Very much a development judgment call. On the one hand a client can often do a much more user-friendly job of validation and error message generation. Also better performance if the server or the communication link is slow.
On the other hand (1) all "security" has to be on the server or someone may write their own client and get around it; and (2) you run the risk of rejecting something in the client that is actually valid on the server -- for example if the server is enhanced in some way down the road before you can enhance the client.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of David Crayford
Sent: Wednesday, March 05, 2014 10:21 PM
To: [email protected]
Subject: Re: Validation of a resource name

On 6/03/2014 2:11 PM, Arthur T. wrote:
> On 5 Mar 2014 10:05:58 -0800, in bit.listserv.ibm-main
> (Message-ID:<CADEq6i9SMRxz4fz3XNNTq+0eMWxk0E=ATqgA1w-AwHjCYjj84Q@mail.gmail.com>)
> [email protected] (jan de decker) wrote:
>
>> I am building a small web application that interfaces with RACF.
>>
>> On the client side I only have the IBM default supplied classes.
>>
>> I want to validate as much as possible on the client before sending it
>> to the server.
>
> Never do validation on the client side. Someone might decide to
> write their own client, or something else silly, just to get by
> restrictions. It's especially important not to trust client-side
> *security* validation.
>

That depends on what you're validating. If it's just syntax for a class name then validating on the client is surely better than pinging it off to a server.
