I recall about 10 years ago a colleague told me a story about being sent
out to firefight a problem for a customer who had recently web-enabled a
CICS application. The customer was worried because there was a dramatic
reduction in the number of transactions being processed per day, 85%
less. It turned out the users of the old green screen app used to fill
out a field and press "enter" repeatedly to navigate around the screen,
prompted by validation messages. The web app that replaced the green
screen did all of its simple validation in JavaScript on the client, so
didn't need to run a server side transaction. When you consider the $$$
paid for mainframe MIPS that 85% reduction seems mighty attractive.
On 6/03/2014 10:04 PM, Charles Mills wrote:
Very much a development judgment call.
On the one hand a client can often do a much more user-friendly job of
validation and error message generation. Also better performance if the
server or the communication link is slow.
On the other hand (1) all "security" has to be on the server or someone may
write their own client and get around it; and (2) you run the risk of
rejecting something in the client that is actually valid on the server --
for example if the server is enhanced in some way down the road before you
can enhance the client.
Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On
Behalf Of David Crayford
Sent: Wednesday, March 05, 2014 10:21 PM
To: [email protected]
Subject: Re: Validation of a resource name
On 6/03/2014 2:11 PM, Arthur T. wrote:
On 5 Mar 2014 10:05:58 -0800, in bit.listserv.ibm-main
(Message-ID:<CADEq6i9SMRxz4fz3XNNTq+0eMWxk0E=ATqgA1w-AwHjCYjj84Q@mail.gmail.com>)
[email protected] (jan de decker) wrote:
I am building a small web application that interfaces with RACF.
On the client side I only have the IBM default supplied classes.
I want to validate as much as possible on the client before sending it
to the server.
Never do validation on the client side. Someone might decide to
write their own client, or something else silly, just to get by
restrictions. It's especially important not to trust client-side
*security* validation.
That depends on what you're validating. If it's just syntax for a class
name then validating on the client is surely better than pinging it off
to a server.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
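
An added example, not part of the original thread, of the split the posters describe: the client pre-check is advisory and uses a rule published by the server, while the server re-validates every request. The function names and the class-name pattern (1 to 8 characters from A-Z, 0-9, #, @, $) are assumptions for illustration.

```javascript
// Added example, not from the thread. The class-name rule below is an ASSUMED
// syntax (1-8 chars from A-Z, 0-9, #, @, $); check it against your RACF docs.
const CLASS_NAME_RULE = { version: 1, pattern: "^[A-Z0-9#@$]{1,8}$" };

// Server publishes its current rule so clients pre-check with the same
// pattern instead of a hard-coded copy that can go stale when the server
// is enhanced before the client is.
function publishRule() {
  return JSON.stringify(CLASS_NAME_RULE);
}

// Client side: advisory only. It gives the user a quick message and saves a
// round trip, but nothing on the server depends on it having run.
function clientPrecheck(ruleJson, className) {
  const rule = JSON.parse(ruleJson);
  return new RegExp(rule.pattern).test(className)
    ? { ok: true }
    : { ok: false, hint: "Class name does not match rule v" + rule.version };
}

// Server side: authoritative. Runs on every request and ignores any claim
// the client makes about having validated already.
function serverHandle(requestJson) {
  let req;
  try {
    req = JSON.parse(requestJson);
  } catch (e) {
    return { status: 400, error: "malformed request" };
  }
  const name = req && req.className;
  if (typeof name !== "string" || !new RegExp(CLASS_NAME_RULE.pattern).test(name)) {
    return { status: 422, error: "invalid class name" };
  }
  // Authorization would also be decided here, server side (not shown).
  return { status: 200, className: name };
}
```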