Re: Report to Recipient(s)
What does this message mean?

----- Original Message -----
From: "Paladin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 16, 2001 2:46 PM
Subject: Report to Recipient(s)

> Incident Information:-
>
> Originator: "Jeff Trent" <[EMAIL PROTECTED]>
> Recipients: <[EMAIL PROTECTED]>
> Subject: Re: quick question : form
>
> Message from "Jeff Trent" <[EMAIL PROTECTED]> was quarantined because
> it contained banned content.
Re: quick question : form
Test message ... please ignore.

----- Original Message -----
From: Jeff Trent
To: [EMAIL PROTECTED]
Sent: Monday, July 16, 2001 2:46 PM
Subject: Re: quick question : form

This is a test message, please ignore.

----- Original Message -----
From: Rama KrishnA
To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
Sent: Monday, July 16, 2001 2:34 PM
Subject: Re: quicK question : form

Thanks much Melissa. But, i want to know why it does like this, when i call the reset manually.

rama.

----- Original Message -----
From: MelissA Rabin
To: [EMAIL PROTECTED]
Sent: Monday, July 16, 2001 11:19 AM
Subject: RE: quicK question : form

Hi Rama.

One quick & dirty way to solve your problem is to add "success" as a string to the request object in the perform method of your action class, and add a " line in your struts-config file (which will return you to the page you posted the initial request). Add some jsp code to check if the request attribute is null, which it will be when you first load the page. After the request is posted and your action class adds the string to the request (if all goes well), it should finish up by returning you to your original jsp where you will now see your "success" status message (e.g. <%= request.getAttribute("status")%>

I hope this helps

Melissa
Web Engineer

-----Original Message-----
From: Rama KrishnA [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 2:07 PM
To: [EMAIL PROTECTED]
Subject: quick questioN : form

hi all,

i have a form and when i submit it i perform some action and i forward it to the same form, but with a message "success".

now
- i want to reset all the fields (set to default value)
- the url after submission is still xxx.yy?action="save", where as i want the action to be "create"

i tried calling reset method before forwarding, it clears all the fields but doesn't show message "success" and the url is still ?action="save"

can anyone help me??

thanks,
rama.
Re: quick question : form
This is a test message, please ignore.

----- Original Message -----
From: Rama KrishnA
To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
Sent: Monday, July 16, 2001 2:34 PM
Subject: Re: quicK question : form

Thanks much Melissa. But, i want to know why it does like this, when i call the reset manually.

rama.

----- Original Message -----
From: MelissA Rabin
To: [EMAIL PROTECTED]
Sent: Monday, July 16, 2001 11:19 AM
Subject: RE: quicK question : form

Hi Rama.

One quick & dirty way to solve your problem is to add "success" as a string to the request object in the perform method of your action class, and add a " line in your struts-config file (which will return you to the page you posted the initial request). Add some jsp code to check if the request attribute is null, which it will be when you first load the page. After the request is posted and your action class adds the string to the request (if all goes well), it should finish up by returning you to your original jsp where you will now see your "success" status message (e.g. <%= request.getAttribute("status")%>

I hope this helps

Melissa
Web Engineer

-----Original Message-----
From: Rama KrishnA [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 2:07 PM
To: [EMAIL PROTECTED]
Subject: quick questioN : form

hi all,

i have a form and when i submit it i perform some action and i forward it to the same form, but with a message "success".

now
- i want to reset all the fields (set to default value)
- the url after submission is still xxx.yy?action="save", where as i want the action to be "create"

i tried calling reset method before forwarding, it clears all the fields but doesn't show message "success" and the url is still ?action="save"

can anyone help me??

thanks,
rama.
Re: Problem w/ session id under iplanet web server
I figured out the problem. For the interest of the mail archives, the solution is to use regular expressions in obj.conf. "*.do" is not enough for iPlanet (struts documentation should be amended for this). I found I needed to use "*.do;jsessionid*" in addition to "*.do". This fixed the problem.

Note: rules.properties didn't seem to work either since the servlet is running from tomcat, not iPlanet.

-jeff

----- Original Message -----
From: Jeff Trent
To: [EMAIL PROTECTED]
Sent: Tuesday, June 26, 2001 10:57 AM
Subject: Problem w/ session id under iplanet web server

The first reference to a [struts] form generates an action="/myapp/formAction.do;jsessionid=xyz"

As a result, iPlanet seems to not be able to complete my request and returns a 404 instead. GETs and POSTs behave the same way when the session id is passed.

I'm sure it's a simple iPlanet configuration issue but I'm stuck...

Any help?

Thanks,
Jeff
Problem w/ session id under iplanet web server
The first reference to a [struts] form generates an action="/myapp/formAction.do;jsessionid=xyz"

As a result, iPlanet seems to not be able to complete my request and returns a 404 instead. GETs and POSTs behave the same way when the session id is passed.

I'm sure it's a simple iPlanet configuration issue but I'm stuck...

Any help?

Thanks,
Jeff
Re: HP Bluestone Struts Trailmap
This page did not display for me. Not a 404, but no content shown.

----- Original Message -----
From: "BONAIUTO,JAMES (HP-NewJersey,ex1)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 22, 2001 4:46 PM
Subject: HP Bluestone Struts Trailmap

> I will be adding to HP Bluestone's Struts trailmap:
> http://gallery2.bluestone.com/scripts/SaISAPI.dll/Gallery.class/demos/trailMaps/index.jsp
> New trails on the trailmap will include Database connections (returning a
> resultset and connection pooling) and Templates. Does anyone have any other
> topics that they would like to see added?
>
> James Bonaiuto
> HP Bluestone
Re: Struts and iPlanet
Matt,

Just curious, how have you fared with struts and IAS in general?

- jeff

----- Original Message -----
From: "Matt Raible" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 15, 2001 9:20 AM
Subject: Struts and iPlanet

> Has anyone been successfully able to get the "struts-template" tag library
> working on iPlanet Application Server 6.0 SP2. Here is a reference to the
> library:
>
> http://jakarta.apache.org/struts/api/org/apache/struts/taglib/template/package-summary.html#package_description
>
> I was successfully able to get the "struts-logic" and "struts-bean" tag
> libraries working, but I'm having no luck with the "struts-template"
> library.
>
> Thanks,
>
> Matt
>
> _
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
Re: Need help with updatable indexed properties.
Try looking in www.mail-archive.com under struts-user for the keywords "Grid" or "Matrix". You'll find some material there.

----- Original Message -----
From: "Shamdasani Nimmi-ANS004" <[EMAIL PROTECTED]>
To: "struts-user@jakarta. apache. org (E-mail)" <[EMAIL PROTECTED]>
Sent: Wednesday, June 13, 2001 11:52 AM
Subject: Need help with updatable indexed properties.

> Hi,
>
> Can someone please show me how to use the 'Iterate' and 'Select' tags instead in JSP code below for the indexed properties some of which are modifiable :
>
> <%SubmitQuotesForm submitQuotesForm=(SubmitQuotesForm)session.getAttribute("submitQuotesForm"); %>
>
> <%for (int i=0; i < submitQuotesForm.getRfqListBean().getTotalRfqCount();i++) {%> [WANT TO USE ITERATE HERE]
>
> <%=submitQuotesForm.getRfqListBean().getRfqList(i).getUsingLocationCode()%>
>
> [THIS HAS TO BE DROPDOWN LIST. HOW TO USE SELECT TAG HERE]
> <%=submitQuotesForm.getRfqListBean().getRfqList(i).getResponseIndicatorCode()%>
>
> <%=submitQuotesForm.getRfqListBean().getRfqList(i).getManufacturerPartNbr()%>
>
> value="<%=submitQuotesForm.getRfqListBean().getRfqList(i).getSupplierQuotedPrice()%>">
>
> value="<%=submitQuotesForm.getRfqListBean().getRfqList(i).getPriceDescription()%>">
>
> <%}%>
>
> This is what my 'SubmitQuotesForm', 'RfqListBean' look like:
>
> public final class SubmitQuotesForm extends ActionForm {
>
>     public SubmitQuotesForm() {
>     }
>
>     private RfqListBean rfqListBean = new RfqListBean();
>
>     public RfqListBean getRfqListBean() {
>         return rfqListBean;
>     }
>
>     public void setRfqListBean(RfqListBean rfqListBean) {
>         this.rfqListBean = rfqListBean;
>     }
> }
>
> public final class RfqListBean implements Serializable {
>
>     public RfqListBean() {
>     }
>
>     private int totalRfqCount = 0;
>     private RfqBean[] rfqList;
>
>     public RfqBean getRfqList(int index) {
>         return rfqList[index];
>     }
>
>     public void setRfqList(int index, RfqBean rfqBean) {
>         this.rfqList[index] = rfqBean;
>     }
> }
>
> and RfqBean is just a regular bean with various properties.
>
> TIA.
>
> -Nimmi
Re: Grid / Matrix Controls Made Easy (src included)
Here it is.

----- Original Message -----
From: "Tom Miller" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, June 10, 2001 8:50 AM
Subject: Re: Grid / Matrix Controls Made Easy (src included)

> Jeff
>
> I'm very interested in trying your code, but only the TLD was attached.
> Would you please repost?
>
> Thanks
> Tom Miller
>
> Jeff Trent wrote:
>
> > Attached, you will find a couple of new tags I wrote to extend the HTML tag library that comes with struts that will allow you to write grid-style JSP code that looks like the following:
> >
> > <% int i = 0; %>
> > property="items">
> > property="name" index="<%= i %>" maxlength="nameMaxSize" size="30"/>
> > property="description" index="<%= i %>" maxlength="descriptionMaxSize" size="50"/>
> > valign="center">
> > property="containerFlag" index="<%= i %>" value="Y"/>
> > <% i++; %>
> >
> > Here is a synopsis of what I did:
> >
> > (1) added two tags called "gridtext" and "gridcheckbox" that are based on html:text and html:checkbox respectfully. Note: All of the others (ie. hidden, radio, select, etc.) need to eventually be handled in a similar fashion but this is all I needed for right now. I'll keep you posted on the rest as I create new gridXXX tags. Note 2: this code has in no way been endorsed by Apache / Struts. Therefore, buyer beware! This code could easily break in future releases to struts.
> >
> > (2) gridtext can now optionally take an index field. If no index is given, the behavior of gridtext degenerates to your vanilla html:text tag. If index is specified, it will use the correct semantics for referring to your iterated item in the collection.
> >
> > (3) gridtext can now optionally take a bean property name in place of a literal value for the maxlength. I felt this is more convenient than the alternative (using scriptlet). To use this style, make sure your underlying bean object (in the above case its the "item" bean), has a member called getNameMaxSize() which returns a string. Note: "size" still requires a literal, the bean will not be consulted if you use a property name instead.
> >
> > (4) gridcheckbox. Well, let me tell you - a lot was changed in gridcheckbox! I began by copying the code for checkbox tag over to gridcheckbox. I changed all private declarations over to protected, removed the 'final' on the class declaration, and fixed a few bugs along the way. Bugs included: (a) wrong target package, (b) used new RequestUtil to get bean value (not really a bug), (c) handle the value parameter correctly (in the 3.2.1 release, the value clause was being confused with the data coming back in the form post. gridcheckbox will really take your user-defined value and put it in the "value" attribute. Also, "checked" logic will use your "value" attribute and compare to datavalue posted from the form. If value is not specified, the default value will be "true").
> >
> > (5) gridcheckbox can now optionally take an index field just like gridtext...
> >
> > Also, note: this has not been qa'ed properly. I wrote the code in under an hour and wham, here you go. If there are bugs you find in the indexing logic, feel free to let me know.
> >
> > A few words on checkboxes: As many of you know, if a form is posted and no checkboxes are checked, html (and therefore struts) will not fire the setter(s) for those checkbox properties. To solve this problem, you should depend on your reset() method on your form to clear out all of the checkbox values each time reset() is called.
> >
> > To incorporate this code, do the following:
> > (1) make a backup of your struts-html.tld
> > (2) overwrite your project-level struts-html.tld with the one attached.
> > (3) put GridTextTag.java & GridCheckboxTag.java in your project.
> > (4) send me email to let me know how you fared with them ;^) I'd like to hear from you.
> >
> > cheers,
> > jeff
>
> --
> Tom Miller
> Miller Associates, Inc.
> [EMAIL PROTECTED]
> 641.469.3535 Phone
> 413.581.6326 FAX

GridTextTag.java GridCheckboxTag.java
Re: Logic-Iterate not finding scope of Bean
I would suggest keeping a hidden property on your form that keeps the state that you are in (ie., 1stTimeQuery, or useQueryResults)...

----- Original Message -----
From: Luna, Kat
To: [EMAIL PROTECTED]
Sent: Thursday, June 07, 2001 2:57 PM
Subject: Logic-Iterate not finding scope of Bean

Hi all, me again with my afternoon question..

I have a UserAction class that extracts a list of Users from the database and stores them in an ArrayList. Success from this Action forwards to user.jsp which I want to display the list in table format.

I have:

<%@ page language="java" %>
<%@ taglib uri="/WEB-INF/struts-logic.tld" prefix="logic" %>
<%@ taglib uri="/WEB-INF/struts-bean.tld" prefix="bean" %>
..etc

but this causes the UserAction to run again (essentially calling the database and building the ArrayList again). Is there a way to have this bean init() when the jsp page loads and then iterate through the ArrayList instead of calling the Action first and then displaying the page? And if so, do I need to add anything to struts-config.xml to tell the page where to find/identify the UserAction bean?

Thanks,
Kat Luna
Web Developer, BCE Emergis
[EMAIL PROTECTED]
Re: Can anyone help with solving the "BACK" button problem, in th e browser?
Another approach I would recommend to solve this problem (haven't tried it though), would be to check the request referer. If it is an empty string then the user either clicked refresh or they typed in the URL into the address field on their browser.

----- Original Message -----
From: "William Jaynes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 08, 2001 7:40 AM
Subject: Re: Can anyone help with solving the "BACK" button problem, in th e browser?

> Just a comment... Looks like your method of checking the RefreshOption
> property will only work if the scope of the ActionForm is "session".
> That's ok if one doesn't mind the use of resources.
>
> ----- Original Message -----
> From: "Dudley Butt@i-Commerce" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 08, 2001 5:34 AM
> Subject: RE: Can anyone help with solving the "BACK" button problem, in th e browser?
>
> > well, this will blow all your socks off.
> > I got something to work, and remaining in line with my "REDUCE THE JAVASCRIPT" policy
> > here is what i did...
> >
> > I just plugged some code into my actionhandler to evaluate a state property
> > on my actionform. If it was a certain state i either perform usual
> > processing or just by pass the processing and show the JSP which gets
> > rebuilt anyways...
> >
> > great!!
> >
> > public ActionHandlerResponse executeAction(ActionMapping mapping,
> >         ActionForm form, HttpServletRequest request){
> >
> >     System.out.println("In " + this.getClass());
> >     actionFormObject = (Vat201ReturnActionForm)form;
> >     aRequest = request;
> >     ActionErrors errors = null;
> >     if (actionFormObject.getRefreshOption()){ // IF THIS IS TRUE DONT ALLOW ANY PROCESSING JUST REBUILD JSP
> >         // THIS boolean GETS SET AFTER FIRST TIME PROCESSING
> >         return new ActionHandlerResponse(errors,mapping.findForward("success"));
> >     }
> >     errors = doFieldValidation();
> >     if (errors != null) {
> >         actionFormObject.setAction("Edit");
> >         return new ActionHandlerResponse(errors, new ActionForward(mapping.getInput()));
> >     }
> >     else {
> >         errors = doReturnUpdate();
> >         if (errors == null){
> >             return new ActionHandlerResponse(errors,mapping.findForward("success"));
> >         }
> >         else {
> >             actionFormObject.setAction("Edit");
> >             return new ActionHandlerResponse(errors, new ActionForward(mapping.getInput()));
> >         }
> >     }
> >     //return new ActionHandlerResponse(errors, mapping.findForward("mainMenu"));
> > }
Fw: making src contributions
Never mind, I found it. Very anticlimactic.

----- Original Message -----
From: "Jeff Trent" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 06, 2001 10:02 AM
Subject: Re: making src contributions

> Thanks. BTW, how does one achieve the envious title of "committer" :^)?
>
> ----- Original Message -----
> From: "Ted Husted" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, June 06, 2001 9:57 AM
> Subject: Re: making src contributions
>
> > Simple patches can be posted to Bugzilla and/or the Struts-Dev list.
> >
> > For an actual feature, you can open a thread on Struts-Dev about what
> > you want to do. Based on what happens with that, you can submit a
> > [PROPOSAL] message there detailing your plans, to see if anyone wants to
> > help. Ultimately, post the source code to DEV or on a Web site someplace
> > where others can try it out.
> >
> > The committers can then [VOTE] as to whether it should be added to the
> > public codebase.
> >
> > > Jeff Trent wrote:
> > >
> > > How does one go about proposing / making struts src contributions for
> > > next release?
Re: making src contributions
Thanks. BTW, how does one achieve the envious title of "committer" :^)?

----- Original Message -----
From: "Ted Husted" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 06, 2001 9:57 AM
Subject: Re: making src contributions

> Simple patches can be posted to Bugzilla and/or the Struts-Dev list.
>
> For an actual feature, you can open a thread on Struts-Dev about what
> you want to do. Based on what happens with that, you can submit a
> [PROPOSAL] message there detailing your plans, to see if anyone wants to
> help. Ultimately, post the source code to DEV or on a Web site someplace
> where others can try it out.
>
> The committers can then [VOTE] as to whether it should be added to the
> public codebase.
>
> > Jeff Trent wrote:
> >
> > How does one go about proposing / making struts src contributions for
> > next release?
Re: Managing resource life cycle during request
>I'm not suggesting that coding this way is wrong. I would suggest that this
>isn't optimal model/view separation, which is one of the main motives for
>using Struts, right?

What really is true model/view separation? In the 15 years or so that I've been coding, I find this to be more of an academic pursuit. The alternative is to make it a collection which, imho, is not cleaner since it has its own downsides.

My $0.02,
- jeff

----- Original Message -----
From: "Cook, Levi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 05, 2001 4:20 PM
Subject: RE: Managing resource life cycle during request

> Just a few notes:
>
> 1. Struts doesn't disallow the operations you outline below. If you are using Struts, and you really need to do this, you can make the same calls from your Action implementation.
>
> public class SomeAction extends Action {
>     public ActionForward perform(ActionMapping mapping, ActionForm form,
>             HttpServletRequest request, HttpServletResponse response)
>             throws IOException, ServletException {
>         ServletContext context = servlet.getServletContext();
>         RequestDispatcher dispatcher = context.getRequestDispatcher();
>
>         rs <-
>         request.setAttribute("rs", rs);
>         dispatcher.include(request, response);
>         rs.close();
>
>         // ActionServlet doesn't do any more response processing..
>         return null;
>     }
> }
>
> I'm not suggesting that coding this way is wrong. I would suggest that this isn't optimal model/view separation, which is one of the main motives for using Struts, right?
>
> 2. My use of the term "acquiring" may have been wrong, or at least ambiguous. More accurately, I would suggest that view components should not have knowledge of, or responsibility for non-memory, finite resources.
>
> 3. You must rely on Garbage collection in Java, you may not like its behaviors, but it's all you get. Also, I would never suggest that you rely on garbage collection to free, non-memory resources, like db-handles.
>
> -- Levi
>
> -----Original Message-----
> From: Jeff Trent [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 05, 2001 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Managing resource life cycle during request
>
> Levi,
>
> The view/JSP does not acquire the resource. Here is a sample of how the code used to work pre-struts:
>
> Servlet.doGet()
> {
>     ...
>     rs <-
>     request.setAttribute("rs", rs)
>
>     requestDispatcher.include()
>
>     rs.close();
> }
>
> In JSP:
> ...
> rs = request.getAttribute("rs")
> while (rs.next())
> {
>     ...
> }
>
> - - -
>
> The problem is that there is no appropriate counterpart in the world of struts. Sure, I can copy the row data to a collection and then walk the collection. But for various reasons, this may be inappropriate (especially for large result sets represented by a cursor).
>
> Finally, you should not depend on garbage collection. The garbage collector is not always called and it's certainly not called as often as you would want it to when you need to free scarce resources like db handles.
>
> - jeff
>
> ----- Original Message -----
> From: "Cook, Levi" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, June 05, 2001 1:40 PM
> Subject: RE: Managing resource life cycle during request
>
> > Can you elaborate on your resource cleanup requirements?
> >
> > My view on designing a responsible object is that I must make sure it eventually releases any, non-memory, finite resources it uses. This design strategy, coupled with garbage collection ensures my system doesn't run out of those resources (eg. file handles, sockets, etc.).
> >
> > Given that ActionForms and JSPs should play the "view" role in Struts, I would question a design that has them acquiring non-memory resources. But, alas, I don't know your system or situation..
> >
> > Regards,
> > Levi Cook
> >
> > -----Original Message-----
> > From: Ted Husted [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, June 04, 2001 10:31 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Managing resource life cycle during request
> >
> > I doubt that overriding ActionServlet.process() would work. The controller sends back the response, and it's done. It's then up to HTTP to deliver the view, usually a JSP.
> >
> > Any clean-up routine would have to be the responsibility of the view, which puts you into the scriptlet zone.
> >
> > Jeff Trent wrote:
> > >
> > > Well, it looks to me that short of overriding ActionServlet.process(), there
> > > is no way one can clean-up resources after the page has been rendered...
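
The include-then-close pattern discussed in the message above, written out as an added example (not code from any poster in this thread): a Struts 1.0 `perform` method that hands a live `ResultSet` to the JSP and releases it in `finally`, so the statement and pooled connection are returned even when the JSP throws. The class name, the `appDataSource` application-scope attribute, the `/items.jsp` path and the `items` table are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical action: renders a cursor-backed result set without copying
// the rows into a collection first.
public class ListItemsAction extends Action {

    // Hypothetical table and columns.
    private static final String QUERY =
            "SELECT name, description FROM items ORDER BY name";

    public ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {

        ServletContext context = servlet.getServletContext();

        // Assumption: a pooled DataSource was placed in application scope
        // under this name when the web application started.
        DataSource ds = (DataSource) context.getAttribute("appDataSource");
        if (ds == null) {
            throw new ServletException("appDataSource is not configured");
        }

        // Hypothetical view path; getRequestDispatcher returns null when the
        // container cannot resolve it.
        RequestDispatcher view = context.getRequestDispatcher("/items.jsp");
        if (view == null) {
            throw new ServletException("view /items.jsp not found");
        }

        Connection con = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            con = ds.getConnection();
            ps = con.prepareStatement(QUERY);
            rs = ps.executeQuery();
            request.setAttribute("rs", rs);

            // An included resource cannot set response headers, so the
            // content type is set here, before the include.
            response.setContentType("text/html");

            // include() returns only after the JSP has finished rendering,
            // which is what makes cleanup in this method possible.
            view.include(request, response);
        } catch (SQLException e) {
            throw new ServletException("query failed", e);
        } finally {
            // Runs on success, on SQLException and on any exception thrown
            // by the JSP, so the handle never waits for garbage collection.
            request.removeAttribute("rs");
            close(rs);
            close(ps);
            close(con);
        }

        // The response is already written; tell ActionServlet to stop here.
        return null;
    }

    private static void close(ResultSet rs) {
        if (rs != null) {
            try { rs.close(); } catch (SQLException ignored) { }
        }
    }

    private static void close(PreparedStatement ps) {
        if (ps != null) {
            try { ps.close(); } catch (SQLException ignored) { }
        }
    }

    private static void close(Connection con) {
        if (con != null) {
            try { con.close(); } catch (SQLException ignored) { }
        }
    }
}
```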
Re: Managing resource life cycle during request
Levi,

The view/JSP does not acquire the resource. Here is a sample of how the code used to work pre-struts:

Servlet.doGet()
{
    ...
    rs <-
    request.setAttribute("rs", rs)

    requestDispatcher.include()

    rs.close();
}

In JSP:
...
rs = request.getAttribute("rs")
while (rs.next())
{
    ...
}

- - -

The problem is that there is no appropriate counterpart in the world of struts. Sure, I can copy the row data to a collection and then walk the collection. But for various reasons, this may be inappropriate (especially for large result sets represented by a cursor).

Finally, you should not depend on garbage collection. The garbage collector is not always called and it's certainly not called as often as you would want it to when you need to free scarce resources like db handles.

- jeff

----- Original Message -----
From: "Cook, Levi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 05, 2001 1:40 PM
Subject: RE: Managing resource life cycle during request

> Can you elaborate on your resource cleanup requirements?
>
> My view on designing a responsible object is that I must make sure it eventually releases any, non-memory, finite resources it uses. This design strategy, coupled with garbage collection ensures my system doesn't run out of those resources (eg. file handles, sockets, etc.).
>
> Given that ActionForms and JSPs should play the "view" role in Struts, I would question a design that has them acquiring non-memory resources. But, alas, I don't know your system or situation..
>
> Regards,
> Levi Cook
>
> -----Original Message-----
> From: Ted Husted [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 04, 2001 10:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Managing resource life cycle during request
>
> I doubt that overriding ActionServlet.process() would work. The controller sends back the response, and it's done. It's then up to HTTP to deliver the view, usually a JSP.
>
> Any clean-up routine would have to be the responsibility of the view, which puts you into the scriptlet zone.
>
> Jeff Trent wrote:
> >
> > Well, it looks to me that short of overriding ActionServlet.process(), there
> > is no way one can clean-up resources after the page has been rendered...
Re: Managing resource life cycle during request
Well, it looks to me that short of overriding ActionServlet.process(), there is no way one can clean-up resources after the page has been rendered...

----- Original Message -----
From: "Jeff Trent" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 04, 2001 10:54 PM
Subject: Re: Managing resource life cycle during request

> That sounds okay for simple forms, but I'd rather not serialize objects from a multi-row recordset to a collection every time. Too much overhead! Let me put the question another way, in Struts, what method on the form or action class gets called following the rendering of the input page? I'll check source code now for this answer...
>
> - jeff
>
> ----- Original Message -----
> From: "Ted Husted" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, June 04, 2001 9:25 PM
> Subject: Re: Managing resource life cycle during request
>
> > The types of objects I use for presentation should be disposed and garbage collected. Here we would be talking about standard collections of mainly Strings and maybe a few primitive types. Anything kinky would be handled in the action. The view gets everything handed to it on a silver platter.
> >
> > Jeff Trent wrote:
> > >
> > > Ted,
> > >
> > > Just because the objects are held in the bean doesn't necessarily mean they
> > > will automatically be cleaned-up. Am I missing something here? I also
> > > agree, I don't want to be writing queries within the JSP.
> > >
> > > Thanks,
> > > - jeff
Re: Managing resource life cycle during request
That's sounds okay for simple forms, but I'd rather not serialize objects from a multi-row recordset to a collection every time. Too much overhead! Let me put the question another way, in Struts, what method on the form or action class gets called following the rendering of the input page? I'll check source code now for this answer... - jeff - Original Message - From: "Ted Husted" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, June 04, 2001 9:25 PM Subject: Re: Managing resource life cycle during request > The types of objects I use for presentation should be disposed and > garbage collected. Here we would be talking about standard collections > of mainly Strings and maybe a few primitive types. Anything kinky would > be handled in the action. The view gets everything handed to it on a > silver platter. > > Jeff Trent wrote: > > > > Ted, > > > > Just because the objects are held in the bean doesn't necessary mean they > > will automatically be cleaned-up. Am I missing something here? I also > > agree, I don't want to be writing queries within the JSP. > > > > Thanks, > > - jeff >
Re: Managing resource life cycle during request
Ted, Just because the objects are held in the bean doesn't necessary mean they will automatically be cleaned-up. Am I missing something here? I also agree, I don't want to be writing queries within the JSP. Thanks, - jeff - Original Message - From: "Ted Husted" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, June 04, 2001 6:13 PM Subject: Re: Managing resource life cycle during request > In general, you should put everything you need for the presentation into > a JavaBean, release any other resources, and return just the bean in the > request. This way you also do things like immediately return the > connection to the pool (before anything bad happens). > > As and for an alternative, the Jakarta JDBC tags work great with Struts > too, if you like doing things on the page. > > Personally, I use mostly RowSets, which can be disconnected from the > data source as soon as the command completes. The Struts tags don't > support RowSets directly (yet) so I end up pounding the RowSet into a > value object bean and/or an ArrayList for iterate (though a fix for that > is in the works too). > > For more, see Part 2 of Strut by Strut under "Coming Soon" at < > http://www.husted.com/about/struts/ > > > -- Ted Husted, Husted dot Com, Fairport NY USA. > -- Custom Software ~ Technical Services. > -- Tel 716 737-3463. > -- http://www.husted.com/about/struts/ > > > > Jeff Trent wrote: > > > > I was wondering how other people deal with physical resource objects > > (eg. db result sets, etc.) during a request. Before struts, I use to > > allocate the resource, call request.setAttribute() with the resource > > object, call request dispatcher (to do jsp presentation), then clean > > up the resource back in the servlet upon return. In struts, this has > > all been abstracted out. Is there an alternative way to manage > > request-scoped resources like this under struts? > > > > thanks, > > jeff > > >
Managing resource life cycle during request
I was wondering how other people deal with physical resource objects (eg. db result sets, etc.) during a request. Before struts, I use to allocate the resource, call request.setAttribute() with the resource object, call request dispatcher (to do jsp presentation), then clean up the resource back in the servlet upon return. In struts, this has all been abstracted out. Is there an alternative way to manage request-scoped resources like this under struts? thanks, jeff
Re: Wizard form approach
Look at the mail archives. Basically, you carry two extra fields on your form, 'CurrentPage' and 'NextPage'. When validate is called, do validation against fields on the CurrentPage. - jeff - Original Message - From: "Todd Story" <[EMAIL PROTECTED]> To: "Struts-User (E-mail)" <[EMAIL PROTECTED]> Sent: Monday, June 04, 2001 10:28 AM Subject: Wizard form approach > Is anyone currently using multiple pages (same ActionForm) in a wizard-esque > manner? If so, how are you doing validation without knowing the details of > which elements are displayed on which page? In other words I'd like some > fields to be required without having the user to go back 3 pages. Thanks. >
Re: LIKE with PrepareStatement
Ted,

I am assuming your query uses bind variables and you already know that offsets start with 1, and not 0. So besides that, the way I would get around this is by doing something like this:

// wrap the search term in wildcards, then bind the whole pattern as the parameter value
searchStr = "%" + searchStr + "%";
String strSql = "select x from y where y.z like ?";
ps.setString(1, searchStr);

- Original Message -
From: "Ted Husted" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 31, 2001 3:58 PM
Subject: OT: LIKE with PrepareStatement

> Not directly Struts related, but anyway, I'm trying to use "LIKE '%?%'"
> as part of a prepared statement, but it's coming back invalid array
> index. Apparently, the symbols are hiding the question mark. Anyone know
> a way around this, besides doing the substitution and escape-coding the
> old-fashioned way?
>
> -- Ted Husted, Husted dot Com, Fairport NY USA.
> -- Custom Software ~ Technical Services.
> -- Tel 716 737-3463.
> -- http://www.husted.com/about/struts/
>
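An added example (not code from the original posts) of binding a LIKE pattern through a PreparedStatement while treating any `%` or `_` typed by the user as literal characters. The table and column names are the placeholders used in the message above; the `!` escape character, the class name and the helper names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class LikeSearch {

    // Escape character declared in the SQL ESCAPE clause below (assumption: '!').
    private static final char ESC = '!';

    /**
     * Builds a "contains" pattern for LIKE. The wildcards are added here, in
     * the bound value, never inside the SQL text: a '?' inside quotes such as
     * '%?%' is a literal character, not a parameter marker.
     * User-supplied '%', '_' and the escape character itself are prefixed
     * with ESC so they match literally instead of widening the search.
     */
    static String containsPattern(String term) {
        StringBuilder sb = new StringBuilder("%");
        for (char c : term.toCharArray()) {
            if (c == '%' || c == '_' || c == ESC) {
                sb.append(ESC);
            }
            sb.append(c);
        }
        return sb.append('%').toString();
    }

    /**
     * Runs the search. The statement text is constant; only the pattern is
     * bound, so the search term cannot change the shape of the query.
     * Note: some databases treat further characters as LIKE wildcards
     * (SQL Server also gives '[' a special meaning); extend the escaping
     * for the database actually in use.
     */
    static List<String> search(Connection con, String term) throws SQLException {
        String sql = "select x from y where y.z like ? escape '!'";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, containsPattern(term)); // parameter offsets start at 1
            try (ResultSet rs = ps.executeQuery()) {
                List<String> out = new ArrayList<>();
                while (rs.next()) {
                    out.add(rs.getString(1));
                }
                return out;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain term and one containing wildcards.
        String[] samples = { "struts", "100%_done", "wow!" };
        for (String s : samples) {
            System.out.println(s + " -> " + containsPattern(s));
        }
    }
}
```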
Re: Any hosting sites that use Struts?
Problem is I'm looking for a hosting facility that offers Java + ASP hosting. Usually, I find these services lean one way or another. A bit off subject, but I'm wondering how these providers have their environment setup so that each user can have a separate App Server / VM, classpath, etc. and can be managed separately (on NT). If anyone knows, I'd be interested to hear from you... Tnx. - Original Message - From: Tom Miller To: [EMAIL PROTECTED] Sent: Thursday, May 31, 2001 10:30 AM Subject: Re: Any hosting sites that use Struts? I've had small Struts web apps hosted on www.aoindustries.com for several months now, and am happy with the service. They provide the entire Jakarta project software suite. They are a small shop, but have very friendly, competent tech support. Jeff Trent wrote: Anyone know of a hosting facility that offers Java web hosting + Struts?-- Tom Miller Miller Associates, Inc. [EMAIL PROTECTED] 641.469.3535 Phone 413.581.6326 FAX
Re: Precompiling JSP Pages?
This is definitely cool. Anyone know if such a thing exists for Tomcat? -jt - Original Message - From: "Marc S. Penner" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, May 31, 2001 3:12 PM Subject: Re: Precompiling JSP Pages? > This is the rule that I have used in the build.xml file for pre-compiling > JSPs using WebLogic 6.0 jspc via an Ant build. Obviously the properties > (e.g. CLASSPATH) and paths need to be set up properly for this to work. > > > > classpath="${CLASSPATH};${SRC_DIR}\docroot;${PROJECT_HOME}\stage" > classname="weblogic.jspc" > fork="yes"> > > > > > > > > > > > Marc > > > _ > Do You Yahoo!? > Get your free @yahoo.com address at http://mail.yahoo.com > >
Re: Grid Support in Struts
I guess you didn't look very hard. There are examples as early as yesterday in the archives. - Original Message - From: "du Clos, John" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, May 31, 2001 9:19 AM Subject: Grid Support in Struts > > We currently have a business requirement to provide a "grid" type of > interface as part of many web pages in our design. I searched the list for > Grid examples or support and did not find anything. Has anyone implemented > a psudo grid function using Struts... that would support the following: > > col1 col2 col3 > ___ ___ ___ > row 1 |__ | |___| |__| > ___ ___ ___ > row 2 |__ | |___| |__| > ___ ___ ___ > row 3 |__ | |___| |__| > ___ ___ ___ > row 4 |__ | |___| |__| > > . > . > > Essentially, i believe we are looking for a solution that supports a > 2-dimensional array so we can reference it as ObjName(row,col). I read the > iterate tag documentation, but did not seem to be well suited for > multi-dimension. Any suggestions would be greatly appreciated. > > The additional business requirement is that we allow user to dynamically add > rows and columns... i found something on the list to support dynamically > adding rows w/iterate and some coding on the jsp, but nothing on dynamic > columns > > Thanks, > JD > > >
Re: Potential Security Flaw in Struts MVC
I'm sure my ears will be ringing at home that night :^)

- Original Message -
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 31, 2001 1:01 AM
Subject: Re: Potential Security Flaw in Struts MVC

>
>
> On Mon, 7 May 2001, Jeff Trent wrote:
>
> > Ah, this may be a problem in the way I've adapted Struts. I reflect all UserForm method calls directly into the contained User object owned by the UserForm. So for instance, I have
> >
> > public class UserForm extends ActionForm
> > {
> >     protected User user;
> >
> >     ...
> >
> >     public String getName()
> >     {
> >         return user.getName();
> >     }
> >
> >     public void setName(String name)
> >     {
> >         user.setName(name);
> >     }
> >
> >     ...
> >
> > }
> >
> > Now can you begin to see my original concern? Maybe I need to
> > separate the model from the form a little more than what I have.
> >
>
> This is where I can step in (better late than never :-) and point out that
> this is *not* the recommended design pattern for form beans. They really
> should be independent, and you really should decide what properties should
> be copied from UserForm to User in your Action (or the business logic that
> it calls).
>
> The important issue here -- and it's not unique to Struts, the issue is
> common to all web application environments -- is that you have absolutely
> zero control over what the client decides to send you. For example, if
> you rely on client side JavaScript for field validation, what happens when
> your client turns JavaScript off? You get garbage input, so you should
> always be paranoid and validate (again) on the server side.
>
> In the case at hand, nothing stops your user from logging on (so your
> security checks won't catch anything) and then hand typing a URL with
> query string parameters that maliciously or accidentally try to change
> things in the system. If the user is successful at doing this, it's shame
> on the app developer for listening to request parameters that you
> shouldn't.
>
> Of course, you need to take other defensive measures as well (like using
> the transaction control support to avoid accidental or malicious resubmits
> of the same data).
>
> For those of you going to JavaOne, I'm hosting a BOF on Thursday night at
> 7pm (BOF #1291) called "Approaches to User Authentication and Access
> Control in Web Applications". This discussion has given me some
> additional topical material to make sure that we cover.
>
> > - jeff
> >
>
> Craig McClanahan
>
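The binding problem discussed in this thread, as an added example that is not code from the original posts or from Struts: a form whose setters delegate straight into the model, next to an independent form bean whose values the action validates and copies explicitly. The `role` property, the `populate` helper (a simplified stand-in for what `BeanUtils.populate` does) and the sample request parameters are assumptions constructed for illustration.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;

public class FormBindingDemo {

    /** Domain object. "role" (hypothetical) must never be settable from a request. */
    public static class User {
        private String name = "jeff";
        private String role = "user";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getRole() { return role; }
        public void setRole(String role) { this.role = role; }
    }

    /** Pattern from the thread: every form setter writes straight into the model. */
    public static class DelegatingUserForm {
        private final User user;
        public DelegatingUserForm(User user) { this.user = user; }
        public void setName(String v) { user.setName(v); }
        public void setRole(String v) { user.setRole(v); }
    }

    /** Independent form bean: plain strings, only the fields the page really shows. */
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String v) { this.name = v; }
    }

    /**
     * Simplified stand-in for bean population: one setter call per request
     * parameter, driven entirely by the names the client chose to send.
     */
    static void populate(Object bean, Map<String, String> params) throws Exception {
        for (Map.Entry<String, String> p : params.entrySet()) {
            String key = p.getKey();
            if (key.isEmpty()) {
                continue;
            }
            String setter = "set" + Character.toUpperCase(key.charAt(0)) + key.substring(1);
            try {
                Method m = bean.getClass().getMethod(setter, String.class);
                m.invoke(bean, p.getValue());
            } catch (NoSuchMethodException ignored) {
                // The bean has no such property, so the parameter is dropped.
            }
        }
    }

    /** What the action does: validate again on the server, then copy only what this operation may change. */
    static void applyProfileUpdate(UserForm form, User user) {
        String name = form.getName();
        if (name == null || name.trim().isEmpty() || name.length() > 64) {
            throw new IllegalArgumentException("invalid name");
        }
        user.setName(name.trim());
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the HTML form only has a "name" field,
        // but the client appended an extra "role" parameter.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "Jeff T.");
        params.put("role", "admin");

        // Delegating form: the extra parameter reaches User.setRole().
        User exposed = new User();
        populate(new DelegatingUserForm(exposed), params);
        System.out.println("delegating form:  name=" + exposed.getName() + " role=" + exposed.getRole());

        // Independent form: "role" has no setter on the form and is never copied.
        User guarded = new User();
        UserForm form = new UserForm();
        populate(form, params);
        applyProfileUpdate(form, guarded);
        System.out.println("independent form: name=" + guarded.getName() + " role=" + guarded.getRole());
    }
}
```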
Re: Question on the ActionForm design for dynamic data?
Here are two examples: This handles simple checkbox arrays. --- However, if you want to have rows of data (more then just checkbox's), I needed to do something like this: <% int i = 0; %> <% i++; %> Not the prettiest, but it works. - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, May 30, 2001 12:39 PM Subject: Re: Question on the ActionForm design for dynamic data? > Hi Jeff, > > Does this really work for you ? It works fine for me, to put the information to > the screen, but the setting of the data back to the form on the return journey, > does not work for me. If the automatic calling of the setters supposed to work? > > I have code as below ... But the call > getRow.getElementAt(X).setCounterpartySelected(true); does not get called !!! > In your example, are the text values in your form REALLY being updated ? > > <% int i = 0; %> > id="row"> > > > > > > > > > <% i++; %> > > > Thanks in advance > Andre Glauser. > > -- -- > > >(1) Have a Vector / Collection of contributors (ie. > getContributors()) >belonging to your form. Inside that function, check to see if > you need >more rows by using code similar to the following: > >public Vector getCustomerContacts() > >CustomerContact lastCustomerContact = >(CustomerContact)this.customerContacts.lastElement(); >if (!lastCustomerContact.isEmpty()) >// is this slot being used? >this.customerContacts.addElement(new > CustomerContact()); >// always have one available slot at the end of the matrix > >return this.customerContacts; >} > >(2) Do not use the reset() method. 
> >(3) On your JSP, use code like this: ><% int i = 0; %> > name="adminUpdateProfileForm" >property="customerContacts"> > >name="customerContact[<%= i %>].contactName" value="<%= > > ((com.domain.project.CustomerContact)customerContact).getContactName() >%>"> >name="customerContact[<%= i %>].contactTitle" value="<%= > > ((com.domain.project.CustomerContact)customerContact).getContactTitle() >%>"> >name="customerContact[<%= i %>].contactPhone" value="<%= > > ((com.domain.project.CustomerContact)customerContact).getContactPhone() >%>"> > > <% i++; %> > > >(4) Have a button on the form "Add more rows" in which case the > form >posts to itself and will cause a new row to be added at the > bottom of >the grid. > > >Hope this help, >Jeff > >
Any hosting sites that use Struts?
Anyone know of a hosting facility that offers Java web hosting + Struts?
Re: Sample HDML/Wireless Struts Application
Never wrote a wireless app, but the code looks real nice... - Original Message - From: "Richard Backhouse" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, May 29, 2001 7:55 PM Subject: Sample HDML/Wireless Struts Application > For anyone who is interested, I have put together a sample hdml/wireless based > struts application. > > You can get the source and a pre-build j2ee binary at : > > http://www.oakgrovesoftware.com/~rbackhouse > > It is a simple shared contact database that phone users can access and > add/edit/delete contacts. You should be be able to getting it running with > either the default setup of JBoss/Tomcat or Orion. > > There is more information at the above link. > > Richard Backhouse > Oak Grove Software >
Re: Donating Xml Configurable Character filter
I disagree with this proposal. Your so-called disallowed characters could be perfectly reasonable in certain contexts. For example, question marks are perfectly valid for capturing dialog. Parens are perfectly valid when capturing phone numbers, etc. There is some merit to your basic idea, however. I think what is instead needed is a way to encode/decode these special characters before they reach the form and once again before they reach the database. For example, '%' has special meaning on most relational databases so it would be nice to have an encoder (not a filter) which can handle the encode/decode process seamlessly. But on the other hand, this is not the goal of the struts framework. While you can argue that this encode/decode feature is appropriate for the form accessors, I doubt struts will ever provide for a way to encode/decode your db access. - jeff - Original Message - From: "Jonathan" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, May 23, 2001 3:24 PM Subject: Re: Donating Xml Configurable Character filter > If you look closely, you will first see that the mapping is in memory, and > that it only does conversions for values that are in the map. What is not > in the map is not changed. If a value IS in the map, it will convert it to > what you have mapped it to. Regarding "overkill", it may or may not be. I > needed to use it because we are having the biggest problems with xml, > unicode characters, utf-8, and internationalization. It is not necessarily > to be used on the web tier alone, although it can be. You guys use that > "fast Hash Map", which could be employed here since it's read only. Also, > people on the list have been looking for a character filter, and here is > one. It may be useful or not. 
You guys are the brains around here ;^> I'm > just trying to learn from you.=) > > Jonathan > > - Original Message - > From: "Nanduri, Amarnath" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, May 23, 2001 1:54 PM > Subject: RE: Donating Xml Configurable Character filter > > > > Hi Jonathan, > > > > This is interesting stuff you are sending. Don't you think it is a > bit > > of an overkill ? Correct me if i am wrong, on a heavy traffic website i am > > thinking this might slow down the applicationa lot. I am thinking of a > > simple filter which use the methods that String class provides. > > > > I think you can basically convert every string into a char array. > > Depending on the flag you convert either the allowedCharacters (or) > > disallowedCharacters into a char array. For every element of this array > you > > try to find an index into this input String. If index is != -1, the > > character is present in the input string. You then decide what you want to > > do with the character. Since i will be dealing with international > characters > > aswell, i can put the characters as an unicode value in the properties > file. > > That way i will have flexibility and ease of maintenance of the character > > set that i want to control in an application. Since the user input (per > > field) can at the max be around 50-250 characters, i don't think it will > be > > a performance hit. On a heavy volume application ( with > 100 users at a > > time ) i wonder what will be the performance hit ? I would really > appreciate > > your feedback on this. Thanks a lot. > > > > cheers, > > Amar.. 
> > > > > > -Original Message- > > From: Jonathan [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, May 23, 2001 1:03 PM > > To: [EMAIL PROTECTED] > > Subject: Donating Xml Configurable Character filter > > > > > > > > Character Filter Donation > > > > > > - Original Message - > > From: "Nanduri, Amarnath" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Wednesday, May 23, 2001 9:39 AM > > Subject: Suggestions for Struts 1.1 TODO LIST Request Filtering > > technology for Struts > > > > > > > Hi Everybody, > > > > > > I would really like the opinion of the big heavyweights who > designed > > > this framework. I have a small but important suggestion to make for the > > > struts 1.1 todo list. > > > So far struts does not implement a filtering technology for incoming > > > requests which is very important in this hacker dominated world. I have > a > > > simple solution / change that can be made to the current version of > > struts > > > which would implement this filtering technology. This filter basically > > > filters out unwanted characters submitted by the user so that the > > database > > > will not be harmed. I propose that the BeanUtils.populate() method be > > > modified to include a filter(before calling the setters on the > > corresponding > > > form object). The filter() method takes the bad / unwanted characters > out > > > and give back a clean string. This clean string is then set in the > > > corresponding form setter method. This filter would read from a > > properties > > > file the following crite
Re: Architecture for a form-wizzard
I used one form bean and kept a field in it called 'page'. When validate is called, it only validates that one page. However, a few things I found was this: * By default, turn validate off (in struts-config). Call validate yourself from the action class. * Override reset() to do nothing. Other than that, its mostly cut and dry. Check out the mail archives for more example of wizards. - Original Message - From: "Jan Fredrik Øveraasen" <[EMAIL PROTECTED]> To: "STRUTS (E-mail)" <[EMAIL PROTECTED]> Sent: Wednesday, May 23, 2001 5:30 AM Subject: Architecture for a form-wizzard Hi I`m building a site that uses a application form that spans over several pages. How should I design this application? 1. With formBeans for every page 2. One formBean for the entire application form All suggestions appreciated Jan Fredrik ___ Jan Fredrik Øveraasen | Senior Systems Developer ___ Cell Network ASA | Pb. 5313, Sørkedalsv. 10A, N-0304 Oslo, Norway ___ Tel: +47 23196600/35 | Fax: +47 23196601 | Mob: +47 93 49 99 88 ___ http://www.cellnetwork.com/ | mailto:[EMAIL PROTECTED]
Re: Question on the ActionForm design for dynamic data?
Title: RE: Question on the ActionForm design for dynamic data? Yes & Yes. While the form will be automatically populated, you will, however, need to write your own validation for the form & collection(s). - Original Message - From: Joyce Tang To: 'Jeff Trent ' Sent: Monday, May 21, 2001 7:56 PM Subject: RE: Question on the ActionForm design for dynamic data? Thank you Jeff. I am wondering if the Struts can handle the validation of each row? In the same time, will the form be automatically populated by the form? Thanks -Original Message- From: Jeff Trent To: [EMAIL PROTECTED] Sent: 5/20/01 5:11 AM Subject: Re: Question on the ActionForm design for dynamic data? (1) Have a Vector / Collection of contributors (ie. getContributors()) belonging to your form. Inside that function, check to see if you need more rows by using code similar to the following: public Vector getCustomerContacts() { CustomerContact lastCustomerContact = (CustomerContact)this.customerContacts.lastElement(); if (!lastCustomerContact.isEmpty()) // is this slot being used? this.customerContacts.addElement(new CustomerContact()); // always have one available slot at the end of the matrix return this.customerContacts; } (2) Do not use the reset() method. (3) On your JSP, use code like this: <% int i = 0; %> property="customerContacts"> name="customerContact[<%= i %>].contactName" value="<%= ((com.domain.project.CustomerContact)customerContact).getContactName() %>"> name="customerContact[<%= i %>].contactTitle" value="<%= ((com.domain.project.CustomerContact)customerContact).getContactTitle() %>"> name="customerContact[<%= i %>].contactPhone" value="<%= ((com.domain.project.CustomerContact)customerContact).getContactPhone() %>"> <% i++; %> (4) Have a button on the form "Add more rows" in which case the form posts to itself and will cause a new row to be added at the bottom of the grid. 
Hope this help, Jeff - Original Message - From: Joyce Tang <mailto:[EMAIL PROTECTED]> To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> Sent: Saturday, May 19, 2001 11:28 PM Subject: Question on the ActionForm design for dynamic data? Here is the situation. I am developing a system to maintain a contribution plan. I need to input the plan information first and add unlimited number of contributors, specifying each share of the plan. So there will be a page with contribution plan information and a list of all the contributors. The information you can edit on this page is the percentage of share of each contributor. Validation rules are: share need to add up to 100 and share figure is an integer between 0 and 100. Since the number of contributors is unknown in advance, how should I design the ActionForm? Thanks a lot, Joyce
Getting Base deployment directory (Tomcat)
Quick Tomcat question: How can I retrieve the base deploy directory name so that I can use absolute URL paths to my action forms within an HREF? Thanks, Jeff
Re: Question on the ActionForm design for dynamic data?
(1) Have a Vector / Collection of contributors (i.e. getContributors()) belonging to your form. Inside that function, check to see if you need more rows by using code similar to the following:

public Vector getCustomerContacts()
{
    // always have one available slot at the end of the matrix;
    // lastElement() throws on an empty Vector, so check for that first
    if (this.customerContacts.isEmpty()
            || !((CustomerContact) this.customerContacts.lastElement()).isEmpty()) // is the last slot being used?
        this.customerContacts.addElement(new CustomerContact());
    return this.customerContacts;
}

(2) Do not use the reset() method.

(3) On your JSP, use code like this:

<% int i = 0; %>
<% i++; %>

(4) Have a button on the form "Add more rows" in which case the form posts to itself and will cause a new row to be added at the bottom of the grid.

Hope this helps,
Jeff

- Original Message -
From: Joyce Tang
To: [EMAIL PROTECTED]
Sent: Saturday, May 19, 2001 11:28 PM
Subject: Question on the ActionForm design for dynamic data?

Here is the situation. I am developing a system to maintain a contribution plan. I need to input the plan information first and add unlimited number of contributors, specifying each share of the plan. So there will be a page with contribution plan information and a list of all the contributors. The information you can edit on this page is the percentage of share of each contributor. Validation rules are: share need to add up to 100 and share figure is an integer between 0 and 100. Since the number of contributors is unknown in advance, how should I design the ActionForm?

Thanks a lot,
Joyce
Re: Indexed Grid Representation on a Form
What really is needed is a new html tag called "grid" or something that handles this more gracefully. Using the iterate tag seems to be a waste since I'm not really using it for anything other than a counter placeholder. I know it's a departure from standard HTML form types but who the hell cares. This would be a really useful addition instead of mixing html tags in with the iterate tag to accomplish something that should be simple. Maybe I'll write a taglib for this... So reading your comments, Jim, it sounds like you're using code analogous to this but your implementation uses a map instead (?) BTW, now that I'm using html field names like customerContactName[0].title, I find that conventional javascript to set focus doesn't work - I get javascript errors. Any ideas how to reference these fields? thanks, jeff - Original Message - From: "Jim Richards" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, May 17, 2001 10:24 PM Subject: Re: Indexed Grid Representation on a Form > > It should be: > > <% int i = 0; %> > > <% i++ ; %> > "/> > > > > You need to replace the whole string. The exception would have been from > the BeanUtils not able to understand what the [i] would have meant. If you > have an iterator in a scriptlet, then you need to always use a scriptlet > to access it. Usually. Mostly. > > I had a feeling there was a change made to iterate recently to give you > an index value, but I can't remember what it was. > > I usually use a Map and have the key as the integer value in the index > for the entry. Works well when you don't have linear numbering in the > list of key/value pairs. >
Re: Indexed Grid Representation on a Form
I ended up getting it to work thru this hack below. I'd be curious if someone was able to do this dynamic grid entry gracefully using struts!!! <% int i = 0; %> - Original Message - From: Jeff Trent To: [EMAIL PROTECTED] Sent: Thursday, May 17, 2001 10:12 PM Subject: Re: Indexed Grid Representation on a Form No, this still generates an exception. If I substitute i for 0 in your below example it works but that doesn't help me for the iteration. Thanks, jeff. - Original Message - From: Nanduri, Amarnath To: '[EMAIL PROTECTED]' Sent: Thursday, May 17, 2001 5:39 PM Subject: RE: Indexed Grid Representation on a Form <% int i = 0; %> <% i++ ; %> -Original Message-From: Jeff Trent [mailto:[EMAIL PROTECTED]]Sent: Thursday, May 17, 2001 3:58 PMTo: [EMAIL PROTECTED]Subject: Indexed Grid Representation on a Form I think this should work (but obviously it doesn't). Can anyone tell me why? <% int i = 0; %> Where getCustomerContacts() returns a vector of CustomerContact objects & getCustomerConact(int offset) returns an CustomerContact element from that vector. thanks, jeff
Re: Indexed Grid Representation on a Form
No, this still generates an exception. If I substitute i for 0 in your below example it works but that doesn't help me for the iteration. Thanks, jeff. - Original Message - From: Nanduri, Amarnath To: '[EMAIL PROTECTED]' Sent: Thursday, May 17, 2001 5:39 PM Subject: RE: Indexed Grid Representation on a Form <% int i = 0; %> <% i++ ; %> -Original Message-From: Jeff Trent [mailto:[EMAIL PROTECTED]]Sent: Thursday, May 17, 2001 3:58 PMTo: [EMAIL PROTECTED]Subject: Indexed Grid Representation on a Form I think this should work (but obviously it doesn't). Can anyone tell me why? <% int i = 0; %> Where getCustomerContacts() returns a vector of CustomerContact objects & getCustomerConact(int offset) returns an CustomerContact element from that vector. thanks, jeff
Indexed Grid Representation on a Form
I think this should work (but obviously it doesn't). Can anyone tell me why? <% int i = 0; %> Where getCustomerContacts() returns a vector of CustomerContact objects & getCustomerConact(int offset) returns an CustomerContact element from that vector. thanks, jeff
Can a Multibox be wired to use Vectors instead of String[]
I'd like my getters and setters on the form to use Vectors instead of string arrays. Can this be accomplished? When I tried I got the following exception:

Error: 500
Location: /csr/admin/seq_participant.do
Internal Servlet Error:

javax.servlet.ServletException: BeanUtils.populate
    at org.apache.struts.util.RequestUtils.populate(RequestUtils.java, Compiled Code)
    at org.apache.struts.action.ActionServlet.processPopulate(ActionServlet.java:1910)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1521)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:509)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
    at org.apache.tomcat.core.Handler.service(Handler.java:286)
    at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
    at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
    at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
    at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
    at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java, Compiled Code)
    at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java, Compiled Code)
    at java.lang.Thread.run(Thread.java:479)
Re: page flow control
Do search for "Wizard" in mail-archive.com under struts-user. You'll find a few examples. - jeff - Original Message - From: "Nathan Coast" <[EMAIL PROTECTED]> To: "struts-user" <[EMAIL PROTECTED]> Sent: Wednesday, May 16, 2001 10:09 AM Subject: page flow control > Hi, > > In the site I'm developing, there are sections that have forms on consecutive > pages, I want to guarantee that pages are navigated: page1 -> page2 -> pageN. > At the same time allowing back and forward navigation to change values entered > on previous pages. After the last submit, the only valid page in the sequence > is then page1. I've had a look at the Struts Token functionality but I don't > think it can support this functionality. Is it possible with Tokens or some > other way? > > Thanks in advance > Nathan > >
Re: is it a bug of CheckboxTag
BTW, I found that this type of logic (forward) doesn't work if you are using templates. I needed to resort to redirects. - jeff - Original Message - From: "Jim Richards" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, May 15, 2001 1:52 AM Subject: Re: is it a bug of CheckboxTag > > Set the value to true in the ActionForm reset() method. > > Another thing is that you shouldn't call .jsp pages directly. They > should always be called through an Action first. From the exmaple, > the subscription page is called through (I think) editSubscription.do > to populate the form, and then forward to the .jsp page. > > At the top of the .jsp page you can then put something like > (and this is from memory, so I'm not sure of the exact > syntax) > > > > > > > JeanX wrote: > > > > Jim Richards wrote at 2001-05-15 14:48:00, > > >JeanX wrote: > > >> If I uncheck a checkbox, there is no corresponding parameter pair in request. > > >> So I can not get the right status of certain form. > > >> How to resolve it ? > > > > > >In you ActionForm reset method you need to set all the checkbox values > > >to false, as reset() is called before the form is populated. > > > > > >That way, the only values that get sent are the ones that need to be > > >set to true, and the ActionForm is correctly set. > > > > So if I wanna some checkbox default true, > > How can I do? >
Re: iterate header/footer
Title: iterate header/footer Mike, You should use the Tag. For example: <...table header...> See the mail archives for more info. - Original Message - From: Perham, Mike To: '[EMAIL PROTECTED]' Sent: Monday, May 14, 2001 8:17 PM Subject: iterate header/footer The main issue I have with the logic:iterator tag is the lack of support for iteration headers/footers. Is there some sort of support for this currently that I've missed? I'm talking about this: Name This would prevent any HTML from being generated if the collection is empty. I tried using the greaterThan tag but it does not support the Collection.size() property (since it's not a proper bean property name). Any suggestions as to how best to put this into Struts? Is the header/footer tag a good or bad idea and why? Mike
Initialization of Request-Scoped Objects
When myAction.do is called, I have a chance within reset() to initialize my request-scoped objects. However, if myAction.jsp is called instead then I can't seem to find a way to get initialized. Are there any methods called in my Action class when the .jsp file is invoked instead of the .do file?
Re: Checkbox Arrays
I don't know if this is the right thread. But I just got multibox working in my app (including preservation of checkbox entries between forwards). Let me share with you what I have to see if this helps:

in Jsp: (cleanSolutionAreaTypes in an Application-scoped Vector)

Solutions Area*

in Form:

    protected String[] solutionAreaTypes = new String[0];

    public String[] getSolutionAreaTypes() {
        return solutionAreaTypes;
    }

    public void setSolutionAreaTypes(String[] solutionAreaTypes) {
        this.solutionAreaTypes = solutionAreaTypes;
    }

What was causing me some exceptions was this. I originally used another application-scoped vector called "solutionAreaTypes" for other purposes (like drop-down lists). That Vector contains an entry that has a null ID value (eg. name = "--specify--" value=""). This was causing Struts to throw a non-intuitive exception. I then created another Vector without this entry in it and everything seems to work fine now. Of course I've only gotten it to work about 15 minutes ago so I'll let you know later if it really works ;-)

- jeff

----- Original Message -----
From: "Peter Alfors" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 10, 2001 2:01 PM
Subject: Re: Checkbox Arrays

> Try pulling the bean value out into a script variable.
> Taglibs cannot be nested within another taglib as an attribute.
>
>
> Tony Karas wrote:
>
> > Yeah - I'm looking at that. My problem now is how to get the value for each
> > checkbox. My bean has an "id" property - so I have tried this kind of
> > thing:
> >
> > "/>
> >
> > But it doesn't like having the bean:write embedded there. Am I missing
> > something obvious?
> > > > Many thanks > > Tony > > > > >From: Peter Alfors <[EMAIL PROTECTED]> > > >Reply-To: [EMAIL PROTECTED] > > >To: [EMAIL PROTECTED] > > >Subject: Re: Checkbox Arrays > > >Date: Thu, 10 May 2001 11:09:18 -0500 > > > > > >Im not sure how the ActionForm changes things, but without an actionform > > >your > > >could do this > > > > > >Each checkbox can have the same name, but a different value. > > >When the form is submitted, the checkboxes that have been checked are in > > >the > > >request. > > >You can use the request.getParameterValues("checkBoxName") to retrieve a > > >string > > >array of the values for the checked boxes. > > > > > >HTH, > > > Pete > > > > > >Tony Karas wrote: > > > > > > > Can anyone help with this? > > > > > > > > I have an array of checkboxes in my ActionForm represented by > > > > > > > > boolean[] delete; > > > > > > > > and I have a setter function > > > > > > > > public void setDelete( boolean[] values ) > > > > { > > > > delete = values; > > > > } > > > > > > > > The problem is that I have only checkboxes that are checked get sent > > >back - > > > > so if one checkbox is checked all I get is an array of length 1. > > >Therefore, > > > > it is not possible for me to determine which checkbox has been checked. > > > > > > > > In the documentation it tells me to use reset() in ActionForm to > > >initialise > > > > the values - but this will only work with single checkboxes and not > > >arrays. > > > > > > > > I think I'm stuck. Is there anyway I can determine which checkbox has > > >been > > > > checked - maybe I can get the value to differ for each checkbox. Will > > >look > > > > in to that. > > > > > > > > Cheers > > > > Tony > > ><< peter.alfors.vcf >> > > > > _ > > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. >
Re: Bug in order of error presentment (html:error)
Thanks for the input Martin. This is helpful. Just curious, what is the advantage in using the property name as opposed to GLOBAL_ERROR? - Original Message - From: "Martin Cooper" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, May 10, 2001 12:02 AM Subject: Re: Bug in order of error presentment (html:error) > The order of errors for a given property name will be preserved. However, > the error lists are stored in a HashMap with the property name as the key, > so the iteration order of those is not defined. > > If you are just using (that is, you are not specifying the > property attribute), then you might consider using a common property name, > or just ActionErrors.GLOBAL_ERROR. That way, all of your errors will be > preserved in the order in which you added them. > > Alternatively, you could use multiple instances of the tag, > one for each property, like this: > > > > > > Given your example, this isn't very practical for your situation, but it > might be useful in cases where multiple errors for each of a small number of > properties is typical. > > -- > Martin Cooper > > > - Original Message - > From: "Jeff Trent" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, May 09, 2001 1:46 PM > Subject: Bug in order of error presentment (html:error) > > > In Form.Validate() > { > ... > if (getCustomerContactName().length() <= 1) > errors.add("customerContactName", new > ActionError("error.customercontactname.required")); > > if (getCustomerContactPhone().length() <= 1) > errors.add("customerContactPhone", new > ActionError("error.customercontactphone.required")); > > if (getCustomerContactEmail().length() <= 1) > errors.add("customerContactEmail", new > ActionError("error.customercontactemail.required")); > ... 
> } > > In Properties file: > error.customercontactname.required=Contact Name is a required > field > error.customercontactphone.required=Contact Phone is a required > field > error.customercontactemail.required=Contact Email is a required > field > > Output from html:errors: > Contact Phone is a required field > Contact Name is a required field > Contact Email is a required field > > > Note the ordering. Name should have preceded Phone. > > > > >
Re: Bug in order of error presentment (html:error)
Unless it's implemented in terms of a hashtable, no.

----- Original Message -----
From: Nanduri, Amarnath
To: '[EMAIL PROTECTED]'
Sent: Wednesday, May 09, 2001 4:54 PM
Subject: RE: Bug in order of error presentment (html:error)

I don't think it is a bug. I think the is using an Iterator. There is no guarantee of ordering in an Iterator. Correct me if I am wrong.

cheers,
Amar..

-----Original Message-----
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 09, 2001 4:47 PM
To: [EMAIL PROTECTED]
Subject: Bug in order of error presentment (html:error)

In Form.Validate()
{
    ...
    if (getCustomerContactName().length() <= 1)
        errors.add("customerContactName", new ActionError("error.customercontactname.required"));

    if (getCustomerContactPhone().length() <= 1)
        errors.add("customerContactPhone", new ActionError("error.customercontactphone.required"));

    if (getCustomerContactEmail().length() <= 1)
        errors.add("customerContactEmail", new ActionError("error.customercontactemail.required"));
    ...
}

In Properties file:
    error.customercontactname.required=Contact Name is a required field
    error.customercontactphone.required=Contact Phone is a required field
    error.customercontactemail.required=Contact Email is a required field

Output from html:errors:
    Contact Phone is a required field
    Contact Name is a required field
    Contact Email is a required field

Note the ordering. Name should have preceded Phone.
Bug in order of error presentment (html:error)
In Form.Validate()
{
    ...
    if (getCustomerContactName().length() <= 1)
        errors.add("customerContactName", new ActionError("error.customercontactname.required"));

    if (getCustomerContactPhone().length() <= 1)
        errors.add("customerContactPhone", new ActionError("error.customercontactphone.required"));

    if (getCustomerContactEmail().length() <= 1)
        errors.add("customerContactEmail", new ActionError("error.customercontactemail.required"));
    ...
}

In Properties file:
    error.customercontactname.required=Contact Name is a required field
    error.customercontactphone.required=Contact Phone is a required field
    error.customercontactemail.required=Contact Email is a required field

Output from html:errors:
    Contact Phone is a required field
    Contact Name is a required field
    Contact Email is a required field

Note the ordering. Name should have preceded Phone.
Re: Override Input Form / JSP when Errors Are Encountered
Ah, okay. So I should call validate() within the action class directly then? I'll play around with this approach. - Original Message - From: William Jaynes To: [EMAIL PROTECTED] Sent: Wednesday, May 09, 2001 6:58 AM Subject: Re: Override Input Form / JSP when Errors Are Encountered Use 'validate="false"' as an action attribute to prevent a return to the input page after a failed validate. Struts will continue on to the action, and you'll need to decide what to do there. - Original Message ----- From: Jeff Trent To: [EMAIL PROTECTED] Sent: Tuesday, May 08, 2001 3:16 PM Subject: Override Input Form / JSP when Errors Are Encountered When validate() returns an error collection, the framework takes me back to the input page (page1). How do I override this? I have a multi-page input wizard as shown below. I'd like to stay on the page that resulted in the error instead of going back to page 1. type="com.x.WizardAction" name="wizardForm" scope="session" input="/page1.jsp">
Re: Override Input Form / JSP when Errors Are Encountered
Are you suggesting that I put the redirect in my base input jsp on the condition that errors exist? No offense, but this seems to be a hacky approach. Are we saying here that there is no suggested struts method to handle this situation?

----- Original Message -----
From: Jonathan
To: [EMAIL PROTECTED]
Sent: Tuesday, May 08, 2001 5:43 PM
Subject: Re: Override Input Form / JSP when Errors Are Encountered

    // "Referer" is the actual header name; the client supplies its value as an absolute URL.
    String referrer = request.getHeader("Referer");
    // getRequestDispatcher() needs a context-relative path, not a full URL.
    String path = new java.net.URL(referrer).getPath().substring(request.getContextPath().length());
    RequestDispatcher requestDispatcher = request.getRequestDispatcher(path);
    requestDispatcher.forward(request, response);

----- Original Message -----
From: Jeff Trent
To: [EMAIL PROTECTED]
Sent: Tuesday, May 08, 2001 5:12 PM
Subject: Re: Override Input Form / JSP when Errors Are Encountered

That doesn't work - that is my problem. I don't have a chance to do this in my Action class since the presence of errors generated in form.validate() triggers an immediate response by the framework and redirection occurs automagically to the input form (page 1), not the page which caused the error (eg page 2).

----- Original Message -----
From: Nanduri, Amarnath
To: '[EMAIL PROTECTED]'
Sent: Tuesday, May 08, 2001 3:56 PM
Subject: RE: Override Input Form / JSP when Errors Are Encountered

instead of mapping.findForward(mapping.getInput() ) use mapping.findForward("page2 or page3" ) ;

-----Original Message-----
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 3:17 PM
To: [EMAIL PROTECTED]
Subject: Override Input Form / JSP when Errors Are Encountered

When validate() returns an error collection, the framework takes me back to the input page (page1). How do I override this? I have a multi-page input wizard as shown below. I'd like to stay on the page that resulted in the error instead of going back to page 1.

type="com.x.WizardAction" name="wizardForm" scope="session" input="/page1.jsp">
Re: Override Input Form / JSP when Errors Are Encountered
Interesting approach. Let me see if I can explain this back to you to make sure I understand what you are saying: Does your Wizard.jsp look something like this: ... And somewhere at the top you have some logic to determine which page you're on based on direction and error conditions?

***

I'm starting to feel like I'm at battle with struts! There must be a way I can hook the error checking logic to circumvent the redirect to the base input form. I guess it's time to dig thru the source code. What bothers me the most is that I feel like I'm not doing anything outrageous here.

- jeff

----- Original Message -----
From: Hicks, James
To: '[EMAIL PROTECTED]'
Sent: Tuesday, May 08, 2001 5:56 PM
Subject: RE: Override Input Form / JSP when Errors Are Encountered

Here is the way I did it:

I am using the template approach for the jsp files.

template.jsp is the template file
wizard.jsp has the template tags
wizardpageX.jsp (where X is a number and corresponds to the number of screens in your wizard) contains the presentation.

Inside of the wizardpageX.jsp there are 2 hidden fields (page and direction). page holds the number of the page we are viewing and direction holds the action we want to take (next, previous, finish, cancel). I use JavaScript to update the direction tag when one of the buttons is pushed. The ActionForm can validate the input for the page we are viewing based on the direction we want to go. If there are any errors, we forward back to wizard.jsp (the input file). wizard.jsp will look at the page property and decide which wizardpageX.jsp file to display as the body of the template.jsp. If there aren't any errors, my Action object will update the page property to the page we want to go and forward control back to wizard.jsp.

James Hicks

-----Original Message-----
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 4:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Override Input Form / JSP when Errors Are Encountered

That doesn't work - that is my problem. I don't have a chance to do this in my Action class since the presence of errors generated in form.validate() triggers an immediate response by the framework and redirection occurs automagically to the input form (page 1), not the page which caused the error (eg page 2).

----- Original Message -----
From: Nanduri, Amarnath
To: '[EMAIL PROTECTED]'
Sent: Tuesday, May 08, 2001 3:56 PM
Subject: RE: Override Input Form / JSP when Errors Are Encountered

instead of mapping.findForward(mapping.getInput() ) use mapping.findForward("page2 or page3" ) ;

-----Original Message-----
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 3:17 PM
To: [EMAIL PROTECTED]
Subject: Override Input Form / JSP when Errors Are Encountered

When validate() returns an error collection, the framework takes me back to the input page (page1). How do I override this? I have a multi-page input wizard as shown below. I'd like to stay on the page that resulted in the error instead of going back to page 1.

type="com.x.WizardAction" name="wizardForm" scope="session" input="/page1.jsp">
Re: Override Input Form / JSP when Errors Are Encountered
That doesn't work - that is my problem. I don't have a chance to do this in my Action class since the presence of errors generated in form.validate() triggers an immediate response by the framework and redirection occurs automagically to the input form (page 1), not the page which caused the error (eg page 2). - Original Message - From: Nanduri, Amarnath To: '[EMAIL PROTECTED]' Sent: Tuesday, May 08, 2001 3:56 PM Subject: RE: Override Input Form / JSP when Errors Are Encountered instead of mapping.findForward(mapping.getInput() ) use mapping.findForward("page2 or page3" ) ; -----Original Message-From: Jeff Trent [mailto:[EMAIL PROTECTED]]Sent: Tuesday, May 08, 2001 3:17 PMTo: [EMAIL PROTECTED]Subject: Override Input Form / JSP when Errors Are Encountered When validate() returns an error collection, the framework takes me back to the input page (page1). How do I override this? I have a multi-page input wizard as shown below. I'd like to stay on the page that resulted in the error instead of going back to page 1. type="com.x.WizardAction" name="wizardForm" scope="session" input="/page1.jsp">
Override Input Form / JSP when Errors Are Encountered
When validate() returns an error collection, the framework takes me back to the input page (page1). How do I override this? I have a multi-page input wizard as shown below. I'd like to stay on the page that resulted in the error instead of going back to page 1. type="com.x.WizardAction" name="wizardForm" scope="session" input="/page1.jsp">
Re: Application Scoped Object Initialization
Never mind, I found a solution in the Tomcat archives regarding this. I created a dummy servlet that initializes my singletons.

----- Original Message -----
From: Jeff Trent
To: [EMAIL PROTECTED]
Sent: Tuesday, May 08, 2001 10:51 AM
Subject: Application Scoped Object Initialization

What is the suggested method for singleton, application scoped object initialization? Where & how does it happen? I want to create a singleton containing shared cached lists to be used in populating html:options with. Thanks.
Application Scoped Object Initialization
What is the suggested method for singleton, application scoped object initialization? Where & how does it happen? I want to create a singleton containing shared cached lists to be used in populating html:options with. Thanks.
Re: Potential Security Flaw in Struts MVC
Ted, I wish I had time. Now that I have three kids I can't spend any spare cycle(s) on anything but changing diapers!

----- Original Message -----
From: "Ted Husted" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 7:46 PM
Subject: Re: Potential Security Flaw in Struts MVC

> This is open source. Anyone is welcome to jump in and join the
> "management" by submitting code.
>
> Jeff Trent wrote:
> > Therefore, if I haven't reached my quota today, I'd like to suggest to
> > management that there is a bean property (or something) that results in form
> > fields being propagated across multiple pages of my request/form and are
> > managed using hidden variables alone. This would be an alternative to using
> > session scope but would accomplish the same thing. Again, all comments are
> > welcome...
Re: Potential Security Flaw in Struts MVC
Ah, this may be a problem in the way I've adapted Struts. I reflect all UserForm method calls directly into the contained User object owned by the UserForm. So for instance, I have

    public class UserForm extends ActionForm {
        protected User user;
        ...
        public String getName() {
            return user.getName();
        }
        public void setName(String name) {
            user.setName(name);
        }
        ...
    }

Now can you begin to see my original concern? Maybe I need to separate the model from the form a little more than what I have.

- jeff

----- Original Message -----
From: Bryan Field-Elliot
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 4:38 PM
Subject: Re: Potential Security Flaw in Struts MVC

Either you are misunderstanding Struts, or I am misunderstanding you.

Struts will populate your UserForm for you, prior to your UserAction being called. However, it is your responsibility to, within UserAction, copy the values from UserForm to User.

Bryan

Jeff Trent wrote:

Bryan, This is good advice. However, I thought the beans are populated off of the request outside of the control of my Action class derivation. Therefore, copyProperties() doesn't pertain.

- jeff

----- Original Message -----
From: Bryan Field-Elliot
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 1:14 PM
Subject: Re: Potential Security Flaw in Struts MVC

There is a security risk here as you describe, if (and only if) you are using a generic introspection-based function (like Struts' PropertyUtils.copyBean) to copy the values from the UserForm object to the User object. There are several ways to avoid this --

1. Don't put an admin flag "setter" method in your User class.
2. In UserAction, don't use the generic bean copy utility -- instead, manually copy the values, excluding the admin flag.
3. As a smarter alternative to #2, don't use a generic bean copy utility -- instead, write an intelligent copy function in the User class, which "knows" that it's copying FROM a UserForm, TO a User, and therefore, skip the copying of the Admin flag.

Bryan

Jeff Trent wrote:

I may be wrong about this (only been working w/ Struts for a week now). But I do see a potential security flaw in struts that I would like to hear from others regarding.

Consider a simple set of struts classes that represent a user in a system. You would probably have classes that look something like this:

    User (the model representing the user)
    UserForm (an enrollment form for a new user)
    UserAction (Saves the UserForm information to db, etc)

The User class would have accessors and modifiers like getFirstName(), setFirstName(), getAdministrativeUserFlag(), setAdministrativeUserFlag(), etc. The basic implementation of the UserForm is to take the UI form data, introspect the beans, and call the correct modifier of the UserForm bean based on the fields contained within the UI submission/form. A developer of course would not expose the "Administrative User Flag" option on the UI for enrollment (that would be found possibly in some other administrative-level module). However, if someone is familiar with the db schema and the naming convention the developer used, that user could subvert the application by writing his own version of the UI which contains an "Administrative User Flag" field (or any other field for that matter) and the basic form processing in Struts will kindly honor the request and set the "Administrative Flag" on the user. Unless, of course, the developer makes special provisions to prevent this behavior. However, it's not entirely obvious to the struts user (in my opinion) that this is even a concern. Am I making sense here?

- jeff
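
The exposure discussed in this thread, next to the explicit-copy approach from Bryan's options 2 and 3, as an added example that is not part of the original messages and is not Struts code. The `populate` method is a simplified stand-in for introspection-based form population, and the class names, the `administrativeUserFlag` parameter and the request contents are constructed for illustration.

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;

public class MassAssignmentDemo {

    /** Model object: holds both self-service and admin-only state. */
    public static class User {
        private String name = "";
        private boolean administrativeUserFlag;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public boolean getAdministrativeUserFlag() { return administrativeUserFlag; }
        public void setAdministrativeUserFlag(boolean f) { administrativeUserFlag = f; }
    }

    /** Form shared by enrollment and admin pages: every setter writes straight into the model. */
    public static class DelegatingUserForm {
        private final User user;
        public DelegatingUserForm(User user) { this.user = user; }
        public String getName() { return user.getName(); }
        public void setName(String v) { user.setName(v); }
        public boolean getAdministrativeUserFlag() { return user.getAdministrativeUserFlag(); }
        public void setAdministrativeUserFlag(boolean v) { user.setAdministrativeUserFlag(v); }
    }

    /** Enrollment-only form: carries just the fields the enrollment page exposes. */
    public static class EnrollmentForm {
        private String name = "";
        public String getName() { return name; }
        public void setName(String v) { name = v; }
        /** Explicit copy: only enrollment fields ever reach the model. */
        public void copyTo(User user) { user.setName(name); }
    }

    /**
     * Stand-in for introspection-based population (an assumption, not the framework's code):
     * for every bean property that has a setter and a same-named request parameter,
     * call the setter with the parameter value.
     */
    public static void populate(Object bean, Map<String, String> params) throws Exception {
        BeanInfo info = Introspector.getBeanInfo(bean.getClass(), Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            Method setter = pd.getWriteMethod();
            String raw = params.get(pd.getName());
            if (setter == null || raw == null) {
                continue;
            }
            Class<?> type = pd.getPropertyType();
            Object value = (type == boolean.class) ? (Object) Boolean.valueOf(raw) : raw;
            setter.invoke(bean, value);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the enrollment page only renders "name",
        // but the client submitted one extra parameter.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("name", "Test User");
        request.put("administrativeUserFlag", "true");

        // Shared, delegating form: the extra parameter finds a setter and reaches the model.
        User viaSharedForm = new User();
        populate(new DelegatingUserForm(viaSharedForm), request);
        System.out.println("shared form     admin=" + viaSharedForm.getAdministrativeUserFlag());

        // Enrollment form plus explicit copy: the extra parameter has no setter to land on.
        User viaEnrollmentForm = new User();
        EnrollmentForm form = new EnrollmentForm();
        populate(form, request);
        form.copyTo(viaEnrollmentForm);
        System.out.println("enrollment form admin=" + viaEnrollmentForm.getAdministrativeUserFlag());
    }
}
```

With the shared form the model ends up with the admin flag set; with the enrollment form and explicit copy it stays false, because binding can only reach properties the form class actually declares.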
Re: Potential Security Flaw in Struts MVC
True, the security realm validates if the request is legal. However, if the underlying model objects are shared (User and UserForm objects in my example) for both admin and user level forms, then the request could be manipulated to set other fields beyond what was exposed for the normal user because struts takes each name, value pair in the request and calls the appropriate setter in the form for that name.

Listen, it doesn't really matter. It's highly unlikely anybody can exploit this so I'm going to drop the issue. I don't want to appear to be a flame here.

- jeff

----- Original Message -----
From: "Peter Alfors" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 4:14 PM
Subject: Re: Potential Security Flaw in Struts MVC

> Sure. You could create a jsp page that had the fields you would like, and even
> call off a remote action from your own page.
> However, if I route my actions through a security realm, then the requested
> action will be denied because the current user is not logged in. Or.. If the
> would be hacker is actually a valid user on the system and has a
> username/password, and he tries to send his own page (along with additional fields)
> it will still be caught by the security realm.
> The danger would exist if either form fields, or query string parameters were
> being used as an action flag.
> If the view, update, add, delete are different actions, then the user will be
> required to have a valid login before the action will even be executed.
>
> Pete
>
>
> Jeff Trent wrote:
>
> > No, I can write a form locally and have the action run on your server...
> >
> > ----- Original Message -----
> > From: "Peter Alfors" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, May 07, 2001 1:56 PM
> > Subject: Re: Potential Security Flaw in Struts MVC
> >
> > > Wouldn't the hacker have to get the new form class into the classpath of the
> > > server since all of the code runs server side?
> > > > > > > > > > > > Jeff Trent wrote: > > > > > > > That is not what my thinking was. But that could be an issue also. My > > > > concern is someone intentionally and maliciously creating a form to > > supply > > > > more parameters than originally intented by the developer. For > > instance, > > > > consider the UserForm fields: > > > > > > > > Name(available to enrollment & administrative interface) > > > > Address(available to enrollment & administrative interface) > > > > Phone(available to enrollment & administrative interface) > > > > Email(available to enrollment & administrative interface) > > > > ApprovedUserFlag(available to administrative interface only) > > > > AdministrativeUserFlag (available to administrative interface only) > > > > > > > > If a user knows your naming concention, they can write their own form to > > > > override the administrative-level fields above. > > > > > > > > - Original Message - > > > > From: "Anthony Martin" <[EMAIL PROTECTED]> > > > > To: <[EMAIL PROTECTED]> > > > > Sent: Monday, May 07, 2001 11:59 AM > > > > Subject: RE: Potential Security Flaw in Struts MVC > > > > > > > > > Jeff, > > > > > > > > > > Are you asking if book marking a URL that contains query parameters > > might > > > > be > > > > > a security risk? > > > > > > > > > > > > > > > Anthony > > > > > > > > > > -Original Message- > > > > > From: Jeff Trent [mailto:[EMAIL PROTECTED]] > > > > > Sent: Monday, May 07, 2001 8:37 AM > > > > > To: [EMAIL PROTECTED] > > > > > Subject: Potential Security Flaw in Struts MVC > > > > > > > > > > > > > > > I may be wrong about this (only been working w/ Struts for a week > > now). > > > > But > > > > > I do see a potential security flaw in struts that I would like to hear > > > > from > > > > > others regarding. > > > > > > > > > > Consider a simple set of struts classes that represent a user in a > > system. 
> > > > > You would probably have classes that look something like this: > > > > > User(the model representing the user) > > > > > UserForm
Re: Potential Security Flaw in Struts MVC
This is a bit off subject but since I'm in commentary-mode today I'll also mention it.

I need to give some background here first: As I mentioned in an earlier message, I worked on a fairly large web project (several million hits per day, tens of thousand user sessions per day). The app runs on 7 iPlanet web servers (Sun 420R) and 3 application servers (Sun 4500s) (formerly called Netscape Application Server - aka NAS). NAS load balances sessions & requests between the app servers in real time. As a result, Netscape advocates small as possible sessions sizes since session information is constantly being i/o'ed across the app servers.

What led me to Struts initially was the belief that Struts can help me take the drudgery out of creating multi-page wizards (very prevalent in the app). However, I was a little dismayed to learn that in order to accomplish this I need to rely heavily on session scoped (not request) beans. This would cause the app servers to spend an enormous amount of time communicating with one another.

Therefore, if I haven't reached my quota today, I'd like to suggest to management that there is a bean property (or something) that results in form fields being propagated across multiple pages of my request/form and are managed using hidden variables alone. This would be an alternative to using session scope but would accomplish the same thing. Again, all comments are welcome...

-jeff

----- Original Message -----
From: "Christian Cryder" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 1:52 PM
Subject: RE: Potential Security Flaw in Struts MVC

> I usually just lurk on this list, but I think I'll pipe in here.
>
> I think Curt raises a valid point, and it's one of my particular gripes
> about the webapp paradigm (certainly not Struts in general): every "action"
> that is represented by URL is accessible if you know the right information
> (or can guess it).
>
> Here's an example.
Let's say I have I have servlets (or JSPs, or whatever) > that do things like HireEmployee, FireEmployee, AdjustWages, PayBonus, etc. > Based on naming convention, if I have access to some of these functions > might very well be able to guess the names of others. So I have to build > security into each of these functions, to ensure that the user is authorized > to do the task. > > Now, for a simple app, this may not be too bad: just cut and paste the code > and you're on your way. As the application grows in complexity, however > (either in the number of functions that need to be validated, or the code > that does the validation, or both), it becomes increasingly easy to > introduce bugs into the system. The developer might miscode a particular > security check. Or he might forget to add security for a newly created > function. If you have a system with hundreds or thousands of secure > functions, the chances of making errors increases significantly if you are > duplicating code in all those places, and any mistake results in a security > hole within your app. > > Now, what are some possible strategies for dealing with this? > > Well, in JSP's you could probably do includes to reuse the same physical > piece of code, or in Servlets you could delegate to some kind of common > security function. Neither of these situations solves the scenario however > where the developer forgets to invoke the proper security measures (maybe > they're not aware of the proper security for a task, or maybe they just made > a mistake). The point is that even though you're using includes or calling a > common authorization method (thereby reducing the amount of lines of > duplicated code), you are still relying on all of the actions to make the > call in the first place. If you have a system with hundreds of functions, > what are the odds that as that systems grows (new functions added, security > policies modified, etc) mistakes will creep in? Pretty good, in my > experience. 
And in the webapp environment such security holes are often more > accessible to the world at large. > > What if you could define actions as belonging to a particular master class > of action. In other words, the example functions I gave above might all be a > subset of "MgrActions" or something like that? What would really be nice > would be for actions to be defined hierarchically, and to allow for > validations/authorization to be performed on a parent. So for instance, > rather than duplicating specific authorizations for HireEmployee, > FireEmployee, AdjustWages, PayBonus, it'd be nice to just write the > authorization code once for MgrActions, and know that it would automatically > get applied to any of the actions that "extend" the MgrAction. Then when you > add new actions, they would automatically "inherit" the security policies of > all their parent actions. If you need to modify security policies, you'd > only have to change the logic in one place. > > I have no idea how you would implement something like this in Strut
Re: Potential Security Flaw in Struts MVC
No, I can write a form locally and have the action run on your server...

----- Original Message -----
From: "Peter Alfors" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 1:56 PM
Subject: Re: Potential Security Flaw in Struts MVC

> Wouldn't the hacker have to get the new form class into the classpath of the
> server since all of the code runs server side?
>
>
> Jeff Trent wrote:
>
> > That is not what my thinking was. But that could be an issue also. My
> > concern is someone intentionally and maliciously creating a form to supply
> > more parameters than originally intended by the developer. For instance,
> > consider the UserForm fields:
> >
> > Name (available to enrollment & administrative interface)
> > Address (available to enrollment & administrative interface)
> > Phone (available to enrollment & administrative interface)
> > Email (available to enrollment & administrative interface)
> > ApprovedUserFlag (available to administrative interface only)
> > AdministrativeUserFlag (available to administrative interface only)
> >
> > If a user knows your naming convention, they can write their own form to
> > override the administrative-level fields above.
> >
> > ----- Original Message -----
> > From: "Anthony Martin" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, May 07, 2001 11:59 AM
> > Subject: RE: Potential Security Flaw in Struts MVC
> >
> > > Jeff,
> > >
> > > Are you asking if bookmarking a URL that contains query parameters might be
> > > a security risk?
> > >
> > >
> > > Anthony
> > >
> > > -----Original Message-----
> > > From: Jeff Trent [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, May 07, 2001 8:37 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Potential Security Flaw in Struts MVC
> > >
> > >
> > > I may be wrong about this (only been working w/ Struts for a week now). But
> > > I do see a potential security flaw in struts that I would like to hear from
> > > others regarding.
> > > > > > Consider a simple set of struts classes that represent a user in a system. > > > You would probably have classes that look something like this: > > > User(the model representing the user) > > > UserForm(an enrollment form for a new user) > > > UserAction(Saves the UserForm information to db, etc) > > > > > > The User class would have accessors and modifiers like getFirstName(), > > > setFirstName(), getAdministrativeUserFlag(), setAdministrativeUserFlag(), > > > etc. The basic implementation of the UserForm is to take the UI form > > data, > > > introspect the beans, and call the correct modifier of the UserForm bean > > > based on the fields contained within the UI submission/form. A developer > > of > > > course would not expose the "Administrative User Flag" option on the UI > > for > > > enrollment (that would be found possibly in some other > > administrative-level > > > module). However, if someone is familiar with the db schema and the > > naming > > > convention the developer used, that user could subvert the application by > > > writing his own version of the UI which contains an "Administrative User > > > Flag" field (or any other field for that matter) and the basic form > > > processing in Struts will kindly honor the request and set the > > > "Administrative Flag" on the user. Unless, of course, the developer makes > > > special provisions to prevent this behavior. However, its not entirely > > > obvious to the struts user (in my opinion) that this is even a concern. > > Am > > > I making sense here? > > > > > > - jeff > > > >
Re: Potential Security Flaw in Struts MVC
I like it! I second this request totally! I too have been involved with large scale development projects and I can relate closely to what you are saying Chris.

A simple implementation could be a new derivation off of Action called SecurityAction with an abstract method called validate (not like the form validate). This validate checks to see if the action is valid for the current http request / context. If you want to become more adventurous, have a default implementation instead which uses the configuration properties.

- jeff

- Original Message -
From: "Christian Cryder" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 1:52 PM
Subject: RE: Potential Security Flaw in Struts MVC

> I usually just lurk on this list, but I think I'll pipe in here.
>
> I think Curt raises a valid point, and it's one of my particular gripes
> about the webapp paradigm (certainly not Struts in general): every "action"
> that is represented by URL is accessible if you know the right information
> (or can guess it).
>
> Here's an example. Let's say I have servlets (or JSPs, or whatever)
> that do things like HireEmployee, FireEmployee, AdjustWages, PayBonus, etc.
> Based on naming convention, if I have access to some of these functions I
> might very well be able to guess the names of others. So I have to build
> security into each of these functions, to ensure that the user is authorized
> to do the task.
>
> Now, for a simple app, this may not be too bad: just cut and paste the code
> and you're on your way. As the application grows in complexity, however
> (either in the number of functions that need to be validated, or the code
> that does the validation, or both), it becomes increasingly easy to
> introduce bugs into the system. The developer might miscode a particular
> security check. Or he might forget to add security for a newly created
> function. If you have a system with hundreds or thousands of secure
> functions, the chances of making errors increase significantly if you are
> duplicating code in all those places, and any mistake results in a security
> hole within your app.
>
> Now, what are some possible strategies for dealing with this?
>
> Well, in JSP's you could probably do includes to reuse the same physical
> piece of code, or in Servlets you could delegate to some kind of common
> security function. Neither of these situations solves the scenario however
> where the developer forgets to invoke the proper security measures (maybe
> they're not aware of the proper security for a task, or maybe they just made
> a mistake). The point is that even though you're using includes or calling a
> common authorization method (thereby reducing the amount of lines of
> duplicated code), you are still relying on all of the actions to make the
> call in the first place. If you have a system with hundreds of functions,
> what are the odds that as that system grows (new functions added, security
> policies modified, etc) mistakes will creep in? Pretty good, in my
> experience. And in the webapp environment such security holes are often more
> accessible to the world at large.
>
> What if you could define actions as belonging to a particular master class
> of action. In other words, the example functions I gave above might all be a
> subset of "MgrActions" or something like that? What would really be nice
> would be for actions to be defined hierarchically, and to allow for
> validations/authorization to be performed on a parent. So for instance,
> rather than duplicating specific authorizations for HireEmployee,
> FireEmployee, AdjustWages, PayBonus, it'd be nice to just write the
> authorization code once for MgrActions, and know that it would automatically
> get applied to any of the actions that "extend" the MgrAction. Then when you
> add new actions, they would automatically "inherit" the security policies of
> all their parent actions. If you need to modify security policies, you'd
> only have to change the logic in one place.
>
> I have no idea how you would implement something like this in Struts (or if
> it's even possible). In Barracuda, we were able to do this in our event
> model. When client requests come in, they are translated to events, and for
> every event that is dispatched, if that event implements a marker interface
> called Polymorphic, then all the Event's parent events will be dispatched
> first (since, after all, the target event "is an instance of" each of those
> parent events). This pattern works extremely well for implementing policies
> that apply to portions of an application. As the application evolves, you
> only have to make changes to authorization logic in one place; new actions
> automatically inherit their parents' policies; and if you ever need to add
> new policies (like say logging all the MgrAction events plus all the
> SrMgrAction events), all you have to do is change your event hierarchy and
> add new listener code for the newly defin
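Added example (not part of the thread, and not Struts or Barracuda code): a plain-Java model of the idea discussed above, where the authorization check lives in a base class and every action in a family inherits it. All class, method and role names are hypothetical; the dispatcher only accepts the secured base type and only calls its final execute(), so a newly added action cannot skip the check.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class SecuredActionDemo {

    /** Constructed stand-in for what an action sees of the request: who is calling. */
    public static final class RequestContext {
        final String user;
        final Set<String> roles;
        RequestContext(String user, String... roles) {
            this.user = user;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    /** Base type: execute() is final, so the check always runs before perform(). */
    public abstract static class SecuredAction {
        public final String execute(RequestContext ctx) {
            if (!isAuthorized(ctx)) {
                return "denied";
            }
            return perform(ctx);
        }
        /** Abstract on purpose: a new action family will not compile without a policy. */
        protected abstract boolean isAuthorized(RequestContext ctx);
        protected abstract String perform(RequestContext ctx);
    }

    /** Policy for every manager-level action, written once. */
    public abstract static class MgrAction extends SecuredAction {
        @Override protected boolean isAuthorized(RequestContext ctx) {
            return ctx.roles.contains("manager");
        }
    }

    /** Child family: keeps the parent policy and adds its own requirement. */
    public abstract static class SrMgrAction extends MgrAction {
        @Override protected boolean isAuthorized(RequestContext ctx) {
            return super.isAuthorized(ctx) && ctx.roles.contains("senior-manager");
        }
    }

    public static class HireEmployee extends MgrAction {
        @Override protected String perform(RequestContext ctx) { return "hired by " + ctx.user; }
    }

    public static class AdjustWages extends SrMgrAction {
        @Override protected String perform(RequestContext ctx) { return "wages adjusted by " + ctx.user; }
    }

    /** The dispatcher holds SecuredAction only, so unchecked actions cannot be registered. */
    static final Map<String, SecuredAction> ROUTES = new LinkedHashMap<>();
    static {
        ROUTES.put("/hireEmployee", new HireEmployee());
        ROUTES.put("/adjustWages", new AdjustWages());
    }

    static String dispatch(String path, RequestContext ctx) {
        SecuredAction action = ROUTES.get(path);
        return action == null ? "not found" : action.execute(ctx);
    }

    public static void main(String[] args) {
        RequestContext clerk = new RequestContext("clerk1", "employee");
        RequestContext mgr = new RequestContext("mgr1", "employee", "manager");
        RequestContext srMgr = new RequestContext("sr1", "employee", "manager", "senior-manager");

        // A guessed URL reaches the action, but the inherited check refuses it.
        System.out.println("clerk  /hireEmployee -> " + dispatch("/hireEmployee", clerk));
        System.out.println("mgr    /hireEmployee -> " + dispatch("/hireEmployee", mgr));
        System.out.println("mgr    /adjustWages  -> " + dispatch("/adjustWages", mgr));
        System.out.println("sr mgr /adjustWages  -> " + dispatch("/adjustWages", srMgr));
    }
}
```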
Re: Potential Security Flaw in Struts MVC
Bryan,

This is good advice. However, I thought the beans are populated off of the request outside of the control of my Action class derivation. Therefore, copyProperties() doesn't pertain.

- jeff

- Original Message -
From: Bryan Field-Elliot
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 1:14 PM
Subject: Re: Potential Security Flaw in Struts MVC

There is a security risk here as you describe, if (and only if) you are using a generic introspection-based function (like Struts' PropertyUtils.copyBean) to copy the values from the UserForm object to the User object. There are several ways to avoid this --

1. Don't put an admin flag "setter" method in your User class.
2. In UserAction, don't use the generic bean copy utility -- instead, manually copy the values, excluding the admin flag.
3. As a smarter alternative to #2, don't use a generic bean copy utility -- instead, write an intelligent copy function in the User class, which "knows" that it's copying FROM a UserForm, TO a User, and therefore, skip the copying of the Admin flag.

Bryan

Jeff Trent wrote:

> I may be wrong about this (only been working w/ Struts for a week now). But
> I do see a potential security flaw in struts that I would like to hear from
> others regarding.
>
> Consider a simple set of struts classes that represent a user in a system.
> You would probably have classes that look something like this:
> User (the model representing the user)
> UserForm (an enrollment form for a new user)
> UserAction (Saves the UserForm information to db, etc)
>
> The User class would have accessors and modifiers like getFirstName(),
> setFirstName(), getAdministrativeUserFlag(), setAdministrativeUserFlag(),
> etc. The basic implementation of the UserForm is to take the UI form data,
> introspect the beans, and call the correct modifier of the UserForm bean
> based on the fields contained within the UI submission/form. A developer of
> course would not expose the "Administrative User Flag" option on the UI for
> enrollment (that would be found possibly in some other administrative-level
> module). However, if someone is familiar with the db schema and the naming
> convention the developer used, that user could subvert the application by
> writing his own version of the UI which contains an "Administrative User
> Flag" field (or any other field for that matter) and the basic form
> processing in Struts will kindly honor the request and set the
> "Administrative Flag" on the user. Unless, of course, the developer makes
> special provisions to prevent this behavior. However, it's not entirely
> obvious to the struts user (in my opinion) that this is even a concern. Am
> I making sense here?
>
> - jeff
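Added example (not part of the thread, and not Struts code): the over-posting problem and the form-bean-plus-explicit-copy mitigation from the exchange above, shown with the JDK's own java.beans introspection. The populate() helper is a hypothetical stand-in for introspection-based form population, EnrollmentForm and toUser() are assumed names, and the request parameters are constructed sample input.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class FormBindingDemo {

    /** Model: carries a privilege flag that only an administrative screen may change. */
    public static class User {
        private String name, email;
        private boolean administrativeUserFlag;
        public String getName() { return name; }
        public void setName(String v) { name = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean getAdministrativeUserFlag() { return administrativeUserFlag; }
        public void setAdministrativeUserFlag(boolean v) { administrativeUserFlag = v; }
    }

    /** Enrollment form bean: has setters only for what the enrollment page may submit. */
    public static class EnrollmentForm {
        private String name, email;
        public String getName() { return name; }
        public void setName(String v) { name = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
    }

    /**
     * Hypothetical stand-in for introspection-based population: every parameter
     * whose name matches a writable String or boolean property is applied.
     * Returns the parameter names that were not applied, so they can be logged.
     */
    static List<String> populate(Object bean, Map<String, String> params) throws Exception {
        Map<String, PropertyDescriptor> writable = new LinkedHashMap<>();
        for (PropertyDescriptor pd :
                Introspector.getBeanInfo(bean.getClass(), Object.class).getPropertyDescriptors()) {
            if (pd.getWriteMethod() != null) {
                writable.put(pd.getName(), pd);
            }
        }
        List<String> unmatched = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            PropertyDescriptor pd = writable.get(e.getKey());
            if (pd == null) {
                unmatched.add(e.getKey());
                continue;
            }
            Method setter = pd.getWriteMethod();
            if (pd.getPropertyType() == boolean.class) {
                setter.invoke(bean, Boolean.parseBoolean(e.getValue()));
            } else if (pd.getPropertyType() == String.class) {
                setter.invoke(bean, e.getValue());
            } else {
                unmatched.add(e.getKey());
            }
        }
        return unmatched;
    }

    /** Explicit copy: each field is named, so privilege flags are never taken from the form. */
    static User toUser(EnrollmentForm form) {
        User u = new User();
        u.setName(form.getName());
        u.setEmail(form.getEmail());
        return u; // administrativeUserFlag keeps its default, false
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: two enrollment fields plus one the enrollment page never rendered.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "Pat Example");
        params.put("email", "pat@example.test");
        params.put("administrativeUserFlag", "true");

        // Risky: the model bean is bound straight to request parameters.
        User direct = new User();
        populate(direct, params);
        System.out.println("model bound directly:  admin=" + direct.getAdministrativeUserFlag());

        // Safer: bind a narrow form bean, then copy named fields into the model.
        EnrollmentForm form = new EnrollmentForm();
        List<String> unexpected = populate(form, params);
        User safe = toUser(form);
        System.out.println("form bean + copy:      admin=" + safe.getAdministrativeUserFlag());
        System.out.println("parameters to log:     " + unexpected);
    }
}
```

The list returned by populate() is worth logging in a real application: a parameter that no rendered form could have produced is a useful signal that someone is probing field names.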
Re: Potential Security Flaw in Struts MVC
Beyond the scope of my brain container class (maybe in a week or so I'll know how to translate what you just said in terms of what I know) :^>

- Original Message -
From: Jason Chaffee
To: '[EMAIL PROTECTED]'
Sent: Monday, May 07, 2001 1:28 PM
Subject: RE: Potential Security Flaw in Struts MVC

You can easily guard against this by using simple JavaBeans in the presentation layer and having your action class do the persistent storage from your JavaBean view layer.

-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 9:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC

That is not what my thinking was. But that could be an issue also. My concern is someone intentionally and maliciously creating a form to supply more parameters than originally intended by the developer. For instance, consider the UserForm fields:

Name (available to enrollment & administrative interface)
Address (available to enrollment & administrative interface)
Phone (available to enrollment & administrative interface)
Email (available to enrollment & administrative interface)
ApprovedUserFlag (available to administrative interface only)
AdministrativeUserFlag (available to administrative interface only)

If a user knows your naming convention, they can write their own form to override the administrative-level fields above.

- Original Message -
From: "Anthony Martin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 11:59 AM
Subject: RE: Potential Security Flaw in Struts MVC

> Jeff,
>
> Are you asking if bookmarking a URL that contains query parameters might be
> a security risk?
>
> Anthony
>
> -Original Message-
> From: Jeff Trent [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 8:37 AM
> To: [EMAIL PROTECTED]
> Subject: Potential Security Flaw in Struts MVC
>
> I may be wrong about this (only been working w/ Struts for a week now). But
> I do see a potential security flaw in struts that I would like to hear from
> others regarding.
>
> Consider a simple set of struts classes that represent a user in a system.
> You would probably have classes that look something like this:
> User (the model representing the user)
> UserForm (an enrollment form for a new user)
> UserAction (Saves the UserForm information to db, etc)
>
> The User class would have accessors and modifiers like getFirstName(),
> setFirstName(), getAdministrativeUserFlag(), setAdministrativeUserFlag(),
> etc. The basic implementation of the UserForm is to take the UI form data,
> introspect the beans, and call the correct modifier of the UserForm bean
> based on the fields contained within the UI submission/form. A developer of
> course would not expose the "Administrative User Flag" option on the UI for
> enrollment (that would be found possibly in some other administrative-level
> module). However, if someone is familiar with the db schema and the naming
> convention the developer used, that user could subvert the application by
> writing his own version of the UI which contains an "Administrative User
> Flag" field (or any other field for that matter) and the basic form
> processing in Struts will kindly honor the request and set the
> "Administrative Flag" on the user. Unless, of course, the developer makes
> special provisions to prevent this behavior. However, it's not entirely
> obvious to the struts user (in my opinion) that this is even a concern. Am
> I making sense here?
>
> - jeff
Re: Potential Security Flaw in Struts MVC
Depends. He would have a session if he has enrolled already...

- Original Message -
From: Hogan, John
To: '[EMAIL PROTECTED]'
Sent: Monday, May 07, 2001 1:09 PM
Subject: RE: Potential Security Flaw in Struts MVC

Wouldn't this not be a concern because the user would never be in the session on the target server?

-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 11:37 AM
To: [EMAIL PROTECTED]
Subject: Potential Security Flaw in Struts MVC

I may be wrong about this (only been working w/ Struts for a week now). But I do see a potential security flaw in struts that I would like to hear from others regarding.

Consider a simple set of struts classes that represent a user in a system. You would probably have classes that look something like this:

User (the model representing the user)
UserForm (an enrollment form for a new user)
UserAction (Saves the UserForm information to db, etc)

The User class would have accessors and modifiers like getFirstName(), setFirstName(), getAdministrativeUserFlag(), setAdministrativeUserFlag(), etc. The basic implementation of the UserForm is to take the UI form data, introspect the beans, and call the correct modifier of the UserForm bean based on the fields contained within the UI submission/form. A developer of course would not expose the "Administrative User Flag" option on the UI for enrollment (that would be found possibly in some other administrative-level module). However, if someone is familiar with the db schema and the naming convention the developer used, that user could subvert the application by writing his own version of the UI which contains an "Administrative User Flag" field (or any other field for that matter) and the basic form processing in Struts will kindly honor the request and set the "Administrative Flag" on the user. Unless, of course, the developer makes special provisions to prevent this behavior. However, it's not entirely obvious to the struts user (in my opinion) that this is even a concern. Am I making sense here?

- jeff
Suggestion for Inclusion in HTML Bean
Can I suggest to any Struts developers listening that a new form tag called "static" be added which will simply return the current form value as static text...
Re: Potential Security Flaw in Struts MVC
Curt,

I don't dispute what you're saying. However, to the casual struts user this fact may be easily overlooked and exploited by a hacker.

- jeff

- Original Message -
From: "Curt Hagenlocher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 12:10 PM
Subject: RE: Potential Security Flaw in Struts MVC

> > However, if someone is familiar with the db schema and the
> > naming convention the developer used, that user could subvert
> > the application by writing his own version of the UI which
> > contains an "Administrative User Flag" field (or any other
> > field for that matter) and the basic form processing in
> > Struts will kindly honor the request and set the
> > "Administrative Flag" on the user. Unless, of course, the
> > developer makes special provisions to prevent this behavior.
>
> Creating a secure web application means that *every* HTTP
> request should be checked for validity. Any data that comes
> from the client is suspect. This is no more or less true
> with Struts than without it.
>
> --
> Curt Hagenlocher
> [EMAIL PROTECTED]
Re: Potential Security Flaw in Struts MVC
That is not what my thinking was. But that could be an issue also. My concern is someone intentionally and maliciously creating a form to supply more parameters than originally intended by the developer. For instance, consider the UserForm fields:

Name (available to enrollment & administrative interface)
Address (available to enrollment & administrative interface)
Phone (available to enrollment & administrative interface)
Email (available to enrollment & administrative interface)
ApprovedUserFlag (available to administrative interface only)
AdministrativeUserFlag (available to administrative interface only)

If a user knows your naming convention, they can write their own form to override the administrative-level fields above.

- Original Message -
From: "Anthony Martin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 11:59 AM
Subject: RE: Potential Security Flaw in Struts MVC

> Jeff,
>
> Are you asking if bookmarking a URL that contains query parameters might be
> a security risk?
>
> Anthony
>
> -Original Message-
> From: Jeff Trent [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 8:37 AM
> To: [EMAIL PROTECTED]
> Subject: Potential Security Flaw in Struts MVC
>
> I may be wrong about this (only been working w/ Struts for a week now). But
> I do see a potential security flaw in struts that I would like to hear from
> others regarding.
>
> Consider a simple set of struts classes that represent a user in a system.
> You would probably have classes that look something like this:
> User (the model representing the user)
> UserForm (an enrollment form for a new user)
> UserAction (Saves the UserForm information to db, etc)
>
> The User class would have accessors and modifiers like getFirstName(),
> setFirstName(), getAdministrativeUserFlag(), setAdministrativeUserFlag(),
> etc. The basic implementation of the UserForm is to take the UI form data,
> introspect the beans, and call the correct modifier of the UserForm bean
> based on the fields contained within the UI submission/form. A developer of
> course would not expose the "Administrative User Flag" option on the UI for
> enrollment (that would be found possibly in some other administrative-level
> module). However, if someone is familiar with the db schema and the naming
> convention the developer used, that user could subvert the application by
> writing his own version of the UI which contains an "Administrative User
> Flag" field (or any other field for that matter) and the basic form
> processing in Struts will kindly honor the request and set the
> "Administrative Flag" on the user. Unless, of course, the developer makes
> special provisions to prevent this behavior. However, it's not entirely
> obvious to the struts user (in my opinion) that this is even a concern. Am
> I making sense here?
>
> - jeff
Potential Security Flaw in Struts MVC
I may be wrong about this (only been working w/ Struts for a week now). But I do see a potential security flaw in struts that I would like to hear from others regarding.

Consider a simple set of struts classes that represent a user in a system. You would probably have classes that look something like this:

User (the model representing the user)
UserForm (an enrollment form for a new user)
UserAction (Saves the UserForm information to db, etc)

The User class would have accessors and modifiers like getFirstName(), setFirstName(), getAdministrativeUserFlag(), setAdministrativeUserFlag(), etc. The basic implementation of the UserForm is to take the UI form data, introspect the beans, and call the correct modifier of the UserForm bean based on the fields contained within the UI submission/form. A developer of course would not expose the "Administrative User Flag" option on the UI for enrollment (that would be found possibly in some other administrative-level module). However, if someone is familiar with the db schema and the naming convention the developer used, that user could subvert the application by writing his own version of the UI which contains an "Administrative User Flag" field (or any other field for that matter) and the basic form processing in Struts will kindly honor the request and set the "Administrative Flag" on the user. Unless, of course, the developer makes special provisions to prevent this behavior. However, it's not entirely obvious to the struts user (in my opinion) that this is even a concern. Am I making sense here?

- jeff
Re: locating .properties files
I have the same problem ... I need to keep the properties file in two places or else something gets wacked. Haven't had the patience to research it any further...

- Original Message -
From: Jason Chaffee
To: '[EMAIL PROTECTED]'
Sent: Thursday, May 03, 2001 7:36 PM
Subject: RE: locating .properties files

You shouldn't be adding WEB-INF/classes to your classpath. This should be running as a web app. You should have the following in your deployment descriptor and you should have ApplicationResources.properties in the WEB-INF/classes directory:

ActionServlet org.apache.struts.action.ActionServlet application ApplicationResources config /WEB-INF/struts-config.xml locale true null false 1

-Original Message-
From: Nigel Ainslie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 03, 2001 4:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: locating .properties files

Hi Scott,

I work with Matt. Thanks for the response. We have located the properties file in WEB-INF/classes both at that directory level and at the directory that the classes reside in (WEB-INF/classes/sub-directory/actualcode.class) but we still get the same error. Even tried adding $TOMCAT HOME.WEB-INF/classes to the classpath to no avail. Is there some subtlety that we are missing?

Regards
Nige

-Original Message-
From: Scott Walter [mailto:[EMAIL PROTECTED]]
Sent: Friday, 4 May 2001 7:18
To: [EMAIL PROTECTED]
Subject: Re: locating .properties files

You should just have to put it somewhere in the classpath (i.e. web-inf/classes)

scott.

--- Matthew O'Haire <[EMAIL PROTECTED]> wrote:
>
> Where should I put .properties file(s) in my WAR ?
>
> Should they be in the application .jar (where I put the classes that use the
> properties files, ie. the helpers used to implement the struts Actions), or
> in the META-INF somewhere?
>
> When I run the application under Forte it works fine with the .properties in
> the META-INF/Classes directory, but once I've packed it up as a WAR it
> doesn't run. I'm getting an application generated runtime exception stating
> that the properties file was not found...
>
> I'm using the following code to locate and load the .properties:
>
>     Properties p = new Properties();
>     InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream("datasource.properties");
>     if (is == null) {
>         throw new RuntimeException("ConnectionFactory: could not find 'datasource.properties' configuration file");
>     }
>     p.load(is);
>
> Any assistance would be greatly appreciated.
>
> Thanks,
> Matt.
Re: Override the presentation of html:errors
Yes, this helps. I need to next research how to do that ;^)

- Original Message -
From: Natra, Uday
To: '[EMAIL PROTECTED]'
Sent: Tuesday, May 01, 2001 9:39 PM
Subject: RE: Override the presentation of html:errors

When U add Ur errors to the ActionErrors Collection in the perform() method of the Action class, an object of type ActionErrors is saved in the request with a key name "ERROR_KEY". There is a method on the ActionErrors class called "get()" that returns an Iterator for a collection of ActionError objects. You can use the Struts iterator tag to display the errors in Ur own manner. Hope this helps.

Thanks,
Uday.

-Original Message-
From: Jason Chaffee [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 01, 2001 5:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Override the presentation of html:errors

The best way to handle errors is to name them separately and then access each one individually in your jsp. See the Java docs for more info on error handling. It covers this approach quite well.

-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 01, 2001 1:36 PM
To: [EMAIL PROTECTED]
Subject: Override the presentation of html:errors

Short of writing my own taglib (which I'd like to avoid if I can), how does one iterate over the errors collection to present them in a different way. Any examples would be helpful...

Thanks,
Jeff
Override the presentation of html:errors
Short of writing my own taglib (which I'd like to avoid if I can), how does one iterate over the errors collection to present them in a different way. Any examples would be helpful... Thanks, Jeff
What is the suggested style for including maxlength & size parameters in a form
For example, I find this style to be somewhat objectionable. Is there a better way?
Re: wizard style example, anywhere?
I followed the wizard example source code (see below) but I have a problem in that my Form data gets recycled between pages of the wizard. In other words, if I click next on page 1, then click prev on page 2, my form data disappears from page 1. Why is this happening? Also, it appears that the Form object always exists in the Action class. The example that comes with Struts shows conditional logic that populates either the request or session attribute in the case where the form is null.

- Jeff

I use something like the following in my struts-config.xml file:

In page1.jsp I declare the following buttons:

Page2.jsp:

Page3.jsp

Page4.jsp

In my SignupForm.java I define all fields for each page. Then I have a switch statement in the validate method to validate the data for each page:

    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request)
    {
        ActionErrors errors = new ActionErrors();
        switch (page)
        {
            case 1:
                // Validate fields on page 1
                break;
            case 2:
                ///
        }
        return errors;
    }

Finally in the SignupAction.java I check for which button was pressed and return the next or previous page:

    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException
    {
        HttpSession session = request.getSession();
        SignupForm signupform = (SignupForm) form;
        int page = signupform.getPage();
        String label = request.getParameter("submit");
        if (label != null)
        {
            if ("<< Prev".equals(label))       // Previous was pressed
            {
                return mapping.findForward("page"+(page-1));
            }
            else if ("Next >>".equals(label))  // Next was pressed
            {
                return mapping.findForward("page"+(page+1));
            }
            else if ("Finish".equals(label))   // Finished was pressed
            {
                // Do finish work, add data to database, whatever
            }
        .
        return(mapping.findForward("success"));

I'm new to struts (about 2 weeks now). I tried to find examples but couldn't find any. So I hacked out this. Perhaps if someone has a better way we can all learn something new. I hope this helps.

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 24, 2001 9:51 AM
Subject: wizard style example, anywhere?

> Hello struts-users,
>
> I am very new to Struts (or JSP for that matter), and in need of
> some examples that I can get my hands on.
>
> Specifically, an application that uses "wizard" style, multiple-page
> input forms would be very nice. Couple of Struts documents I looked
> mention that Struts works well with wizard style application, but I get
> confused when it comes to writing struts-config.xml, JSPs that share
> the same ActionForm or Action, etc.. I gotta see it working before I
> start building mine.
>
> Good examples, anywhere, anyone?
>
> thanks,
>
> - kazumi
How to embed bean:message within a template
Newbie here. Just wondering how to accomplish this using templates. Can't seem to get the bean to evaluate the message text... Suggestions? I tried direct on & off but no luck.

Thanks,
Jeff
Looking for struts sample demonstrating multi paged wizards
Can anyone point me in the right direction for finding a sample app built on struts that demonstrates multi-paged wizards supporting previous, next, finish type actions for each page along the way?

Thanks,
Jeff