 

How do I perform additional process in struts at the time of authentication
if container managed authentication is used?

For example, after the user has just logged on, I want to initialize some
attributes in the session by loading in some data from the database. One way
to do that is to add a new method in Action to do such a process whenever a
new logon is detected. Then call that method at each implementation of
perform() method. Is there a better way to handle this task? 

Yi-Xiong Zhou

RE: Potential Security Flaw in Struts MVC

2001-05-08 Thread Yi-Xiong Zhou 

How can I am receiving this message again and again in two days? 
I have received over 10 copies of this message, at the rate of once every 3
hours. Is this a mail bomb?

Yi-Xiong

-Original Message-
From: Christian Cryder [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 11:15 AM
To: Struts-User
Subject: RE: Potential Security Flaw in Struts MVC


I usually just lurk on this list, but I think I'll pipe in here.

I think Jeff raises a valid point, and it's one of my particular gripes
about the webapp paradigm (certainly not Struts in general): every "action"
that is represented by URL is accessible if you know the right information
(or can guess it).

Here's an example. Let's say I have I have servlets (or JSPs, or whatever)
that do things like HireEmployee, FireEmployee, AdjustWages, PayBonus, etc.
Based on naming convention, if I have access to some of these functions I
might very well be able to guess the names of others. So I have to build
security into each of these functions, to ensure that the user is authorized
to do the task.

Now, for a simple app, this may not be too bad: just cut and paste the code
and you're on your way.  As the application grows in complexity, however
(either in the number of functions that need to be validated, or the code
that does the validation, or both), it becomes increasingly easy to
introduce bugs into the system. The developer might miscode a particular
security check. Or he might forget to add security for a newly created
function. If you have a system with hundreds or thousands of secure
functions, the chances of making errors increases significantly if you are
duplicating code in all those places, and any mistake results in a security
hole within your app.

Now, what are some possible strategies for dealing with this?

Well, in JSP's you could probably do includes to reuse the same physical
piece of code, or in Servlets you could delegate to some kind of common
security function. Neither of these situations solves the scenario however
where the developer forgets to invoke the proper security measures (maybe
they're not aware of the proper security for a task, or maybe they just made
a mistake). The point is that even though you're using includes or calling a
common authorization method (thereby reducing the amount of lines of
duplicated code), you are still relying on all of the actions to make the
call in the first place. If you have a system with hundreds of functions,
what are the odds that as that systems grows (new functions added, security
policies modified, etc) mistakes will creep in? Pretty good, in my
experience. And in the webapp environment such security holes are often more
accessible to the world at large.

What if you could define actions as belonging to a particular master class
of action. In other words, the example functions I gave above might all be a
subset of "MgrActions" or something like that? What would really be nice
would be for actions to be defined hierarchically, and to allow for
validations/authorization to be performed on a parent. So for instance,
rather than duplicating specific authorizations for HireEmployee,
FireEmployee, AdjustWages, PayBonus, it'd be nice to just write the
authorization code once for MgrActions, and know that it would automatically
get applied to any of the actions that "extend" the MgrAction. Then when you
add new actions, they would automatically "inherit" the security policies of
all their parent actions. If you need to modify security policies, you'd
only have to change the logic in one place.

I have no idea how you would implement something like this in Struts (or if
its even possible). In Barracuda, we were able to do this in our event
model. When client requests come in, they are translated to events, and for
every event that is dispatched, if that event implements a marker interface
called Polymorphic, then all the Event's parent events will be dispatched
first (since, after all, the target event "is an instance of" each of those
parent events). This pattern works extremely well for implementing policies
that apply to portions of an application. As the application evolves, you
only have to make changes to authorization logic in one place; new actions
automatically inherit their parents' policies; and if you ever need to add
new policies (like say logging all the MgrAction events plus all the
SrMgrAction events), all you have to do is change your event hierarchy and
add new listener code for the newly defined event. This logic would then
automatically apply to all events further down the chain.

Like I said, this has worked very well for us in Barracuda. I have no idea
how you'd apply this concept in Struts, but the pattern itself (hierarchical
events/actions) should be applicable to just about any web app framework.
The only limiting factor that I can think of is that in order to implement
hierarchy, you'd probably have to define your actions or events as real
objects, not just Strings.