ApplicationException sample

2005-07-18 Thread Rivka Shisman
Hi all,

 

Can someone please attach a sample of an ApplicationException,
BaseException & SystemException classes?

An example of catching them in an Action class will be very helpful too.

 

 

Thanks a lot

Rivka

 

**
The contents of this email and any attachments are confidential.
They are intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  
the 
sender immediately and do not disclose the contents to anyone or make copies.

** eSafe scanned this email for viruses, vandals and malicious content. **
**

Re: [OT] Cross-site scripting filters

2005-07-18 Thread Craig McClanahan
On 7/18/05, Laurie Harper <[EMAIL PROTECTED]> wrote:
> Ed Griebel wrote:
> > So it seems like you want to a) render untrusted HTML, and b) render
> > secure html. Sounds like the basic requirement is at odds? You could
> > do something like slashdot and other BB systems do: restrict the
> > amount of valid markup to make your parsing job easier.
> 
> Ultimately, restricting allowed markup helps but doesn't make the hard
> cases much easier :-) You're right that (a) and (b) conflict somewhat,
> though. But think about something like Google Mail: it needs to be able to
> display as much of a user's mail as possible whilst still remaining secure
> against XSS attacks.

I would imagine pretty much any blogging software that allows
restricted HTML in comments (or pretty much any Wiki software that
accepts some HTML for formatting, for that matter) has dealt with this
kind of issue.  Might be worth spelunking open source versions of
those projects for ideas.

Craig

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Laurie Harper

Ed Griebel wrote:

So it seems like you want to a) render untrusted HTML, and b) render
secure html. Sounds like the basic requirement is at odds? You could
do something like slashdot and other BB systems do: restrict the
amount of valid markup to make your parsing job easier.


Ultimately, restricting allowed markup helps but doesn't make the hard 
cases much easier :-) You're right that (a) and (b) conflict somewhat, 
though. But think about something like Google Mail: it needs to be able to 
display as much of a user's mail as possible whilst still remaining secure 
against XSS attacks.


Actually, I'm not sure if gmail *does* support showing HTML formatted email 
off hand, but you see what I mean.



Another idea, one single regexp won't do it, but have you thought of
making multiple passes through the data as a check? You could xlate
unicode, remove line splits, perform xml entity substitution, etc.,
then if it "passes", store the original html page as entered. I'm


I'm not sure I want ever to store a modified copy, but the multi-pass regex 
approach is valid in any case. It's probably the best way to go if you're 
not willing to use a complete HTML+CSS parser in your XSS filter.



guessing that your requirement is to store and re-present the original
markup as entered :-)


Pretty much, sans XSS hacks, of course :-)


Also, have you tried doing some research into what the PHP world does
to prevent it? It might give a good point of reference for Java.


I spent a little time hunting around in the PHP world today, though I've 
yet to find anything particularly useful. Most of the implementations I've 
looked at so far do a fairly minimal job to defeat just the most common 
sorts of attack.


L.


-ed

On 7/18/05, Laurie Harper <[EMAIL PROTECTED]> wrote:


Frank W. Zammetti wrote:


Yeah, wouldn't help you filter on output, but I pointer that out before :)


True enough :)



Note that it does allow you to specify your own regex, so in reality you
can filter for whatever you want.  I did this specifically so when
someone spots something I didn't think of it's easy to make it catch
those too.


The trouble is, I doubt it would be possible to construct a single regex
that did a robust job -- including handling of character references (as in
my example), differing syntax rules in embedded CSS, browser's recombining
keywords like 'javascript' that are split over multiple lines, etc. etc...



FYI, while I find it ironic to reference a Microsoft resource on a
security exploit, they actually do have a decent little page about XSS...

http://support.microsoft.com/default.aspx?scid=kb;en-us;252985


The solutions it discusses, though, really don't help much when the
requirement is to render untrusted HTML. There's a lot more detail on
what's involved in some of the CERT advisories, for example:

http://www.cert.org/advisories/CA-2000-02.html
http://www.cert.org/tech_tips/malicious_code_mitigation.html

L.



Frank

Laurie Harper wrote:



Frank W. Zammetti wrote:



Not a problem...

http://javawebparts.sourceforge.net/javadocs/index.html

In the javawebparts.filter package, you should see the
CrossSiteScriptingFilter.

This will filter any incoming parameters, and optionally attributes
(good
for if your forwarding somewhere) for a list of characters (you can
alter
what it looks for via regex).




Ah, I initially skipped that package, thinking a servlet filter wasn't
really what I was after. Browsing through the code, it seems I was right.

For one thing, I want to filter text on output, not filter request
parameters on input. But more important, your filter only checks for
(and rejects) anything with a few particular characters -- all of
which are valid in most cases from an XSS-prevention standpoint.

For what it's worth, injecting XSS attacks through that filter is
pretty easy. For example, the following wouldn't be caught:

 

I'm hoping I can find something that addresses all the nefarious XSS
strategies out there. It's not easy to implement something that's
complete, especially when you try to deal with embedded CSS in the
HTML you're trying to sanitize...!

Thanks for the link though :-)





--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Name of the form

2005-07-18 Thread Ed Griebel
I ran into an issue similar to yours where I had a "search" form and a
"results" form. What I did was to use a nested form bean, with one
nested form bean being the search parameters, and another nested form
bean being the results. Both actions knew that the form was nested (as
did the two separate forms displayed in the jsp), but each only used
the nested form bean that it needed to know about, which made changes
to the nested forms and actions independant of the other form/action.
This was with POJO, not declared, form beans too. A variation on this
is to have a POJO action form extend another one. You should be able
to do this and preserve the data in both forms, but I havent' worked
much with doing this, I have had odd sporadic problems doing this in
early versions of 1.1.

This works when the two actions/forms are relatively coupled. If they
are not, you might want to think about using VOs instead of form beans
and storing them in the session, and using BeanUtils.copyProperties()
to move things from the form bean to/from the VO.

-ed

> N G wrote:
> > I need to instantiate a form that is not associated with my particular
> > action and place it on the request before forwarding...
> >
> > Right now I have to hardcode the name of the form as the key into the
> > request scope. I know that you can get the configured name of the form
> > that IS associated with your action by doing mapping.getAttribute().
> > However, how do I get the configured name of the form with just
> > knowing the fully qualified class name?
> >
> > Is there a way to do this?
> >
> > Are there any other suggestion as to how NOT to hardcode the name of the 
> > form.
> >
> > Thanks,
> > NG
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Ed Griebel
So it seems like you want to a) render untrusted HTML, and b) render
secure html. Sounds like the basic requirement is at odds? You could
do something like slashdot and other BB systems do: restrict the
amount of valid markup to make your parsing job easier.

Another idea, one single regexp won't do it, but have you thought of
making multiple passes through the data as a check? You could xlate
unicode, remove line splits, perform xml entity substitution, etc.,
then if it "passes", store the original html page as entered. I'm
guessing that your requirement is to store and re-present the original
markup as entered :-)

Also, have you tried doing some research into what the PHP world does
to prevent it? It might give a good point of reference for Java.

-ed

On 7/18/05, Laurie Harper <[EMAIL PROTECTED]> wrote:
> Frank W. Zammetti wrote:
> > Yeah, wouldn't help you filter on output, but I pointer that out before :)
> 
> True enough :)
> 
> > Note that it does allow you to specify your own regex, so in reality you
> > can filter for whatever you want.  I did this specifically so when
> > someone spots something I didn't think of it's easy to make it catch
> > those too.
> 
> The trouble is, I doubt it would be possible to construct a single regex
> that did a robust job -- including handling of character references (as in
> my example), differing syntax rules in embedded CSS, browser's recombining
> keywords like 'javascript' that are split over multiple lines, etc. etc...
> 
> > FYI, while I find it ironic to reference a Microsoft resource on a
> > security exploit, they actually do have a decent little page about XSS...
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;252985
> 
> The solutions it discusses, though, really don't help much when the
> requirement is to render untrusted HTML. There's a lot more detail on
> what's involved in some of the CERT advisories, for example:
> 
> http://www.cert.org/advisories/CA-2000-02.html
> http://www.cert.org/tech_tips/malicious_code_mitigation.html
> 
> L.
> 
> >
> > Frank
> >
> > Laurie Harper wrote:
> >
> >> Frank W. Zammetti wrote:
> >>
> >>> Not a problem...
> >>>
> >>> http://javawebparts.sourceforge.net/javadocs/index.html
> >>>
> >>> In the javawebparts.filter package, you should see the
> >>> CrossSiteScriptingFilter.
> >>>
> >>> This will filter any incoming parameters, and optionally attributes
> >>> (good
> >>> for if your forwarding somewhere) for a list of characters (you can
> >>> alter
> >>> what it looks for via regex).
> >>
> >>
> >>
> >> Ah, I initially skipped that package, thinking a servlet filter wasn't
> >> really what I was after. Browsing through the code, it seems I was right.
> >>
> >> For one thing, I want to filter text on output, not filter request
> >> parameters on input. But more important, your filter only checks for
> >> (and rejects) anything with a few particular characters -- all of
> >> which are valid in most cases from an XSS-prevention standpoint.
> >>
> >> For what it's worth, injecting XSS attacks through that filter is
> >> pretty easy. For example, the following wouldn't be caught:
> >>
> >>   
> >>
> >> I'm hoping I can find something that addresses all the nefarious XSS
> >> strategies out there. It's not easy to implement something that's
> >> complete, especially when you try to deal with embedded CSS in the
> >> HTML you're trying to sanitize...!
> >>
> >> Thanks for the link though :-)
> >
> >
> 
> 
> --
> Laurie, Open Source advocate, Java geek and novice blogger:
> http://www.holoweb.net/laurie
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Session-scoped ActionMessage

2005-07-18 Thread Yuniar Setiawan
Is there any way in Struts 1.1 to have session-scoped ActionMessage?


Re: Manually Instantiating Action classes

2005-07-18 Thread Ed Griebel
On 7/18/05, Frank W. Zammetti <[EMAIL PROTECTED]> wrote:
> I used to do a lot of this back when I wasn't as clear on why Actions
> shouldn't contain actual code (this started when I was using a custom
> framework my company build that had examples that didn't make it clear
> you shouldn't do this).
> 

Exactly what I've ran into as well! Most of the time I end up
refactoring almost all non-trivial logic into separate classes because
I have needed them elsewhere.

What the original poster may be able to get away with is making the
method public static in the action. It's a hack, but it will get you
running quickly. Once you get it tested and working it's easy to move
the method(s) to a helper class, espcially if you are using an IDE
that supports refactoring like Eclipse or IDEA. Don't make them static
if they depend on session or request state, as you'll shoot yourself
in the foot due to the implicit threading in the app server.

Good luck!
-ed

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Copying of properties vs. nested VO

2005-07-18 Thread netsql

Michael Jouravlev wrote:



I am not convinced that UI should be *that* different from domain
model.



+1.

Example: You make a html mock up an go to contract, then do ren *.html 
to *.jsp for prototype.

Beased on your approved prototype your most senior desigs a domain model!

Domain Model is more physical vs model model is more logical view. Ex: 
Customer has mutiple addresses in physical, but in logical it's just 
customer.


.V


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Copying of properties vs. nested VO

2005-07-18 Thread Michael Jouravlev
On 7/18/05, Adam Hardy <[EMAIL PROTECTED]> wrote:
> Michael Jouravlev on 18/07/05 20:52, wrote:
> > I am not convinced that UI should be *that* different from domain
> > model. Do you have examples?
> 
> I'm not sure that I can conjure up something convincing (being a techie
> myself!) because you have to be fairly good at useability implementation
> to be able to evangelise about it. However here goes with an example
> from a project I worked on for a travel company (one of many examples).
> 
> We were given UI mock-ups by the business analyst and one form was for
> contact details, including 3 telephone numbers (office, fax & mobile)
> each with 2 dropdowns (international dialling code and area dialling
> code). The business analyst had worked closely with the Data Architect
> without the benefit of an application designer.
> 
> The dropdowns affected useability because each choice of international
> dialling code forced a javascript event-driven page reload to fetch the
> corresponding area code dropdown. When javascript was declared optional,
> we then had to incorporate buttons to allow the user to call up the new
> dropdown content.
> 
> We started off having Hibernate disconnected DTOs nested right there in
> the actionForm - the model was the address DTO, which had a child phone
> number, which had a parent area code and a grandparent international
> dialling code.
> 
> In terms of /both/ useability /and/ implementation, it was a joke, yet
> it had to appear in multiple places on the website.
> 
> I wanted to change it to allow the user to type in the whole number in
> one field and then to write a validation algorithm to establish the
> international and area dialling codes, and then to redisplay the 3
> fields for edit, only if the algorithm failed.
> 
> However the project was underfunded and I didn't get time :(

You call this a good UI? Man, this is horrible. I don't blame you,
because you wanted to do the right thing, combining stuff together.
The idiots who think that choosing from endless comboboxes is easier
that to type a phone or a date or address directly, should be
procecuted by prohibiting them to do UI design forever. I hate this
design. Not as a developer, but as a user. Yuck.

