Thanks for the link, Kevin. It seems Robert listened to me! :-)

http://code.google.com/p/tapestry5-cayenne/wiki/SecuringValueEncoders

For an externally-facing application (and even some internal), it seems pluggable encryption might be the best approach (you don't want to include actual encryption, though). These overly-secure types of applications rarely care about friendly URLs, from what I've seen thus far and many are form/POST-based. I'll check out more later.

Thanks!

On Sun, Apr 27, 2008 at 12:03 PM, Kevin Menard <[EMAIL PROTECTED]> wrote:
> Hi Michael,
>
> We're looking to basically achieve feature parity with the Hibernate module
> and then surpass it. We've got some pretty good stuff going on right now.
> The simplest way forward was to include keys in the URLs, but we intend on
> making things more secure going forward.
>
> If you want to get involved with discussions and what not, feel free to join
> the group. It's pretty low volume:
>
> http://code.google.com/p/tapestry5-cayenne/
>
> --
> Kevin
>
> On 4/27/08 11:50 AM, "Michael Gentry" <[EMAIL PROTECTED]> wrote:
>
> > Hi Kevin,
> >
> > I'm just curious since I haven't been following Tapestry much lately
> > (I'm in WebObjects land currently) if you are making a data squeezer
> > (or whatever they are calling it in T5) for Cayenne? If so, is it
> > just going to stuff primary keys into the HTML as hidden fields or be
> > something more elaborate? The environments I've worked in tend to
> > need data security and exposing the primary keys in the HTML would be
> > a definite no-no. You never want to give the client/end-user a chance
> > to hack the primary key values to try to gain backdoor access to the
> > data.
> >
> > Thanks!
> >
> > /dev/mrg
> >
> > On Sun, Apr 27, 2008 at 10:08 AM, Kevin Menard <[EMAIL PROTECTED]> wrote:
> >> As part of the fix for CAY-574, we added a getPrimaryKeyNames() :
> >> Collection<String> method to ObjEntity. This did the trick and allowed
> >> DataObjectUtils to work. Unfortunately, it doesn't expose the PK type
> >> information.
> >>
> >> As some of you likely know, I'm working on Tapestry5-Cayenne integration
> >> module with Robert Zeigler. I'm trying to ensure the module works just as
> >> well for an ROP client as it does for traditional Cayenne server apps. One
> >> of the things we need to be able to handle is the coercion of keys to and
> >> from String values. This implies knowledge of the key class type, which is
> >> currently unavailable in the client.
> >>
> >> I'm soliciting ideas on how to improve this. Off the top of my head, I'm
> >> thinking something like the following:
> >>
> >> // Simple key -> value lookup.
> >> String getPkClassName(String pkName)
> >>
> >> // Modification of existing method to allow PK lookups.
> >> ObjAttribute getAttribute(String name, boolean includePks)
> >>
> >> // Rather than just have getPrimaryKeyNames(), return a mapping
> >> // of the key name and its Java class.
> >> Map<String, String> getPrimaryKeys()
> >>
> >> If possible, this is something I'd like to see squeezed in for 3.0M4,
> >> because I'd really like that module to not have to rely on 3.0-SNAPSHOT.
> >>
> >> Thanks,
> >> Kevin
