I would agree with that slightly.  However with Struts 2 it is often
convenient to have fields which are simply your Hibernate domain
models, especially if you are following paramsPrepareParams.  You might
have a form allowing them to change their name but not their signup
date.
My main concern was users setting dao/services to null or another value,
as the setters for those are required by the Spring plugin.  Is this a
valid concern, is it possible to alter these?

----- Original message -----
From: "Brian Pontarelli" <[EMAIL PROTECTED]>
To: "Struts Developers List" <dev@struts.apache.org>
Date: Thu, 25 Oct 2007 09:53:15 -0600
Subject: Re: [S2] Annotations (was Plugins gone wild!)

I tried to send a reply early, but it got rejected because it was HTML 
(oops).

I'm wondering if this is just another layer of configuration to 
alleviate flawed designs. I always find that the web tier should be 
accessible and only reveal setters for things it wants to consume. If I 
want something protected I put it in a web-business-service tier where 
it is better protected and I can control the injection and settings and 
frameworks don't introduce dangerous automatic handling.

-bp


Martin Gilday wrote:
> I've created a draft version and attached it to
> https://issues.apache.org/struts/browse/WW-2274
> It is a little bit messy at the moment and could be trimmed down a bit,
> but from my basic tests it seems to be working.
> Currently it only works on simple parameter names, so if you have a
> parameter called 'one.two' then it will not match as you only have a
> field named 'one'.  A quick way around this might be to simply trim the
> parameter name to the first '.'
>
>
> ----- Original message -----
> From: "Ted Husted" <[EMAIL PROTECTED]>
> To: "Struts Developers List" <dev@struts.apache.org>
> Date: Wed, 24 Oct 2007 14:52:16 -0400
> Subject: Re: [S2] Annotations (was Plugins gone wild!)
>
> On 10/23/07, Martin Gilday <[EMAIL PROTECTED]> wrote:
>   
>> Well I am looking at the Parameter Filter Interceptor
>> (http://cwiki.apache.org/WW/parameter-filter-interceptor.html) which I
>> am proposing we complement by allowing the same thing with annotations.
>> Currently we have a wizard like section in one of our sites which we are
>> backing with Spring session scope beans.  So the Struts2 Spring plugin
>> injects it.  To allow this we have a setMySessionBeanName(), which is
>> public.  So a user could call an action with a parameter
>> mySessionBeanName.forename and change that value.  You can stop that
>> with the filter interceptor by defining mySessionBeanName as a blocked
>> parameter name,  I would prefer to mark it @NotAParameter.
>>     
>
> Why not @blocked and @allowed for the properties, and @defaultBlock
> for the class?
>
> -Ted.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
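The annotation-based blocking discussed in this thread, including the "trim the parameter name to the first '.'" workaround, as an added example that is not the WW-2274 attachment or any Struts code. The `@NotAParameter` annotation is the name proposed in the thread; `rootOf`, `isBlocked`, `WizardBean` and `SignupAction` are hypothetical, and the sketch goes slightly beyond the thread by also cutting at `[`, since OGNL accepts bracket notation for the same property.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;

public class NotAParameterDemo {
    // Hypothetical marker annotation, named after the proposal in the thread.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @interface NotAParameter {}

    // Constructed stand-ins for a Spring-injected session bean and an action.
    static class WizardBean { String forename; }
    static class SignupAction {
        @NotAParameter WizardBean mySessionBeanName; // injected, never user input
        String name;                                 // legitimate form field
    }

    // Root property of a parameter name: the text before the first '.' or '['.
    static String rootOf(String param) {
        int end = param.length();
        for (char c : new char[] {'.', '['}) {
            int i = param.indexOf(c);
            if (i >= 0 && i < end) end = i;
        }
        return param.substring(0, end);
    }

    // True if the root property is a field marked @NotAParameter on the
    // action class or one of its superclasses.
    static boolean isBlocked(Class<?> action, String param) {
        String root = rootOf(param);
        for (Class<?> c = action; c != null && c != Object.class; c = c.getSuperclass()) {
            try {
                Field f = c.getDeclaredField(root);
                return f.isAnnotationPresent(NotAParameter.class);
            } catch (NoSuchFieldException e) {
                // Not declared on this class; keep walking up the hierarchy.
            }
        }
        return false; // no matching field: nothing to block here
    }

    public static void main(String[] args) {
        // Constructed request parameter names.
        String[] params = {"name", "mySessionBeanName",
                "mySessionBeanName.forename", "mySessionBeanName['forename']"};
        for (String p : params) {
            System.out.println(p + " -> " + (isBlocked(SignupAction.class, p) ? "blocked" : "allowed"));
        }
    }
}
```

Matching on the root property is what makes the block cover nested names; a check against the full parameter string would only stop the exact name `mySessionBeanName`.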