Anyway, even with this design nothing prevents to use actual BO in the
session-scoped form, and to have three "transient" values outside the
BO. BO does not know or care how the phone number is combined. When
request is submitted, the actual phone is built from parts somewhere
in validate() or in the Action class. Then this real phone is
validated. If it is incorrect, page is redisplayed. The downside is
that validation can detect that area code is wrong, but it cannot tell
UI layer to correlate the error message to a particular combobox. On
the other hand, the whole point of comboboxes was to prevent errors
with area codes.

With nested BO you would have detached address with real phones, and
you would have (one "transient" "local phone" field and two
comboboxes) * times three. It would still work. I guess, indexed
properties could be used. I think, it is still better than copying
properties. You have business rules right there, and there is no need
to copy most of the properties. UI that you described is still close
to domain model: location(s) and corresponding phone numbers (cell
phone belongs to a virtual location with no physical address).

Michael.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Manually Instantiating Action classes

2005-07-18 Thread a k
I am going with the helper classes.
Thanks to all who replied!

On 7/18/05, Frank W. Zammetti <[EMAIL PROTECTED]> wrote:
> I used to do a lot of this back when I wasn't as clear on why Actions
> shouldn't contain actual code (this started when I was using a custom
> framework my company build that had examples that didn't make it clear
> you shouldn't do this).
> 
> One Action instantiating another I think is sometimes not a bad idea
> even today... why incur the overhead of rerunning the request processing
> cycle again?
> 
> That being said, I absolutely echo what everyone else said... moving it
> to another class is the first, best solution.
> 
> Frank
> 
> a k wrote:
> > In the process of writing an Action class, I realized that it needs
> > some application functionality (not general utility kinda
> > functionality) that is already part of a method in a different Action
> > class.
> >
> > So, Action MyAction1 needs to access method myMethod2 in Action
> > MyAction2. Here are the options that I could think of:
> >
> > 1. Instantiate the MyAction2 class manually and access the myMethod2.
> > 2. Create a Helper class and move the funcationality there so that
> > both the classes could use it.
> >
> > I cannot put this in a separate parent class and extend MyAction1 and
> > MyAction2 from it because I already have another Action class that all
> > Actions extend from and I would like to adhere to it...if possible.
> >
> > What is a better way in this scenario? In particular, is it bad to
> > manually instantiate Action classes?
> >
> > Thanks!
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> >
> >
> >
> 
> --
> Frank W. Zammetti
> Founder and Chief Software Architect
> Omnytex Technologies
> http://www.omnytex.com
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Name of the form

2005-07-18 Thread Glen Mazza
If you're doing "request.setAttribute("CLASS_NAME", myActionForm)" to 
store the form bean you should be able to call 
"request.getAttribute("CLASS_NAME")" to retrieve the myActionForm from 
your JSP.


However, I am not sure about the cleanest ways to access myActionForm 
from your JSP in this manner, so I will need to defer to others to 
answer this.  (If you could clarify precisely what you plan on doing 
with myActionForm within your JSP--e.g. which HTML objects you plan on 
populating with it--that may faciliate someone answering it.)


Glen


N G wrote:

I need to instantiate a form that is not associated with my particular
action and place it on the request before forwarding...

Right now I have to hardcode the name of the form as the key into the
request scope. I know that you can get the configured name of the form
that IS associated with your action by doing mapping.getAttribute().
However, how do I get the configured name of the form with just
knowing the fully qualified class name?

Is there a way to do this?

Are there any other suggestion as to how NOT to hardcode the name of the form.

Thanks,
NG

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Copying of properties vs. nested VO

2005-07-18 Thread Adam Hardy

Michael Jouravlev on 18/07/05 20:52, wrote:

On 7/18/05, Adam Hardy <[EMAIL PROTECTED]> wrote:


While the business domain is normally modelled using OO techniques, the
view or user interface should be modelled using human behaviour analysis
techniques that produce the best interface for users to get their work
done efficiently, reflecting their mental model of what is going on.


...

If you do [the business/UI shortcut] everywhere, you run the risk 
of forcing your users to learn the business domain OO model

which might be a huge leap away from their own mental model.



While I may agree that business model may differ from UI model, I
cannot agree with the idea that they *should* be different. The first
principle of OOP is that program objects reflect actual life objects.
Department, employee, order, order items, etc. These are things that
people work with, and these should be modeled by domain model.



For example, we have department and employees. Or an order and order
items. I think everyone would model it as Order-1:M-Item. What does a
user work with? Same order and order items. What does a user expect to
see? An order and items, corresponding to it.

Of course, there are reference tables/objects, there are additional
tables to ensure M:M relationship, there is a lot of plumbing behind.
But a user does not work with plubming objects, unless it is a
combobox with options.

For example, Outlook Express. We have Folders with typed items like
emails or news or forums. For each forum item there is a list of
messages. For messages there is view preferences, sort order, and
such. So, Folders and messages are definetely business objects. View
preferences... that depends, but considering that OE's data model is
specifically built for user interaction, view preferences can be
stored along with each forum/message list as business object.

I am not convinced that UI should be *that* different from domain
model. Do you have examples?


I'm not sure that I can conjure up something convincing (being a techie 
myself!) because you have to be fairly good at useability implementation 
to be able to evangelise about it. However here goes with an example 
from a project I worked on for a travel company (one of many examples).


We were given UI mock-ups by the business analyst and one form was for 
contact details, including 3 telephone numbers (office, fax & mobile) 
each with 2 dropdowns (international dialling code and area dialling 
code). The business analyst had worked closely with the Data Architect 
without the benefit of an application designer.


The dropdowns affected useability because each choice of international 
dialling code forced a javascript event-driven page reload to fetch the 
corresponding area code dropdown. When javascript was declared optional, 
we then had to incorporate buttons to allow the user to call up the new 
dropdown content.


We started off having Hibernate disconnected DTOs nested right there in 
the actionForm - the model was the address DTO, which had a child phone 
number, which had a parent area code and a grandparent international 
dialling code.


In terms of /both/ useability /and/ implementation, it was a joke, yet 
it had to appear in multiple places on the website.


I wanted to change it to allow the user to type in the whole number in 
one field and then to write a validation algorithm to establish the 
international and area dialling codes, and then to redisplay the 3 
fields for edit, only if the algorithm failed.


However the project was underfunded and I didn't get time :(





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Which version of Eclipse does current release of Struts support?

2005-07-18 Thread Dave Newton

Fei Jiangnan wrote:

I am newbie to struts, and tried current release of struts with 
Eclipse 3.1, they seems not working together, coule you please make me 
some sense from the versions between struts and eclipse?


What do you mean by "they don't work together?"

Dave



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Which version of Eclipse does current release of Struts support?

2005-07-18 Thread Fei Jiangnan

Hi there,

I am newbie to struts, and tried current release of struts with Eclipse 3.1, 
they seems not working together, coule you please make me some sense from 
the versions between struts and eclipse?


thanks in advance.

Fei



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Laurie Harper

Frank W. Zammetti wrote:

Yeah, wouldn't help you filter on output, but I pointer that out before :)


True enough :)

Note that it does allow you to specify your own regex, so in reality you 
can filter for whatever you want.  I did this specifically so when 
someone spots something I didn't think of it's easy to make it catch 
those too.


The trouble is, I doubt it would be possible to construct a single regex 
that did a robust job -- including handling of character references (as in 
my example), differing syntax rules in embedded CSS, browser's recombining 
keywords like 'javascript' that are split over multiple lines, etc. etc...


FYI, while I find it ironic to reference a Microsoft resource on a 
security exploit, they actually do have a decent little page about XSS...


http://support.microsoft.com/default.aspx?scid=kb;en-us;252985


The solutions it discusses, though, really don't help much when the 
requirement is to render untrusted HTML. There's a lot more detail on 
what's involved in some of the CERT advisories, for example:


http://www.cert.org/advisories/CA-2000-02.html
http://www.cert.org/tech_tips/malicious_code_mitigation.html

L.



Frank

Laurie Harper wrote:


Frank W. Zammetti wrote:


Not a problem...

http://javawebparts.sourceforge.net/javadocs/index.html

In the javawebparts.filter package, you should see the
CrossSiteScriptingFilter.

This will filter any incoming parameters, and optionally attributes 
(good
for if your forwarding somewhere) for a list of characters (you can 
alter

what it looks for via regex).




Ah, I initially skipped that package, thinking a servlet filter wasn't 
really what I was after. Browsing through the code, it seems I was right.


For one thing, I want to filter text on output, not filter request 
parameters on input. But more important, your filter only checks for 
(and rejects) anything with a few particular characters -- all of 
which are valid in most cases from an XSS-prevention standpoint.


For what it's worth, injecting XSS attacks through that filter is 
pretty easy. For example, the following wouldn't be caught:


  


I'm hoping I can find something that addresses all the nefarious XSS 
strategies out there. It's not easy to implement something that's 
complete, especially when you try to deal with embedded CSS in the 
HTML you're trying to sanitize...!


Thanks for the link though :-)






--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Laurie Harper

Craig McClanahan wrote:

While the code in question here might not help you, the concept of a
Filter still can.  You can use Filters to monitor (and potentially
modify) the output stream by providing a wrapper around the
HttpServletResponse that the container hands you, with custom
implementations of getOutputStream() and getWriter() that send their
output to a buffer instead of directly back to the client.  Then, when
the client returns, you can postprocess the buffer and weed out
anything you think is dangerous.

I think there's a sample filter to do GZIP compression in the Tomcat
releases, which you could use as a model of the overall architecture.


Yeah, I grok servlet filters OK ;-) The issue is that filtering the entire 
response is generally not too helpful for this: it'd disable all the 
dynamic functionality in the application that's *meant* to be there...!


What I need is to allow users to enter HTML markup through a text field for 
subsequent display as part of a page (think, for example, of a wiki or CMS 
solution). Only the untrusted data should be filtered, and the submitted 
HTML must render correctly after potential XSS insertion has been dealt with.


Cheers,

L.
--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Rick Reumann

Mike Elliott wrote the following on 7/18/2005 3:18 PM:


I came up with another solution which might be worthy of
consideration.  Instead of using arrays, extend a list with the
desired get( int ) method and use that list instead:

 public class SkillActionForm extends ActionForm {

  protected List skills = new LazyArrayList();

  public class LazyArrayList extends ArrayList {
 public Object get( int index ) {
while (size() <= index) add( new SkillBean()  );
return super.get( index );
 }
  }
  }

This is the solution I eventually adopted (successfully) but I have a
fondness for nested classes which others may not share.


I'm pretty sure what LazyList is doing similar stuff in the background, 
so I'm curious why you don't just use that?


http://wiki.apache.org/struts/StrutsCatalogLazyList

--
Rick

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Andrew Tomaka
I've stumbled across a similar problem that I'm trying to find the
Struts solution for.

I have a form which allows users to add a dynamic amount of rows (via
a button that says "Add Row") and then submit the form with as little
or many rows as they wish.  Can a form bean be setup using collections
instead of other object types?  What is the proper way to handle a
dynamic amount of the same data coming in to a Action?

~ Andrew Tomaka

On 7/18/05, Rick Reumann <[EMAIL PROTECTED]> wrote:
> Mike Elliott wrote the following on 7/18/2005 10:55 AM:
> 
> > I've been beating my head against this all weekend to no avail.  I
> > understand how to do this in session scope, but don't know if it's
> > even possible in request scope.
> >
> > As I understand things (which may be wrong), when the form is
> > submitted (in request scope) a new form bean is created and populated
> > with the values in the collection from the HTML form.  But, of course,
> > a newly created form won't know how many elements are in the form so
> > it can't pre-populate the collection with beans to be filled in.
> > Right?
> 
> I'm still not totally clear where the problem is, since I'm not sure
> what Session has to do with the initial setup of the form. It might help
> if you let us know what the exact problem is when using request scope...
> 
> 1) A problem when you submit the form and getting 'index' problems
> showing up in the logs?
> 
> 2) Is it making sure the nested structure is still there when validation
> fails?
> 
> I'm confused because you mention "But, of course, a newly created form
> won't know how many elements are in the form so it can't pre-populate
> the collection with beans to be filled in." This statement confused me
> because you seem to be implying it works when it's in Session which
> doesn't make sense since even with a Session scoped form you still need
> to some initial population somewhere.
> 
> Typically I feel you should always go to some sort of "setUp" action or
> dispatch method BEFORE you ever forward to a form. Initially you can
> often skip this step but later on there will be something you want to
> 'do' before you get to the form anyway so I find it good practice to go
> to a 'set up' first.
> 
> For the two problems listed above the link Naill posted is good
> http://wiki.apache.org/struts/StrutsCatalogLazyList (and I just recently
> added to that link the way I like to do it).
> 
> Let us know if you can't get it to work. I have to use Nested stuff all
> the time, so I'll be able to help.
> 
> --
> Rick
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Frank W. Zammetti
I have one as part of Java Web Parts
(http://javawebparts.sourceforge.net).  Let me know if it suits your needs
(and if not, let me know the shortcomings so I can expand it!)

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Mon, July 18, 2005 2:28 pm, Laurie Harper said:
> Does anyone know of a good, complete implementation of a cross-site
> scripting filter for pre-processing user entered text that needs to be
> rendered as HTML? Obviously  / ${fn:escapeXml()} / etc. aren't the
> right solution ;-) but there's nothing in standard JSTL or Struts (that I
> know of) that is.
>
> Any pointers appreciated!
>
> L.
> --
> Laurie, Open Source advocate, Java geek and novice blogger:
> http://www.holoweb.net/laurie
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Mike Elliott
On 7/18/05, Rick Reumann <[EMAIL PROTECTED]> wrote:

> I'm still not totally clear where the problem is, since I'm not sure
> what Session has to do with the initial setup of the form.

The difference is unobvious, I admit, but this is what I was thinking
of:  If I use a session bean, I can do some sort of setup (from an
Action) on its initial creation, including creating the list of
contained objects.  That can't happen if it's in request scope because
there is no chance to invoke the setup before the bean is populated
from the request.

> 1) A problem when you submit the form and getting 'index' problems
> showing up in the logs?

More than showing up, the submit was trying to populate the bean with
indexed properties but the list containing the indexed properties was
of size zero.  The
answer to the problem was given by the previous posters.  Thanks guys.  

What made the difference was the Wiki page section (BeanUtils Indexed
Properties Issue) pointing out that there is a bug in JDK 1.4 which
prevents the solution of writing your own getXXX( int ndx ) property. 
I had done that (in desperation) and when that didn't work either, I
threw up my hands and wrote the list.  I felt that it _should_ have
worked and when it didn't I just assumed my understanding of the
situation was inadequate and gave up.  I'm delighted to find out that
the problem is in the implementation and not in my mental picture of
how this whole thing works.
 
> I'm confused because you mention "But, of course, a newly created form
> won't know how many elements are in the form so it can't pre-populate
> the collection with beans to be filled in." This statement confused me
> because you seem to be implying it works when it's in Session which
> doesn't make sense since even with a Session scoped form you still need
> to some initial population somewhere.

But you can do that once, before all this other stuff takes place.  I
realize that wasn't an obvious inference but that's what I meant.

> Typically I feel you should always go to some sort of "setUp" action or
> dispatch method BEFORE you ever forward to a form.

But doesn't that go away in request scope when the form is submitted
back to the Action?  Doesn't a new form get created and populated from
the HTML?  It sure looks like that's what's happening to me.

> For the two problems listed above the link Naill posted is good
> http://wiki.apache.org/struts/StrutsCatalogLazyList (and I just recently
> added to that link the way I like to do it).

I came up with another solution which might be worthy of
consideration.  Instead of using arrays, extend a list with the
desired get( int ) method and use that list instead:

 public class SkillActionForm extends ActionForm {

  protected List skills = new LazyArrayList();

  public class LazyArrayList extends ArrayList {
 public Object get( int index ) {
while (size() <= index) add( new SkillBean()  );
return super.get( index );
 }
  }
  }

This is the solution I eventually adopted (successfully) but I have a
fondness for nested classes which others may not share.

Anyway, thanks to all, I've gotten past the problem with an increased
understanding of the intricacies of this here Struts stuff.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Rick Reumann

Andrew Tomaka wrote the following on 7/18/2005 2:13 PM:


I have a form which allows users to add a dynamic amount of rows (via
a button that says "Add Row") and then submit the form with as little
or many rows as they wish.  Can a form bean be setup using collections
instead of other object types?  What is the proper way to handle a
dynamic amount of the same data coming in to a Action?


I think to set this up where the user can add as many as they wish 
you'll have to do some DHTML stuff where you will be writing out the new 
elements using javascript. You'll probably have to keep track of what's 
in the currentDiv and append to it when they click "add new"


You'll need a counter of the 'currentIndex' and you'll end up writing 
javascript to write to a div that will make the elements like...


write( currentDivContents + "propety='yourList["+curIndex+"].firstName'/>");


Of course make sure for your "yourList" that you use an approach like

http://wiki.apache.org/struts/StrutsCatalogLazyList

An easier approach might be to only allow them to enter a fixed amount 
at a time, say five or so. After they submit they could enter more. This 
would cut down on the amount of javascript.


And yes in either scenario you set up your ActionForm to use a property 
of type List that would hold your Collection of beans.


--
Rick

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Manually Instantiating Action classes

2005-07-18 Thread Frank W. Zammetti
I used to do a lot of this back when I wasn't as clear on why Actions 
shouldn't contain actual code (this started when I was using a custom 
framework my company build that had examples that didn't make it clear 
you shouldn't do this).


One Action instantiating another I think is sometimes not a bad idea 
even today... why incur the overhead of rerunning the request processing 
cycle again?


That being said, I absolutely echo what everyone else said... moving it 
to another class is the first, best solution.


Frank

a k wrote:

In the process of writing an Action class, I realized that it needs
some application functionality (not general utility kinda
functionality) that is already part of a method in a different Action
class.

So, Action MyAction1 needs to access method myMethod2 in Action
MyAction2. Here are the options that I could think of:

1. Instantiate the MyAction2 class manually and access the myMethod2.
2. Create a Helper class and move the funcationality there so that
both the classes could use it.

I cannot put this in a separate parent class and extend MyAction1 and
MyAction2 from it because I already have another Action class that all
Actions extend from and I would like to adhere to it...if possible.

What is a better way in this scenario? In particular, is it bad to
manually instantiate Action classes?

Thanks!

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]







--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Copying of properties vs. nested VO

2005-07-18 Thread Michael Jouravlev
Anyone in the mood to kick the dead horse again? I decided to compare
two approaches to use/update data from Struts. I am obviously biased
towards nested VO/BO, so maybe I left something out.

[I] Property copying

This one seems to be the default and "officially endorsed" Struts practice.

1) Create/Load data.
Workflow:
* To use existing data it is loaded from database into BO/VO, then
BO/VO properties are copied to action form.
* To create new data nothing special is performed, action form is just
cleaned if it has session scope.

Notes:
* BO/VO usually has strongly typed properties.
* Validation is usually performed in the action form.
* Intermediate data is flying around action form/request/response.
* Because of double data copying (from database to BO/VO, then from
BO/VO to action form) it is tempting to avoid BO/VO altogether or to
make it as dumb as possible. Thus, this approach usually uses
struct-type VO instead of behavioral BO.

2) Modify data

Current data is kept in the action form, usually having request scope.

Notes:
* Request-scoped action forms do not allow to use two-phase request processing

3) Store data

Workflow:
* Data is validated in the action form first, then copied to BO/VO
* BO/VO validates business rules
* BO/VO is stored in the database

Notes:
* Business rules are validated after data is copied from action form
to BO/VO; inefficient.
* In this approach BO/VO is usually treated like a persistent object
(EJB-style), that is modifications to BO/VO are immediately reflected
in database.


[II] Using nested BO/VO

1) Create/Load data.
Workflow:
* To use existing data it is loaded from database into BO/VO; this
BO/VO is detached from database, that is all changes to it do not
affect persistent data.
* To enter new data a new instance of BO/VO is created; it is detached
as well. ID/PK can be generated on this stage or is created on "store"
stage.
* BO/VO is kept in the session, or stored as nested object in the
action form, which has session scope.

Notes:
* BO/VO usually has string properties or double-type properties:
string/strong. Another choice is to define action form's setters as
string, and to set BO data from within them.
* Validation is performed partly by the BO/VO, and partly by the action form.
* Intermediate data is kept in the BO/VO; transient data is kept in
the action form.
* This approach better supports OO model; enforces usage of a real BO
with behavioral methods.

2) Modify data

Current data is kept in the BO nested in the action form; action form
has session scope. HTML form can either use/set nested properties
directly, or use action form's setters/getters, which convert data and
set it in the nested BO.

3) Store data

Workflow:
* Transient data is validated by the action form.
* Business data is validated by nested BO
* BO/VO is stored in the database

Two major questions is where to perform validation and type
conversion. One opinion is to perform validation and type conversion
in an action form, and to have strongly typed VOs. Another is to have
string- or string/strong properties for BO, which may provide better
flexibility for different web frameworks and clients (for web service,
WML, VoiceXML, non-Struts - most rules are in one place despite of
different UI).

Transient property may be stored in the BO to have all validation rules in BO.

Did I miss something or got something wrong?

Michael.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: submit form

2005-07-18 Thread Glen Mazza
Still, mnemonics are non-standard for web applications, no?  This 
doesn't seem right.


Glen

Niall Pemberton escribió:

The short and not v.helpful response is you can't submit  - its
just a JSP tag that renders a HTML  element and has nothing to do with
the submit process.

Some of the Struts tags have the "accesskey" attribute which defines a key
that can be used with the accelerator key (usually ALT) to invoke a form
control. So if you use the struts submit tag you could do something like...

  

Niall

- Original Message - 
From: "Sergey Livanov" <[EMAIL PROTECTED]>

Sent: Monday, July 18, 2005 8:36 PM




How can I submit html:form by pressing CTRL+S ?





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Rick Reumann

Michael Jouravlev wrote the following on 7/18/2005 3:59 PM:


ActionForm.reset() for session-scoped forms, ActionForm.ActionForm()
for request-scoped forms. I do not remeber, if reset() is called for
request-scoped forms.


Yes, reset is always called when the form submits. I know I mentioned in 
this in another post but I would disagree with repopulating your beans 
in the reset() UNLESS... you did adopt the whole ball of wax the way you 
have designed your stuff Michael. In other words if you go with your 
approach of the form beans doing other stuff than holding user input, 
than you can go ahead and mess with the reset doing that kind of stuff, 
but if Mike is sticking to 'typical' Struts than I wouldn't recommend 
repopulating in the reset.



Why would you want to use request scope anyway? I use session scope
and I am pretty happy.


Well I could see for large forms with nested data it might not be a 
great idea to keep these around in the Session. I 'try' to stick to 
using the Request when I can but I don't bend over backwards like 
some do on this list to avoid the Session.. I'm in "The Session is  your 
friend" camp:). Request will work fine however for Mike's situation. He 
just needs to wrap his collection in his ActionForm around a LazyList 
(or he can use a regular list and do the handcranking approach of 
incrementing the size when needed in the getList property in his form. 
LazyList is cleaner, though).



--
Rick

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Frank W. Zammetti
And if you can't find that compression filter in Tomcat, JWP has one too 
:)  Does GZip and Deflate actualy :)


Frank

Craig McClanahan wrote:

On 7/18/05, Laurie Harper <[EMAIL PROTECTED]> wrote:


Frank W. Zammetti wrote:



Not a problem...

http://javawebparts.sourceforge.net/javadocs/index.html

In the javawebparts.filter package, you should see the
CrossSiteScriptingFilter.

This will filter any incoming parameters, and optionally attributes (good
for if your forwarding somewhere) for a list of characters (you can alter
what it looks for via regex).


Ah, I initially skipped that package, thinking a servlet filter wasn't
really what I was after. Browsing through the code, it seems I was right.




While the code in question here might not help you, the concept of a
Filter still can.  You can use Filters to monitor (and potentially
modify) the output stream by providing a wrapper around the
HttpServletResponse that the container hands you, with custom
implementations of getOutputStream() and getWriter() that send their
output to a buffer instead of directly back to the client.  Then, when
the client returns, you can postprocess the buffer and weed out
anything you think is dangerous.

I think there's a sample filter to do GZIP compression in the Tomcat
releases, which you could use as a model of the overall architecture.

Crag

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]







--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Frank W. Zammetti

Yeah, wouldn't help you filter on output, but I pointer that out before :)

Note that it does allow you to specify your own regex, so in reality you 
can filter for whatever you want.  I did this specifically so when 
someone spots something I didn't think of it's easy to make it catch 
those too.


FYI, while I find it ironic to reference a Microsoft resource on a 
security exploit, they actually do have a decent little page about XSS...


http://support.microsoft.com/default.aspx?scid=kb;en-us;252985

Frank

Laurie Harper wrote:

Frank W. Zammetti wrote:


Not a problem...

http://javawebparts.sourceforge.net/javadocs/index.html

In the javawebparts.filter package, you should see the
CrossSiteScriptingFilter.

This will filter any incoming parameters, and optionally attributes (good
for if your forwarding somewhere) for a list of characters (you can alter
what it looks for via regex).



Ah, I initially skipped that package, thinking a servlet filter wasn't 
really what I was after. Browsing through the code, it seems I was right.


For one thing, I want to filter text on output, not filter request 
parameters on input. But more important, your filter only checks for 
(and rejects) anything with a few particular characters -- all of which 
are valid in most cases from an XSS-prevention standpoint.


For what it's worth, injecting XSS attacks through that filter is pretty 
easy. For example, the following wouldn't be caught:


  

I'm hoping I can find something that addresses all the nefarious XSS 
strategies out there. It's not easy to implement something that's 
complete, especially when you try to deal with embedded CSS in the HTML 
you're trying to sanitize...!


Thanks for the link though :-)


--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[OT] Re: Copying of properties vs. nested VO

2005-07-18 Thread Dave Newton

Adam Hardy wrote:


Not all users can think like geeks!


And the (probably more important!) corollary: Most geeks can't think 
like users.


Dave



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Craig McClanahan
On 7/18/05, Laurie Harper <[EMAIL PROTECTED]> wrote:
> Frank W. Zammetti wrote:
> 
> > Not a problem...
> >
> > http://javawebparts.sourceforge.net/javadocs/index.html
> >
> > In the javawebparts.filter package, you should see the
> > CrossSiteScriptingFilter.
> >
> > This will filter any incoming parameters, and optionally attributes (good
> > for if your forwarding somewhere) for a list of characters (you can alter
> > what it looks for via regex).
> 
> Ah, I initially skipped that package, thinking a servlet filter wasn't
> really what I was after. Browsing through the code, it seems I was right.
> 

While the code in question here might not help you, the concept of a
Filter still can.  You can use Filters to monitor (and potentially
modify) the output stream by providing a wrapper around the
HttpServletResponse that the container hands you, with custom
implementations of getOutputStream() and getWriter() that send their
output to a buffer instead of directly back to the client.  Then, when
the client returns, you can postprocess the buffer and weed out
anything you think is dangerous.

I think there's a sample filter to do GZIP compression in the Tomcat
releases, which you could use as a model of the overall architecture.

Crag

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Michael Jouravlev
On 7/18/05, Mike Elliott <[EMAIL PROTECTED]> wrote:
> If I use a session bean, I can do some sort of setup (from an
> Action) on its initial creation, including creating the list of
> contained objects.  That can't happen if it's in request scope because
> there is no chance to invoke the setup before the bean is populated
> from the request.

ActionForm.reset() for session-scoped forms, ActionForm.ActionForm()
for request-scoped forms. I do not remeber, if reset() is called for
request-scoped forms.

Why would you want to use request scope anyway? I use session scope
and I am pretty happy.

Michael.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



AW: Manually Instantiating Action classes

2005-07-18 Thread Leon Rosenberg
 

> -Ursprüngliche Nachricht-
> Von: Michael Jouravlev [mailto:[EMAIL PROTECTED] 
> Gesendet: Montag, 18. Juli 2005 23:36
> An: Struts Users Mailing List
> Betreff: Re: Manually Instantiating Action classes
> 
> On 7/18/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> > First choice action hierarchy
> > Second choice helper classes
> > Or maybe a good combination of both :-)
> 
> Chaining? ;-)


Sure, why not, but I think this is an implementation detail;
first he has to decide which way to go, then, how to get there :-)

Regards
Leon



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



AW: Manually Instantiating Action classes

2005-07-18 Thread Leon Rosenberg
 

> -Ursprüngliche Nachricht-
> Von: Michael Jouravlev [mailto:[EMAIL PROTECTED] 
> Gesendet: Montag, 18. Juli 2005 23:36
> An: Struts Users Mailing List
> Betreff: Re: Manually Instantiating Action classes
> 
> On 7/18/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> > First choice action hierarchy
> > Second choice helper classes
> > Or maybe a good combination of both :-)
> 
> Chaining? ;-)


Sure, why not, but I think this is an implementation detail;
first he has to decide which way to go, then, how to get there :-)

Regards
Leon



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Copying of properties vs. nested VO

2005-07-18 Thread Adam Hardy
Having a VO/BO with string- & strong-property getters and setters is 
IMHO a short cut through the UI / business domain interface.


While the business domain is normally modelled using OO techniques, the 
view or user interface should be modelled using human behaviour analysis 
techniques that produce the best interface for users to get their work 
done efficiently, reflecting their mental model of what is going on. If 
you want a good app, you really should do some decent user interface 
design work on it.


There would be an interface where business domain VOs / BOs are mapped 
onto user interface VOs via code.


Your short-cut can cut through this, but if you do it everywhere, you 
run the risk of forcing your users to learn the business domain OO model 
which might be a huge leap away from their own mental model. That would 
lead to an inefficient user interface where the users take much longer 
to get up to speed, if they manage it at all. Not all users can think 
like geeks!


Adam



Michael Jouravlev on 18/07/05 19:02, wrote:

Anyone in the mood to kick the dead horse again? I decided to compare
two approaches to use/update data from Struts. I am obviously biased
towards nested VO/BO, so maybe I left something out.

[I] Property copying

This one seems to be the default and "officially endorsed" Struts practice.

1) Create/Load data.
Workflow:
* To use existing data it is loaded from database into BO/VO, then
BO/VO properties are copied to action form.
* To create new data nothing special is performed, action form is just
cleaned if it has session scope.

Notes:
* BO/VO usually has strongly typed properties.
* Validation is usually performed in the action form.
* Intermediate data is flying around action form/request/response.
* Because of double data copying (from database to BO/VO, then from
BO/VO to action form) it is tempting to avoid BO/VO altogether or to
make it as dumb as possible. Thus, this approach usually uses
struct-type VO instead of behavioral BO.

2) Modify data

Current data is kept in the action form, usually having request scope.

Notes:
* Request-scoped action forms do not allow to use two-phase request processing

3) Store data

Workflow:
* Data is validated in the action form first, then copied to BO/VO
* BO/VO validates business rules
* BO/VO is stored in the database

Notes:
* Business rules are validated after data is copied from action form
to BO/VO; inefficient.
* In this approach BO/VO is usually treated like a persistent object
(EJB-style), that is modifications to BO/VO are immediately reflected
in database.


[II] Using nested BO/VO

1) Create/Load data.
Workflow:
* To use existing data it is loaded from database into BO/VO; this
BO/VO is detached from database, that is all changes to it do not
affect persistent data.
* To enter new data a new instance of BO/VO is created; it is detached
as well. ID/PK can be generated on this stage or is created on "store"
stage.
* BO/VO is kept in the session, or stored as nested object in the
action form, which has session scope.

Notes:
* BO/VO usually has string properties or double-type properties:
string/strong. Another choice is to define action form's setters as
string, and to set BO data from within them.
* Validation is performed partly by the BO/VO, and partly by the action form.
* Intermediate data is kept in the BO/VO; transient data is kept in
the action form.
* This approach better supports OO model; enforces usage of a real BO
with behavioral methods.

2) Modify data

Current data is kept in the BO nested in the action form; action form
has session scope. HTML form can either use/set nested properties
directly, or use action form's setters/getters, which convert data and
set it in the nested BO.

3) Store data

Workflow:
* Transient data is validated by the action form.
* Business data is validated by nested BO
* BO/VO is stored in the database

Two major questions is where to perform validation and type
conversion. One opinion is to perform validation and type conversion
in an action form, and to have strongly typed VOs. Another is to have
string- or string/strong properties for BO, which may provide better
flexibility for different web frameworks and clients (for web service,
WML, VoiceXML, non-Struts - most rules are in one place despite of
different UI).

Transient property may be stored in the BO to have all validation rules in BO.

Did I miss something or got something wrong?

Michael.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Frank W. Zammetti
Not a problem...

http://javawebparts.sourceforge.net/javadocs/index.html

In the javawebparts.filter package, you should see the
CrossSiteScriptingFilter.

This will filter any incoming parameters, and optionally attributes (good
for if your forwarding somewhere) for a list of characters (you can alter
what it looks for via regex).

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Mon, July 18, 2005 3:44 pm, Laurie Harper said:
> Thanks; I had a quick hunt through the Javadocs but couldn't see anything
> relevant. Can you give me a push in the right direction? ;-)
>
> L.
>
> Frank W. Zammetti wrote:
>
>> I have one as part of Java Web Parts
>> (http://javawebparts.sourceforge.net).  Let me know if it suits your
>> needs
>> (and if not, let me know the shortcomings so I can expand it!)
>>
>> --
>> Frank W. Zammetti
>> Founder and Chief Software Architect
>> Omnytex Technologies
>> http://www.omnytex.com
>>
>> On Mon, July 18, 2005 2:28 pm, Laurie Harper said:
>>
>>>Does anyone know of a good, complete implementation of a cross-site
>>>scripting filter for pre-processing user entered text that needs to be
>>>rendered as HTML? Obviously  / ${fn:escapeXml()} / etc. aren't
>>> the
>>>right solution ;-) but there's nothing in standard JSTL or Struts (that
>>> I
>>>know of) that is.
>>>
>>>Any pointers appreciated!
>>>
>>>L.
>>>--
>>>Laurie, Open Source advocate, Java geek and novice blogger:
>>>http://www.holoweb.net/laurie
>>>
>>>
>>>-
>>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>For additional commands, e-mail: [EMAIL PROTECTED]
>>>
>>>
>
>
> --
> Laurie, Open Source advocate, Java geek and novice blogger:
> http://www.holoweb.net/laurie
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Rick Reumann

Mike Elliott wrote the following on 7/18/2005 10:55 AM:


I've been beating my head against this all weekend to no avail.  I
understand how to do this in session scope, but don't know if it's
even possible in request scope.

As I understand things (which may be wrong), when the form is
submitted (in request scope) a new form bean is created and populated
with the values in the collection from the HTML form.  But, of course,
a newly created form won't know how many elements are in the form so
it can't pre-populate the collection with beans to be filled in. 
Right?


I'm still not totally clear where the problem is, since I'm not sure 
what Session has to do with the initial setup of the form. It might help 
if you let us know what the exact problem is when using request scope...


1) A problem when you submit the form and getting 'index' problems 
showing up in the logs?


2) Is it making sure the nested structure is still there when validation 
fails?


I'm confused because you mention "But, of course, a newly created form 
won't know how many elements are in the form so it can't pre-populate 
the collection with beans to be filled in." This statement confused me 
because you seem to be implying it works when it's in Session which 
doesn't make sense since even with a Session scoped form you still need 
to some initial population somewhere.


Typically I feel you should always go to some sort of "setUp" action or 
dispatch method BEFORE you ever forward to a form. Initially you can 
often skip this step but later on there will be something you want to 
'do' before you get to the form anyway so I find it good practice to go 
to a 'set up' first.


For the two problems listed above the link Naill posted is good 
http://wiki.apache.org/struts/StrutsCatalogLazyList (and I just recently 
added to that link the way I like to do it).


Let us know if you can't get it to work. I have to use Nested stuff all 
the time, so I'll be able to help.


--
Rick

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Copying of properties vs. nested VO

2005-07-18 Thread Michael Jouravlev
On 7/18/05, Adam Hardy <[EMAIL PROTECTED]> wrote:
> While the business domain is normally modelled using OO techniques, the
> view or user interface should be modelled using human behaviour analysis
> techniques that produce the best interface for users to get their work
> done efficiently, reflecting their mental model of what is going on.
...
> If you do [the business/UI shortcut] everywhere, you run the risk 
> of forcing your users to learn the business domain OO model
> which might be a huge leap away from their own mental model.

While I may agree that business model may differ from UI model, I
cannot agree with the idea that they *should* be different. The first
principle of OOP is that program objects reflect actual life objects.
Department, employee, order, order items, etc. These are things that
people work with, and these should be modeled by domain model.

For example, we have department and employees. Or an order and order
items. I think everyone would model it as Order-1:M-Item. What does a
user work with? Same order and order items. What does a user expect to
see? An order and items, corresponding to it.

Of course, there are reference tables/objects, there are additional
tables to ensure M:M relationship, there is a lot of plumbing behind.
But a user does not work with plubming objects, unless it is a
combobox with options.

For example, Outlook Express. We have Folders with typed items like
emails or news or forums. For each forum item there is a list of
messages. For messages there is view preferences, sort order, and
such. So, Folders and messages are definetely business objects. View
preferences... that depends, but considering that OE's data model is
specifically built for user interaction, view preferences can be
stored along with each forum/message list as business object.

I am not convinced that UI should be *that* different from domain
model. Do you have examples?

Michael.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Cancel and Populating...

2005-07-18 Thread Mariano Petrakovsky

  I have a Cancel Button in my page... when it's submit, populating error
occurs...
  In jsf, it's solutionated by the immediante attribute to false. How is in
struts?...

  (When Cancel, i want forward to another page... nothing more :) )

--
Mariano G. Petrakovsky
Programmer · Software Factory
AXG Tecnonexo -  www.tecnonexo.com

Development facilities:Av. Maipú 1252 8º (C1006ACT) · Buenos Aires ·
Argentina.
Tel.: (54-11) 4878-0005 - Fax: (54-11) 4878-0065.

Headquarters: 1604 Spring Hill Road, Suite 160 Vienna · VA 22182 · USA.
Tel.: (202) 986-7541 - Fax: (202) 787-3891.


· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · ·
· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · ·
· · · ·




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Michael Jouravlev
On 7/18/05, Mike Elliott <[EMAIL PROTECTED]> wrote:
> > Well I could see for large forms with nested data it might not be a
> > great idea to keep these around in the Session. I 'try' to stick to
> > using the Request when I can but I don't bend over backwards like
> > some do on this list to avoid the Session.. I'm in "The Session is  your
> > friend" camp:). Request will work fine however for Mike's situation. He
> > just needs to wrap his collection in his ActionForm around a LazyList
> > (or he can use a regular list and do the handcranking approach of
> > incrementing the size when needed in the getList property in his form.
> > LazyList is cleaner, though).
> 
> Request is required for my situation -- the user can have multiple
> versions of the same page active in the same session.  That's what
> drove me away from the 'working' session scope bean -- I had users who
> were messing up the session scoped bean by opening the same page
> multiple times and making modifications.

Wicket has versioning for situations like this. I am thinking, does it
make sense to create versioned action forms for Struts?

Michael.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: How do you create a Validator rule to compare 3 fields

2005-07-18 Thread Laurie Harper

Harland, David wrote:

I have three checkboxes that can all either be unchecked or only one can
be checked.

How do I create a Validator rule for this. I don't think it is possible
to do this neatly as I think you will always get more than one of the
same error message. Can someone please tell me if I am right.


You may be able to do what you want with validwhen, though it might get a 
bit hairy. If only one checkbox should be selected, maybe you could use 
radio buttons instead? Failing that, you may need to plug in your own 
custom validator (see [1] for details).



[1] http://struts.apache.org/userGuide/dev_validator.html


Thanks

Dave.

This e mail is from DLA Piper Rudnick Gray Cary UK LLP.
[... ad nauseum]


Sigh.

L.

--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Manually Instantiating Action classes

2005-07-18 Thread Michael Jouravlev
On 7/18/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> First choice action hierarchy
> Second choice helper classes
> Or maybe a good combination of both :-)

Chaining? ;-)

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Mike Elliott
> Well I could see for large forms with nested data it might not be a
> great idea to keep these around in the Session. I 'try' to stick to
> using the Request when I can but I don't bend over backwards like
> some do on this list to avoid the Session.. I'm in "The Session is  your
> friend" camp:). Request will work fine however for Mike's situation. He
> just needs to wrap his collection in his ActionForm around a LazyList
> (or he can use a regular list and do the handcranking approach of
> incrementing the size when needed in the getList property in his form.
> LazyList is cleaner, though).

Request is required for my situation -- the user can have multiple
versions of the same page active in the same session.  That's what
drove me away from the 'working' session scope bean -- I had users who
were messing up the session scoped bean by opening the same page
multiple times and making modifications.

I don't see LazyList as any cleaner.  You have to add one method in
either case.  With LazyList you have to implement Factory then add the
create() method.  Extending ArrayList you have to implement a new
get().  I'll stick with the latter.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Name of the form

2005-07-18 Thread N G
I need to instantiate a form that is not associated with my particular
action and place it on the request before forwarding...

Right now I have to hardcode the name of the form as the key into the
request scope. I know that you can get the configured name of the form
that IS associated with your action by doing mapping.getAttribute().
However, how do I get the configured name of the form with just
knowing the fully qualified class name?

Is there a way to do this?

Are there any other suggestion as to how NOT to hardcode the name of the form.

Thanks,
NG

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Laurie Harper
Thanks; I had a quick hunt through the Javadocs but couldn't see anything 
relevant. Can you give me a push in the right direction? ;-)


L.

Frank W. Zammetti wrote:


I have one as part of Java Web Parts
(http://javawebparts.sourceforge.net).  Let me know if it suits your needs
(and if not, let me know the shortcomings so I can expand it!)

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Mon, July 18, 2005 2:28 pm, Laurie Harper said:


Does anyone know of a good, complete implementation of a cross-site
scripting filter for pre-processing user entered text that needs to be
rendered as HTML? Obviously  / ${fn:escapeXml()} / etc. aren't the
right solution ;-) but there's nothing in standard JSTL or Struts (that I
know of) that is.

Any pointers appreciated!

L.
--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



submit form

2005-07-18 Thread Sergey Livanov

How can I submit html:form by pressing CTRL+S ?


-- 
regards,
 Sergey  mailto:[EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: submit form

2005-07-18 Thread Martin Gainty

Sergey try
"javascript:testKeyCode(evt)" onclick = "javascript:testKeyCode(evt)" />




Re: submit form

2005-07-18 Thread Niall Pemberton
The short and not v.helpful response is you can't submit  - its
just a JSP tag that renders a HTML  element and has nothing to do with
the submit process.

Some of the Struts tags have the "accesskey" attribute which defines a key
that can be used with the accelerator key (usually ALT) to invoke a form
control. So if you use the struts submit tag you could do something like...

  

Niall

- Original Message - 
From: "Sergey Livanov" <[EMAIL PROTECTED]>
Sent: Monday, July 18, 2005 8:36 PM


> How can I submit html:form by pressing CTRL+S ?



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Manually Instantiating Action classes

2005-07-18 Thread a k
In the process of writing an Action class, I realized that it needs
some application functionality (not general utility kinda
functionality) that is already part of a method in a different Action
class.

So, Action MyAction1 needs to access method myMethod2 in Action
MyAction2. Here are the options that I could think of:

1. Instantiate the MyAction2 class manually and access the myMethod2.
2. Create a Helper class and move the funcationality there so that
both the classes could use it.

I cannot put this in a separate parent class and extend MyAction1 and
MyAction2 from it because I already have another Action class that all
Actions extend from and I would like to adhere to it...if possible.

What is a better way in this scenario? In particular, is it bad to
manually instantiate Action classes?

Thanks!

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Michael Jouravlev
On 7/18/05, Rick Reumann <[EMAIL PROTECTED]> wrote:
> Michael Jouravlev wrote the following on 7/18/2005 3:59 PM:
> 
> > ActionForm.reset() for session-scoped forms, ActionForm.ActionForm()
> > for request-scoped forms. I do not remeber, if reset() is called for
> > request-scoped forms.
> 
> Yes, reset is always called when the form submits. I know I mentioned in
> this in another post but I would disagree with repopulating your beans
> in the reset() UNLESS... you did adopt the whole ball of wax the way you
> have designed your stuff Michael. In other words if you go with your
> approach of the form beans doing other stuff than holding user input,
> than you can go ahead and mess with the reset doing that kind of stuff,
> but if Mike is sticking to 'typical' Struts than I wouldn't recommend
> repopulating in the reset.

'Typical' is not always better. I am finishing rewriting Mail Reader
using my approach, and it looks much cleaner, at least to me ;) and is
more robust. I understand that having session objects opens a whole
can of worms related to garbage-collecting of abandoned objects, and
Struts does not have this facility. I saw a project which does just
that, but cannot find it now ;(

Michael.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [FRIDAY] What technology do you use for authentication and authorization?

2005-07-18 Thread Rick Reumann

Craig McClanahan wrote the following on 7/16/2005 1:03 AM:


For maximum positive benefit to the world, please cc your responses
both here


Asked someone on our team (not on the Struts list) who handles the 
authentication stuff for our applications and he came up with:


-
Here's my Servlet API wishlist for authentication:

* Standard support for custom authenticators:  To integrate with
SiteMinder, currently we use Tomcat's custom authenticator support which
is a bit of a "hack" (applying the nicest possible term).

* Standard way of accessing permission groups beyond "Roles":  We have a
custom JAAS login module to load account and access information from
various sources.  Currently to access data beyond the "Roles" group we
have to make a separate call after the user logs in because there is no
standard way of accessing other permission groups.

* +1 on self-registration and "remember me"


Beyond authentication:
* Async NIO support
* Standard FTPServlet
* Apache-style rewrite rules
--


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Manually Instantiating Action classes

2005-07-18 Thread Dave Newton

a k wrote:


What is a better way in this scenario? In particular, is it bad to
manually instantiate Action classes?
 

I don't know if it's "bad" per se, but if it's shared functionality then 
from an architectural standpoint I would think it'd better to move it 
into a helper class.


Dave



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Manually Instantiating Action classes

2005-07-18 Thread Leon Rosenberg
Agreed with dave, 
But maybe another point, 
You said you already have a class all actions extend, right?

Is it said somewhere that the actions can extend one class only? I mean, if
it's needed by the architecture, you can create a whole action hierarchy...
And if you'd need multiple inheritance - use delegates :-)

As to you another option, I know different people on this list like to
instantiate actions directly, but as for me, 
it's forbidden in my team, because it brings a lot of problems with
ressource sharing if you count to instantiate an action once, and do it
multiple times.

So in my opinion:
First choice action hierarchy
Second choice helper classes
Or maybe a good combination of both :-)

Regards
Leon

> -Ursprüngliche Nachricht-
> Von: Dave Newton [mailto:[EMAIL PROTECTED] 
> Gesendet: Montag, 18. Juli 2005 23:18
> An: Struts Users Mailing List
> Betreff: Re: Manually Instantiating Action classes
> 
> a k wrote:
> 
> >What is a better way in this scenario? In particular, is it bad to 
> >manually instantiate Action classes?
> >  
> >
> I don't know if it's "bad" per se, but if it's shared 
> functionality then from an architectural standpoint I would 
> think it'd better to move it into a helper class.
> 
> Dave
> 
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Manually Instantiating Action classes

2005-07-18 Thread Leon Rosenberg
Agreed with dave, 
But maybe another point, 
You said you already have a class all actions extend, right?

Is it said somewhere that the actions can extend one class only? I mean, if
it's needed by the architecture, you can create a whole action hierarchy...
And if you'd need multiple inheritance - use delegates :-)

As to you another option, I know different people on this list like to
instantiate actions directly, but as for me, 
it's forbidden in my team, because it brings a lot of problems with
ressource sharing if you count to instantiate an action once, and do it
multiple times.

So in my opinion:
First choice action hierarchy
Second choice helper classes
Or maybe a good combination of both :-)

Regards
Leon

> -Ursprüngliche Nachricht-
> Von: Dave Newton [mailto:[EMAIL PROTECTED] 
> Gesendet: Montag, 18. Juli 2005 23:18
> An: Struts Users Mailing List
> Betreff: Re: Manually Instantiating Action classes
> 
> a k wrote:
> 
> >What is a better way in this scenario? In particular, is it bad to 
> >manually instantiate Action classes?
> >  
> >
> I don't know if it's "bad" per se, but if it's shared 
> functionality then from an architectural standpoint I would 
> think it'd better to move it into a helper class.
> 
> Dave
> 
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[OT] Cross-site scripting filters

2005-07-18 Thread Laurie Harper
Does anyone know of a good, complete implementation of a cross-site 
scripting filter for pre-processing user entered text that needs to be 
rendered as HTML? Obviously  / ${fn:escapeXml()} / etc. aren't the 
right solution ;-) but there's nothing in standard JSTL or Struts (that I 
know of) that is.


Any pointers appreciated!

L.
--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Cancel and Populating...

2005-07-18 Thread Laurie Harper

Mariano Petrakovsky wrote:

  I have a Cancel Button in my page... when it's submit, populating error
occurs...
  In jsf, it's solutionated by the immediante attribute to false. How is in
struts?...

  (When Cancel, i want forward to another page... nothing more :) )


What error do you get on submit? Do you mean you get validation errors? If 
so and you're using he Validator framework, you can use  to 
render your cancel button, which will turn off validation when it's 
clicked. See:


http://struts.apache.org/userGuide/struts-html.html#cancel


· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · ·
· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · ·
· · · ·


Here are some more for your collection: . . . . . . .

:-)

--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Cancel and Populating...

2005-07-18 Thread Martin Gainty

Mariano-
I take you have already identified your ActionForwards with something like 
this in your struts-config.xml?


 
 

Saludos Cordiales,
M-
- Original Message - 
From: "Mariano Petrakovsky" <[EMAIL PROTECTED]>

To: "Lista de correo de Struts" 
Sent: Monday, July 18, 2005 2:52 PM
Subject: Cancel and Populating...




 I have a Cancel Button in my page... when it's submit, populating error
occurs...
 In jsf, it's solutionated by the immediante attribute to false. How is in
struts?...

 (When Cancel, i want forward to another page... nothing more :) )

--
Mariano G. Petrakovsky
Programmer · Software Factory
AXG Tecnonexo -  www.tecnonexo.com

Development facilities:Av. Maipú 1252 8º (C1006ACT) · Buenos Aires ·
Argentina.
Tel.: (54-11) 4878-0005 - Fax: (54-11) 4878-0065.

Headquarters: 1604 Spring Hill Road, Suite 160 Vienna · VA 22182 · USA.
Tel.: (202) 986-7541 - Fax: (202) 787-3891.


· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · 
·
· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · 
·

· · · ·




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: How do you create a Validator rule to compare 3 fields

2005-07-18 Thread Joe Germuska

At 1:36 PM -0400 7/18/05, Laurie Harper wrote:

Harland, David wrote:

I have three checkboxes that can all either be unchecked or only one can
be checked.

How do I create a Validator rule for this. I don't think it is possible
to do this neatly as I think you will always get more than one of the
same error message. Can someone please tell me if I am right.


You may be able to do what you want with validwhen, though it might 
get a bit hairy. If only one checkbox should be selected, maybe you 
could use radio buttons instead? Failing that, you may need to plug 
in your own custom validator (see [1] for details).


There is an open Bugzilla ticket which offers a powerful "expression" 
validator to Struts; it was written by one of my colleagues, and I 
think it's pretty hot stuff.  There are some discussions underway 
about the best way to add it to Struts right now, but in the 
meantime, if you were so motivated, you could pick your way through 
the ticket and apply the patches to your own project.


It works well and once you have it implemented, it's quite 
straightforward (much more so, in my opinion, than "validwhen" or 
"requiredif").  If you just create all the specified new classes in 
your project's own package space and add dependencies to a few 
things, you should be all set.


See http://issues.apache.org/bugzilla/show_bug.cgi?id=34849

Joe

--
Joe Germuska
[EMAIL PROTECTED]  
http://blog.germuska.com
"Narrow minds are weapons made for mass destruction"  -The Ex


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Cross-site scripting filters

2005-07-18 Thread Laurie Harper

Frank W. Zammetti wrote:


Not a problem...

http://javawebparts.sourceforge.net/javadocs/index.html

In the javawebparts.filter package, you should see the
CrossSiteScriptingFilter.

This will filter any incoming parameters, and optionally attributes (good
for if your forwarding somewhere) for a list of characters (you can alter
what it looks for via regex).


Ah, I initially skipped that package, thinking a servlet filter wasn't 
really what I was after. Browsing through the code, it seems I was right.


For one thing, I want to filter text on output, not filter request 
parameters on input. But more important, your filter only checks for (and 
rejects) anything with a few particular characters -- all of which are 
valid in most cases from an XSS-prevention standpoint.


For what it's worth, injecting XSS attacks through that filter is pretty 
easy. For example, the following wouldn't be caught:


  

I'm hoping I can find something that addresses all the nefarious XSS 
strategies out there. It's not easy to implement something that's complete, 
especially when you try to deal with embedded CSS in the HTML you're trying 
to sanitize...!


Thanks for the link though :-)
--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: instantiation of actionforms in session scope

2005-07-18 Thread BHansard

There could be several poteintal problems.

1)  make sure the JSP does not have the session=false page directive set.
2)  Make sure you are referencing the form using the same name as you have it defined in the struts config (remember capitalization does count).
3)  Make sure you are accessing the form from within the html:form tag and that the struts action specified in the form action has the expected form as the type in the struts config.


Martin Morawetz <[EMAIL PROTECTED]>








Martin Morawetz <[EMAIL PROTECTED]> 
07/18/2005 12:57 PM

Please respond to
"Struts Users Mailing List" 








To
user@struts.apache.org


cc



Subject
instantiation of actionforms in session scope








Hi to all,

I use a formbean within session-scope (declared in
struts-config.xml). However it behaves like it would
be within request-scope. Every new page it gets
instantiated again. I checked the sessionid and
it is every page the same, so I guess am within the
same http-session.

Does anyone have some ideas what the reason may be?

Every hint is highly appreciated.

--
Regards
Martin


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: How do you create a Validator rule to compare 3 fields

2005-07-18 Thread Jeff Beal
Have you considered using radio buttons instead of checkboxes?  From a
UI standpoint, I think that would make more sense.

That aside, I do not know of any easy way to do this sort of
validation using the Validator plugin.  I would override the validate
method in my action form for just those properties:

public class CustomForm extends ValidatorActionForm {

// Getters / setters

public ActionErrors validate(mapping, request) {
   ActionErrors errors = super.validate(mapping,request); // this will
use the Validator framework
  if (!checkbox1 && !checkbox2 && !checkbox3) return errors;
  if ((checkbox1 && (checkbox2 || checkbox3)) ||
 (checkbox2 && checkbox3) {
 // add an ActionError to errors here
  }
 return errors;
}

}

-- Jeff

On 7/18/05, Harland, David <[EMAIL PROTECTED]> wrote:
> I have three checkboxes that can all either be unchecked or only one can
> be checked.
> 
> How do I create a Validator rule for this. I don't think it is possible
> to do this neatly as I think you will always get more than one of the
> same error message. Can someone please tell me if I am right.
> 
> Thanks
> 
> Dave.
> 
> This e mail is from DLA Piper Rudnick Gray Cary UK LLP.
> 
> The contents of this email and any attachments are confidential to the 
> intended recipient. They may not be disclosed to or used by or copied in any 
> way by anyone other than the intended recipient. If this email is received in 
> error, please contact DLA Piper Rudnick Gray Cary UK LLP on +44 (0) 8700 
> 11 quoting the name of the sender and the email address to which it has 
> been sent and then delete it.
> 
> Please note that neither DLA Piper Rudnick Gray Cary UK LLP nor the sender 
> accept any responsibility for viruses and it is your responsibility to scan 
> or otherwise check this email and any attachments.
> 
> DLA Piper Rudnick Gray Cary UK LLP is a limited liability partnership 
> registered in England and Wales (registered number OC307847) which provides 
> services from offices in England, Belgium, Germany and the People's Republic 
> of China.  A list of members is open for inspection at its registered office 
> and principal place of business 3 Noble Street, London EC2V 7EE.  Partner 
> denotes member of a limited liability partnership.
> 
> DLA Piper Rudnick Gray Cary UK LLP is regulated by the Law Society and is a 
> member of DLA Piper Rudnick Gray Cary, a global legal services organisation, 
> the members of which are separate and distinct legal entities.  For further 
> information, please refer to www.dlapiper.com.
> 
> 
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: saving a DynaForm

2005-07-18 Thread Laurie Harper

Dewitte Rémi wrote:

Hello !
I uses LazyDynaForm to gather user results. 
Now I'd like to save those results. All persisence framework are for POJO, do 
you know a common solution ?

May I create a POJO to make the transition/link ?


It all depends on your requirements and what persistence technologies you 
want to use. As Martin said, your LazyDynaForms are Serializable so you can 
write them to an object stream as with any other Serializable class. Many 
persistence frameworks, including (most?) ORM tools can persist 
Serializable instances directly.


Your other option is to define a concrete POJO which you can map to 
persistent storage using your chosen solution and copy data from your 
LazyDyanForm into your POJO prior to persisting. BeanUtils can make it 
pretty trivial (sometimes as little as a single line of code) to manage the 
copying of data between form beans and POJOs.


If that doesn't help, you might want to post a more detailed description of 
what you want to do.


L.
--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: I need help running an example

2005-07-18 Thread Laurie Harper

Stéphane Zuckerman wrote:
First of all, you should understand that using JBoss, Tomcat (which 
implicitly is run under JBoss), or any other application server doesn't 
change anything. If you embed the right libraries (jar, ear, war, 
whatever), everything should work fine for your server. Anything else is 
a problem coming from your web app.


Not necessarily. The code snipet below is checking for an authenticated 
user's authroized roles. If the app is depending on contain managed 
security, it's dependant on vendor-specific configuration. Simply deploying 
the war file isn't enough to get it working.








 


This piece of code just means that if the role "Administrator" has been 
defined for the current user, then it should display the "submit" 
button. Otherwise, the submit does nothing.


Right. So you need to follow the documentation supplied with the 
application and/or look up the relevant info in the JBoss docs on setting 
up the required users and roles.


L.
--
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/laurie


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



instantiation of actionforms in session scope

2005-07-18 Thread Martin Morawetz

Hi to all,

I use a formbean within session-scope (declared in
struts-config.xml). However it behaves like it would
be within request-scope. Every new page it gets
instantiated again. I checked the sessionid and
it is every page the same, so I guess am within the
same http-session.

Does anyone have some ideas what the reason may be?

Every hint is highly appreciated.

--
Regards
Martin


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: How do you create a Validator rule to compare 3 fields

2005-07-18 Thread Glen Mazza
Pardon the non-answer (and I would encourage anyone who knows how to 
validate interdependent checkboxes to respond), but ordinarily using 
four radio buttons (the fourth being a "none" radio button, selected by 
default) would be the more standard GUI choice, and one for which you 
can forgo validation.


Still, if you go with validating & returning errors on checkboxes, note 
that checkbox state retention issues may need to be tended to, as 
described from page 123 of the Struts Survival Guide[1].


Glen

[1] http://www.objectsource.com/Struts_Survival_Guide.pdf



Harland, David wrote:


I have three checkboxes that can all either be unchecked or only one can
be checked.

How do I create a Validator rule for this. I don't think it is possible
to do this neatly as I think you will always get more than one of the
same error message. Can someone please tell me if I am right.

Thanks

Dave.

This e mail is from DLA Piper Rudnick Gray Cary UK LLP.

The contents of this email and any attachments are confidential to the intended 
recipient. They may not be disclosed to or used by or copied in any way by 
anyone other than the intended recipient. If this email is received in error, 
please contact DLA Piper Rudnick Gray Cary UK LLP on +44 (0) 8700 11 
quoting the name of the sender and the email address to which it has been sent 
and then delete it.

Please note that neither DLA Piper Rudnick Gray Cary UK LLP nor the sender accept any responsibility for viruses and it is your responsibility to scan or otherwise check this email and any attachments. 


DLA Piper Rudnick Gray Cary UK LLP is a limited liability partnership 
registered in England and Wales (registered number OC307847) which provides 
services from offices in England, Belgium, Germany and the People's Republic of 
China.  A list of members is open for inspection at its registered office and 
principal place of business 3 Noble Street, London EC2V 7EE.  Partner denotes 
member of a limited liability partnership.

DLA Piper Rudnick Gray Cary UK LLP is regulated by the Law Society and is a 
member of DLA Piper Rudnick Gray Cary, a global legal services organisation, 
the members of which are separate and distinct legal entities.  For further 
information, please refer to www.dlapiper.com.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Martin Gainty

Good Morning Mike
There are a Number of options for implementing with request scope and manual 
validation explained by Rick Reumann

http://www.reumann.net/struts/articles/request_lists.jsp

I think its worth noting what Thomas Edison said of  weekend warriors
"I have not failed. I've just found 10,000 ways that won't work."-- Thomas 
Edison


- Original Message - 
From: "Mike Elliott" <[EMAIL PROTECTED]>

To: "Struts Users Mailing List" 
Sent: Monday, July 18, 2005 10:55 AM
Subject: Re: Iterate over list in in list in form bean.


On 7/13/05, Jörg Eichhorn <[EMAIL PROTECTED]> wrote:


thanks for the hint and example. I've choosen the nested way to do this,
because i
think this makes the jsp code more readable.

I there a way to do the same using request scope?
When i do this i get an exception because the collection is not re-filled
anymore.


This is the same question I have, but of course I'm a week late in
asking it.  However, I noticed that no one answered  Jörg's version so
I'll ask it again:

 Is there a way to do the same using request scope?

I've been beating my head against this all weekend to no avail.  I
understand how to do this in session scope, but don't know if it's
even possible in request scope.

As I understand things (which may be wrong), when the form is
submitted (in request scope) a new form bean is created and populated
with the values in the collection from the HTML form.  But, of course,
a newly created form won't know how many elements are in the form so
it can't pre-populate the collection with beans to be filled in.
Right?  So following this path leads to wailing, lamentation, gnashing
of teeth, rending of clothes and utter frustration.  Right?

If there is simply no way to do this, I'd really appreciate someone
letting me know so that I'm put out of my misery.  And, if someone
could suggest a workaround, I'd be most welcome.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: basic struts question using a Map in an ActionForm

2005-07-18 Thread Craig McClanahan
On 7/18/05, Rick Reumann <[EMAIL PROTECTED]> wrote:

> To me, this is very confusing. Why doesn't the html:property tag perform
> the same kind of logic as JSTL does? I would think I should be able to
> just do...
> 
> 
> 
> and not need to create a new accessor method name and the odd syntax (x) ?
> 

This is likely to be an artifact that the expression language syntax
used by  and friends, inherited from Commons BeanUtils,
preceeded the existence of the expression language used in JSTL by a
couple of years.  JSTL's (and JSF's ... uses the same evaluation
engine) expression languages are much more powerful and complete.


> Rick

Craig

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Nested Bean Validation

2005-07-18 Thread Van
On 7/18/05, Scott Purcell <[EMAIL PROTECTED]> wrote:
> So my question is as follows:
> When using struts, is a nested bean common? And if so, how do you validate 
> just one bean from the parent?
> 
> eg: Lets say that the bean lets call it "checkout" and inside it has the 
> users shipping information. So that bean will be called "shippinginfo"
> So the bean checkout has a shippinginfo bean in it. Now when the user 
> navigates to the html form where he can update the shippinginfo, contents, I 
> need to validate the shippinginfo, that exists inside checkout.
> 
> Can this be done, and if so is this the clean way to accomplish my task. Up 
> until now, I have basically created one bean, per html form so this is kind 
> of new to me.

Yes. It is easy to do. You use the same property reference syntax for
nested bean properties in your validation.xml file that you would use
to populate form fields automatically for your nested bean properties
using the Struts html taglib. For example, here is partial
validation.xml form element definition that specifies that the "city"
property of the nested "shippinginfo" bean is a required property:





...


> 
> Thanks,
> Scott

-Van
-- 
- Mike "Van" Riper
  [EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Niall Pemberton
There are ways to resolve this, see this page on the wiki

http://wiki.apache.org/struts/StrutsCatalogLazyList

Niall

- Original Message - 
From: "Mike Elliott" <[EMAIL PROTECTED]>
Sent: Monday, July 18, 2005 3:55 PM


On 7/13/05, Jörg Eichhorn <[EMAIL PROTECTED]> wrote:

> thanks for the hint and example. I've choosen the nested way to do this,
> because i
> think this makes the jsp code more readable.
>
> I there a way to do the same using request scope?
> When i do this i get an exception because the collection is not re-filled
> anymore.

This is the same question I have, but of course I'm a week late in
asking it.  However, I noticed that no one answered  Jörg's version so
I'll ask it again:

  Is there a way to do the same using request scope?

I've been beating my head against this all weekend to no avail.  I
understand how to do this in session scope, but don't know if it's
even possible in request scope.

As I understand things (which may be wrong), when the form is
submitted (in request scope) a new form bean is created and populated
with the values in the collection from the HTML form.  But, of course,
a newly created form won't know how many elements are in the form so
it can't pre-populate the collection with beans to be filled in.
Right?  So following this path leads to wailing, lamentation, gnashing
of teeth, rending of clothes and utter frustration.  Right?

If there is simply no way to do this, I'd really appreciate someone
letting me know so that I'm put out of my misery.  And, if someone
could suggest a workaround, I'd be most welcome.



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: basic struts question using a Map in an ActionForm

2005-07-18 Thread Rick Reumann

Rick Reumann wrote the following on 7/14/2005 4:26 PM:

Rick Reumann wrote the following on 7/14/2005 4:20 PM:


 From the FAQ I'm going to try this in my ActionForm..


 public Object getStringMapped(String key) {
return map.get(key);
}

public void setStringMapped(String key, Object value) {
map.put(key, value);
}



When in doubt look at the docs:)

The above worked fine..and then...





In relation to the above, I'm curious what is going on behind the scenes 
(yea too lazy to look it up:), because I'm curious why the ActionForm 
doesn't behave like a regular POJO with JSTL.


For example... using JSTL and my POJO I'm doing this ..




YET, when I have to use this property in my form I need to create an 
extra getter "getMetadataMapped" and the property becomes...





To me, this is very confusing. Why doesn't the html:property tag perform 
the same kind of logic as JSTL does? I would think I should be able to 
just do...




and not need to create a new accessor method name and the odd syntax (x) ?



--
Rick

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Nested Bean Validation

2005-07-18 Thread Scott Purcell
Hello,

I would like some input into the following situation. I am diagraming a bean 
that will hold data for a checkout. Basically it will be a bean that will hold 
user_information, shipping_information, etc. So in effect the bean will hold 
other beans.

So my question is as follows:
When using struts, is a nested bean common? And if so, how do you validate just 
one bean from the parent?

eg: Lets say that the bean lets call it "checkout" and inside it has the users 
shipping information. So that bean will be called "shippinginfo"
So the bean checkout has a shippinginfo bean in it. Now when the user navigates 
to the html form where he can update the shippinginfo, contents, I need to 
validate the shippinginfo, that exists inside checkout.

Can this be done, and if so is this the clean way to accomplish my task. Up 
until now, I have basically created one bean, per html form so this is kind of 
new to me.

Thanks,
Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Calling validator rule direct from code

2005-07-18 Thread chhum
Thanks for this.  I think I’m going to have to go a bit outside of 
standard Struts functionality to do what I need to do but the validator 
is part of commons now of course so I can make code level calls that 
way.



Quoting Martin Gainty <[EMAIL PROTECTED]>:

> Good Morning Charles
> >From what I can gather there are 4 scenarios to instantiate a form
> and 
> handle validation
> http://mail-archives.apache.org/mod_mbox/struts-user/200407.mbox/%
[EMAIL PROTECTED]
> 
> If you decide to use option D) DynaValidatorForm then
> Take a look at Rick Reumann's site for example of usage
> http://www.reumann.net/struts/lesson3/step4.do
> HTH,
> Martin-
> 
> - Original Message - 
> From: <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" 
> Sent: Monday, July 18, 2005 7:11 AM
> Subject: Calling validator rule direct from code
> 
> 
> > Hi,
> >
> > Using Tomcat 5,   I have an application which builds a multipage
> web
> > form based on data from a database and user input.  I'd like to be
> able
> > to use the validtator to it but can't determine the required
> fields
> > until run time.  I was wondering how I could use the pre-build
> > validator rules in this situation.  It is possible to explicitly
> call a
> > validator rule directly from a servlet.For example suppose I
> wanted
> > to call the date validation rule passing it a string containing a
> date
> > field and a datePattern of mm/dd/.  Can this be done?  If so
> does
> > anyone have an example?  Or is there another way of solving this?
> >
> >
> > Thanks,
> >
> > Charles
> >
> >
> >
> -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Iterate over list in in list in form bean.

2005-07-18 Thread Mike Elliott
On 7/13/05, Jörg Eichhorn <[EMAIL PROTECTED]> wrote:

> thanks for the hint and example. I've choosen the nested way to do this,
> because i
> think this makes the jsp code more readable.
> 
> I there a way to do the same using request scope?
> When i do this i get an exception because the collection is not re-filled
> anymore.

This is the same question I have, but of course I'm a week late in
asking it.  However, I noticed that no one answered  Jörg's version so
I'll ask it again:

  Is there a way to do the same using request scope?

I've been beating my head against this all weekend to no avail.  I
understand how to do this in session scope, but don't know if it's
even possible in request scope.

As I understand things (which may be wrong), when the form is
submitted (in request scope) a new form bean is created and populated
with the values in the collection from the HTML form.  But, of course,
a newly created form won't know how many elements are in the form so
it can't pre-populate the collection with beans to be filled in. 
Right?  So following this path leads to wailing, lamentation, gnashing
of teeth, rending of clothes and utter frustration.  Right?

If there is simply no way to do this, I'd really appreciate someone
letting me know so that I'm put out of my misery.  And, if someone
could suggest a workaround, I'd be most welcome.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: saving a DynaForm

2005-07-18 Thread Martin Gainty

Rémi
The Base Class of LazyDynaForm is ActionForm .. to quote the doc on 
ActionForm
ActionForms are JavaBeans, subclasses should also implement Serializable, as 
required by the JavaBean specification
Implementing Serializable interface would effectively 'save' your 
LazyDynaForm attributes

Anyone else ??
Bon Chance,
Martin-
- Original Message - 
From: "Dewitte Rémi" <[EMAIL PROTECTED]>

To: "Struts Users Mailing List" 
Sent: Monday, July 18, 2005 11:41 AM
Subject: saving a DynaForm



Hello !
I uses LazyDynaForm to gather user results.
Now I'd like to save those results. All persisence framework are for POJO, 
do

you know a common solution ?
May I create a POJO to make the transition/link ?
Thanks

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Token element wrapped with a div tag

2005-07-18 Thread glenn . deschenes
Thanks Niall for your time and patience.

- Glenn



"Niall Pemberton" <[EMAIL PROTECTED]> 
18/07/2005 10:33 AM
Please respond to
"Struts Users Mailing List" 


To
"Struts Users Mailing List" 
cc

Subject
Re: Token element wrapped with a div tag






Sorry, my reply wasn't very verbose. That bug is fixed in Version 1.2.7 -
which is why you're seeing the  elements.

Generally we're not very good at actually "closing" bugs - once they're
marked as "RESOLVED" they don't generally get any more attention. So if 
you
see "RESOLVED FIXED" then it means its been done. Finding out whether a 
fix
has made it into a released version or is just currently in the current 
svn
repository is another matter. The release notes usually contain details of
fixed bugs so thats probably the easiest way, if you know the bug number.

http://struts.apache.org/userGuide/release-notes.html

Niall

- Original Message - 
From: <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" 
Sent: Monday, July 18, 2005 1:55 PM
Subject: Re: Token element wrapped with a div tag


> Thanks Niall.
>
> It did not occur to me to check the ASF Bugzilla for Struts [I will
> remember for the next time].
> I'm not familiar with the Status... since it is not yet closed.. this
> means that the bug is not yet fixed in version 1.2.7 ?
>
> - Glenn
>
>
> "Niall Pemberton" <[EMAIL PROTECTED]>
> 18/07/2005 08:38 AM
>
> http://issues.apache.org/bugzilla/show_bug.cgi?id=32016
>
> Niall
>
> - Original Message - 
> From: <[EMAIL PROTECTED]>
> Sent: Thursday, July 14, 2005 4:11 PM
>
>
> > Hi,
> >
> > Just curious as to why in the JSP the token is wrapped in a div tag?
> >
> >  > value="383952ea7a0093448e02f3f0d635865b">
> >
> > I'm using v1.2.7.
> >
> > Regards,
> > Glenn



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





How do you create a Validator rule to compare 3 fields

2005-07-18 Thread Harland, David
I have three checkboxes that can all either be unchecked or only one can
be checked.

How do I create a Validator rule for this. I don't think it is possible
to do this neatly as I think you will always get more than one of the
same error message. Can someone please tell me if I am right.

Thanks

Dave.

This e mail is from DLA Piper Rudnick Gray Cary UK LLP.

The contents of this email and any attachments are confidential to the intended 
recipient. They may not be disclosed to or used by or copied in any way by 
anyone other than the intended recipient. If this email is received in error, 
please contact DLA Piper Rudnick Gray Cary UK LLP on +44 (0) 8700 11 
quoting the name of the sender and the email address to which it has been sent 
and then delete it.

Please note that neither DLA Piper Rudnick Gray Cary UK LLP nor the sender 
accept any responsibility for viruses and it is your responsibility to scan or 
otherwise check this email and any attachments. 

DLA Piper Rudnick Gray Cary UK LLP is a limited liability partnership 
registered in England and Wales (registered number OC307847) which provides 
services from offices in England, Belgium, Germany and the People's Republic of 
China.  A list of members is open for inspection at its registered office and 
principal place of business 3 Noble Street, London EC2V 7EE.  Partner denotes 
member of a limited liability partnership.

DLA Piper Rudnick Gray Cary UK LLP is regulated by the Law Society and is a 
member of DLA Piper Rudnick Gray Cary, a global legal services organisation, 
the members of which are separate and distinct legal entities.  For further 
information, please refer to www.dlapiper.com.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Token element wrapped with a div tag

2005-07-18 Thread Niall Pemberton
Sorry, my reply wasn't very verbose. That bug is fixed in Version 1.2.7 -
which is why you're seeing the  elements.

Generally we're not very good at actually "closing" bugs - once they're
marked as "RESOLVED" they don't generally get any more attention. So if you
see "RESOLVED FIXED" then it means its been done. Finding out whether a fix
has made it into a released version or is just currently in the current svn
repository is another matter. The release notes usually contain details of
fixed bugs so thats probably the easiest way, if you know the bug number.

http://struts.apache.org/userGuide/release-notes.html

Niall

- Original Message - 
From: <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" 
Sent: Monday, July 18, 2005 1:55 PM
Subject: Re: Token element wrapped with a div tag


> Thanks Niall.
>
> It did not occur to me to check the ASF Bugzilla for Struts [I will
> remember for the next time].
> I'm not familiar with the Status... since it is not yet closed.. this
> means that the bug is not yet fixed in version 1.2.7 ?
>
> - Glenn
>
>
> "Niall Pemberton" <[EMAIL PROTECTED]>
> 18/07/2005 08:38 AM
>
> http://issues.apache.org/bugzilla/show_bug.cgi?id=32016
>
> Niall
>
> - Original Message - 
> From: <[EMAIL PROTECTED]>
> Sent: Thursday, July 14, 2005 4:11 PM
>
>
> > Hi,
> >
> > Just curious as to why in the JSP the token is wrapped in a div tag?
> >
> >  > value="383952ea7a0093448e02f3f0d635865b">
> >
> > I'm using v1.2.7.
> >
> > Regards,
> > Glenn



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: whats new with struts?? no beta for download

2005-07-18 Thread Niall Pemberton
1) Struts 1.2.x
==

There isn't a current beta to download, but we recently (May 2005) released
version 1.2.7 which has been classified as "ga" quality. Details of changes
since Version 1.2.4 are available in the release notes:

http://struts.apache.org/userGuide/release-notes.html

2) Struts 1.3.x
==

The current development version is Struts 1.3 which is provides a
RequestProcessor based on Commons Chain. Theres a couple of good articles on
Commons Chain written by Bill Siggelkow, with the second one describing how
Struts uses it:

http://www.onjava.com/pub/a/onjava/2005/03/02/commonchains.html
http://www.onjava.com/pub/a/onjava/2005/03/02/commonchains2.html

If you want to try 1.3 out, you can download a nightly build here

http://svn.apache.org/builds/struts/maven/trunk/nightly/

Hopefully, we will get round to pushing a beta version out soon - but none
of us know the timetable until someone actually gets round to doing it.

3) Shale
==

Shale is an alternative to "classic struts" - which is based on JSF. Details
can be found here:

http://struts.apache.org/shale/index.html

Shale hasn't yet been released, but there are nightlies you can download.


Niall

- Original Message - 
From: "Ashish Kulkarni" <[EMAIL PROTECTED]>
Sent: Monday, July 18, 2005 1:41 PM


> Hello
> I have been using struts for a while now, i did some
> upgrade to 1.2.4 few months ago(may be 6 i dont
> remmember) since then i was busy with some thing else
> so lost touch with whats happening in struts.
> I went to http://struts.apache.org to find out more
> and was surprized to see that there is no eta version
> for download?
> there where new stuff like shale (i guess is long time
> now) and integration with JSF,
> so why is there no beta available for download?
> when will be the next release of struts and what new
> things will be included in it
> Is there still a debate going on bewteen struts and
> JSF
> Ashish



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



saving a DynaForm

2005-07-18 Thread Dewitte Rémi
Hello !
I uses LazyDynaForm to gather user results. 
Now I'd like to save those results. All persisence framework are for POJO, do 
you know a common solution ?
May I create a POJO to make the transition/link ?
Thanks

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: whats new with struts?? no beta for download

2005-07-18 Thread Martin Gainty

Certainly Struts has a larger production base
But as JSF is built on a 'Page Controller Pattern' model instead of  'Action 
Controller Pattern'

(Component Action Handlers are supported)
I would encourage you to read Implementing in JSF vs Struts article 
available from Roland Barcia

http://websphere.sys-con.com/read/46516.htm
M-
- Original Message - 
From: "Ashish Kulkarni" <[EMAIL PROTECTED]>

To: 
Sent: Monday, July 18, 2005 8:41 AM
Subject: whats new with struts?? no beta for download



Hello
I have been using struts for a while now, i did some
upgrade to 1.2.4 few months ago(may be 6 i dont
remmember) since then i was busy with some thing else
so lost touch with whats happening in struts.
I went to http://struts.apache.org to find out more
and was surprized to see that there is no eta version
for download?
there where new stuff like shale (i guess is long time
now) and integration with JSF,
so why is there no beta available for download?
when will be the next release of struts and what new
things will be included in it
Is there still a debate going on bewteen struts and
JSF
Ashish

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: URL Encoding

2005-07-18 Thread Jeff Beal
Have you looked at the html:link tag?
(http://struts.apache.org/userGuide/struts-html.html#link)

Link text

On 7/18/05, Senthilrajan VS <[EMAIL PROTECTED]> wrote:
> Hi All,
> 
> I am calling the action directly using the hyper link, for example 
> /sample.do?table=test. The values for this action is generated dynamically. I 
> want to Encode this URL. Is there any way to encode this URL.
> 
> Thanks & Regards,
> SenthilRajan VS
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: whats new with struts?? no beta for download

2005-07-18 Thread Martin Gainty


- Original Message - 
From: "Ashish Kulkarni" <[EMAIL PROTECTED]>

To: 
Sent: Monday, July 18, 2005 8:41 AM
Subject: whats new with struts?? no beta for download



Hello
I have been using struts for a while now, i did some
upgrade to 1.2.4 few months ago(may be 6 i dont
remmember) since then i was busy with some thing else
so lost touch with whats happening in struts.
I went to http://struts.apache.org to find out more
and was surprized to see that there is no eta version
for download? 
there where new stuff like shale (i guess is long time
now) and integration with JSF, 
so why is there no beta available for download? 
when will be the next release of struts and what new

things will be included in it
Is there still a debate going on bewteen struts and
JSF
Ashish

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: whats new with struts?? no beta for download

2005-07-18 Thread netsql

Ashish Kulkarni wrote:

Hello
I have been using struts for a while now, 



when will be the next release of struts 



I belive that you have been using Struts for a while. That's why you 
know the answer to you question as to when.


You can get any version or variation of Struts using TurtoiseSVN anytime 
you want using direction on home page.


.V


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



ApplicationException sample

2005-07-18 Thread Rivka Shisman
Hi all,

 

Can someone please attach a good sample of an ApplicationException,
BaseException & ServiceException classes?

An example of catching them in an Action class will be very helpful too.

 

 

Thanks a lot

Rivka

 

**
The contents of this email and any attachments are confidential.
They are intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  
the 
sender immediately and do not disclose the contents to anyone or make copies.

** eSafe scanned this email for viruses, vandals and malicious content. **
**

Re: Token element wrapped with a div tag

2005-07-18 Thread glenn . deschenes
Thanks Niall.

It did not occur to me to check the ASF Bugzilla for Struts [I will 
remember for the next time].
I'm not familiar with the Status... since it is not yet closed.. this 
means that the bug is not yet fixed in version 1.2.7 ?

- Glenn




"Niall Pemberton" <[EMAIL PROTECTED]> 
18/07/2005 08:38 AM
Please respond to
"Struts Users Mailing List" 


To
"Struts Users Mailing List" 
cc

Subject
Re: Token element wrapped with a div tag






http://issues.apache.org/bugzilla/show_bug.cgi?id=32016

Niall

- Original Message - 
From: <[EMAIL PROTECTED]>
Sent: Thursday, July 14, 2005 4:11 PM


> Hi,
> 
> Just curious as to why in the JSP the token is wrapped in a div tag?
> 
>  value="383952ea7a0093448e02f3f0d635865b">
> 
> I'm using v1.2.7.
> 
> Regards,
> Glenn


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





whats new with struts?? no beta for download

2005-07-18 Thread Ashish Kulkarni
Hello
I have been using struts for a while now, i did some
upgrade to 1.2.4 few months ago(may be 6 i dont
remmember) since then i was busy with some thing else
so lost touch with whats happening in struts.
I went to http://struts.apache.org to find out more
and was surprized to see that there is no eta version
for download? 
there where new stuff like shale (i guess is long time
now) and integration with JSF, 
so why is there no beta available for download? 
when will be the next release of struts and what new
things will be included in it
Is there still a debate going on bewteen struts and
JSF
Ashish

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Calling validator rule direct from code

2005-07-18 Thread Martin Gainty

Good Morning Charles
From what I can gather there are 4 scenarios to instantiate a form and 

handle validation
http://mail-archives.apache.org/mod_mbox/struts-user/200407.mbox/[EMAIL 
PROTECTED]

If you decide to use option D) DynaValidatorForm then
Take a look at Rick Reumann's site for example of usage
http://www.reumann.net/struts/lesson3/step4.do
HTH,
Martin-

- Original Message - 
From: <[EMAIL PROTECTED]>

To: "Struts Users Mailing List" 
Sent: Monday, July 18, 2005 7:11 AM
Subject: Calling validator rule direct from code



Hi,

Using Tomcat 5,   I have an application which builds a multipage web
form based on data from a database and user input.  I'd like to be able
to use the validtator to it but can't determine the required fields
until run time.  I was wondering how I could use the pre-build
validator rules in this situation.  It is possible to explicitly call a
validator rule directly from a servlet.For example suppose I wanted
to call the date validation rule passing it a string containing a date
field and a datePattern of mm/dd/.  Can this be done?  If so does
anyone have an example?  Or is there another way of solving this?


Thanks,

Charles


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Token element wrapped with a div tag

2005-07-18 Thread Niall Pemberton
http://issues.apache.org/bugzilla/show_bug.cgi?id=32016

Niall

- Original Message - 
From: <[EMAIL PROTECTED]>
Sent: Thursday, July 14, 2005 4:11 PM


> Hi,
> 
> Just curious as to why in the JSP the token is wrapped in a div tag?
> 
>  value="383952ea7a0093448e02f3f0d635865b">
> 
> I'm using v1.2.7.
> 
> Regards,
> Glenn


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: I need help running an example

2005-07-18 Thread Stéphane Zuckerman

Mohamed,

First of all, you should understand that using JBoss, Tomcat (which 
implicitly is run under JBoss), or any other application server doesn't 
change anything. If you embed the right libraries (jar, ear, war, 
whatever), everything should work fine for your server. Anything else is 
a problem coming from your web app.








 


This piece of code just means that if the role "Administrator" has been 
defined for the current user, then it should display the "submit" 
button. Otherwise, the submit does nothing.


--
Stéphane Zuckerman

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Token element wrapped with a div tag

2005-07-18 Thread glenn . deschenes
This is the JSP code snippet:

   
   

Here is the HTML source:

   
   

Here is code in my Action class:
// set the synchronization token
String token = generateToken(request);
httpSession.setAttribute(Globals.TRANSACTION_TOKEN_KEY, token);

- Glenn



Laurie Harper <[EMAIL PROTECTED]> 
Sent by: news <[EMAIL PROTECTED]>
14/07/2005 06:29 PM
Please respond to
"Struts Users Mailing List" 


To
user@struts.apache.org
cc

Subject
Re: Token element wrapped with a div tag






[EMAIL PROTECTED] wrote:
> Just curious as to why in the JSP the token is wrapped in a div tag?
> 
>  value="383952ea7a0093448e02f3f0d635865b">
> 
> I'm using v1.2.7.

What does your JSP look like?

L.
-- 
Laurie, Open Source advocate, Java geek and novice blogger:
http://www.holoweb.net/~laurie/


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: URL Encoding

2005-07-18 Thread Yoge
Use  java.net.URLEncoder.encode method.


On 7/18/05, Senthilrajan VS <[EMAIL PROTECTED]> wrote:
> Hi All,
> 
> I am calling the action directly using the hyper link, for example 
> /sample.do?table=test. The values for this action is generated dynamically. I 
> want to Encode this URL. Is there any way to encode this URL.
> 
> Thanks & Regards,
> SenthilRajan VS
> 


-- 
--Yoge
9840425388

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Calling validator rule direct from code

2005-07-18 Thread chhum
Hi,

Using Tomcat 5,   I have an application which builds a multipage web 
form based on data from a database and user input.  I’d like to be able 
to use the validtator to it but can’t determine the required fields 
until run time.  I was wondering how I could use the pre-build 
validator rules in this situation.  It is possible to explicitly call a 
validator rule directly from a servlet.For example suppose I wanted 
to call the date validation rule passing it a string containing a date 
field and a datePattern of mm/dd/.  Can this be done?  If so does 
anyone have an example?  Or is there another way of solving this?


Thanks,

Charles


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



URL Encoding

2005-07-18 Thread Senthilrajan VS
Hi All,

I am calling the action directly using the hyper link, for example 
/sample.do?table=test. The values for this action is generated dynamically. I 
want to Encode this URL. Is there any way to encode this URL.

Thanks & Regards,
SenthilRajan VS

RE: I need help running an example

2005-07-18 Thread Marco Mistroni
Hello,
Probably you weren't logged in as 'Administrator'

Don't know details of why, since I don' tknow theapplication, but I am
Sure the instructions or readme file for the application will tell you
What to do..

Regards
marco

-Original Message-
From: Mohamed Fathi [mailto:[EMAIL PROTECTED] 
Sent: 18 July 2005 11:09
To: user@struts.apache.org
Subject: I need help running an example

Hi

I am new to Struts framework and I was trying to run a simple example
downloaded from "sourceforge" called "car-rental-system" it worked
fine on JBOSS except of a single problem. all buttons are disabled
when I opened the JSP file containing a submit button I found this
piece of code






 

I will be glade if anyone could explains to me what does it mean and
How could I get all button work on JBOSS

thanks in advance 
yours,
Mohamed Fathy

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



I need help running an example

2005-07-18 Thread Mohamed Fathi
Hi

I am new to Struts framework and I was trying to run a simple example
downloaded from "sourceforge" called "car-rental-system" it worked
fine on JBOSS except of a single problem. all buttons are disabled
when I opened the JSP file containing a submit button I found this
piece of code






 

I will be glade if anyone could explains to me what does it mean and
How could I get all button work on JBOSS

thanks in advance 
yours,
Mohamed Fathy

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]