Re: Safari Extension update
It works fine with Safari v 5.0 (6533.16) but not in nightly webkit v 5.0 (6533.16, r63854). Thank you for this useful extension.

Emmanuel

On 21 Jul 2010, at 18:30, Edgar Klein wrote:

I really like this extension :).

On 2010-07-21, at 09:50, ISHIMOTO Ken wrote:

Version 0.86 Release WO Monitor 5 Links can be set now.

would it be possible to display the WO Monitor links only if they are set to some values? For me the links don't seem to be working ... or do I have to do something specific after setting my monitor? I also unchecked the display WOdka (japanese) and it still shows the fields.

Thank you for the great tool, Edgar

On 2010/07/20, at 21:06, James Cicenia wrote:

Great Perfect !! ... Though I could use more than two javamonitor entries! And, it will certainly put pressure on the bloggers being up there in the lights... but February? cheers - j-

On Jul 20, 2010, at 1:54 PM, ISHIMOTO Ken wrote:

Hi all WOs, New Version is available. Already installed User get the Update automatically. What's new: http://www.webobjects.me/safari/woExtension/index.html

* Show Hide japanese WO Content
* 2 Places for WO Monitor
* WO Community Link
* Link to Help Page for further Infos.

Thank you

K's ROOM (ISHIMOTO Ken) [E-Mail] k...@ksroom.com [iChat:] ibase_...@mac.com [HP] http://www.ksroom.com/

This e-mail has not been scanned for viruses because it was written on a Mac, and there are NO Viruses on an Apple Computer. For further information visit http://www.apple.com

Emmanuel GEZE emg...@gmail.com
Cerebral haemorrhages are less common among football players. So are brains... (P. Desproges)
Re: Does the ERXStaticResourceRequestHandler work with those compressed jarred resources?
On 22.07.2010, at 05:00, Mr. G Brown wrote:

We only accept 5.4 fixes now, not issues. None of the committers use or condone the use of 5.4 and thus we can't really test or debug problems with it.

Note that the poster showed remarkable constraint. Now, if that was *me* who'd have written it, I'd have said something in the line of Go f*ck yourself with 5.4 already! So far I've wasted a lot of time on that crap release that doesn't do one thing we don't already have! Solve your own problems for a change or go cry to Apple!

Cheers, Anjo

PS: This product looks neat: http://www.reghardware.com/2010/07/21/tonecheck_angry_emails/ Pity it's windows only.
WebObjects and HTML injection
Hi folks!

Some of our customers are commissioning penetration testing reports, which are flagging vulnerabilities in our WebObjects applications. The problem reported is with URLs such as .../wa/MyDirectAction?wosid=XYZ%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E , direct actions that preserve the session ID, where the session ID can be manipulated (at the cost of no longer being a valid session ID) to enable injecting some executable JavaScript onto a webpage.

In principle this is a vulnerability for various attacks such as XSS, SQL injection and so on. In practice, I'm confident there are no exploits in the apps for which I am responsible because any useful work is done via component actions; no valid session ID equals nothing useful served, and a valid session ID means you can get at what the app is supposed to let you be able to get at. But I'd like to tighten things up so that the penetration testing automated scanners find nothing because there's nothing to find.

I myself am still (don't laugh) working with WO4.5.1. What are things like in 5.4.x? It seems to me that I ought to be subclassing (or adding to existing subclasses) to override these:

com.webobjects.appserver.WODirectAction
    public String getSessionIDForRequest(WORequest aRequest)
    public void takeFormValueArraysForKeyArray(NSArray aKeyArray)
    public void takeFormValuesForKeyArray(NSArray aKeyArray)
    public void takeValueForKey(Object value, String key)

com.webobjects.appserver.WOComponent
    public void takeValuesFromRequest(WORequest aRequest, WOContext aContext)
    public void takeValueForKey(Object value, String key)

in order to sanitize inputs -- mostly by removing anything containing the likes of 'script'. What do you think?

Regards
Patrick
OneStep Solutions Plc www.onestep.co.uk
Re: WebObjects and HTML injection
Why would you preserve the session id when it's no longer valid?

Cheers, Anjo

On 22.07.2010, at 13:28, Patrick Middleton wrote:

in order to sanitize inputs -- mostly by removing anything containing the likes of 'script'. What do you think?
If an Editing Context is disposed of?
Hi,

Is there a way to check if an editing context is disposed so I could create new one? E.g.

    private EOEditingContext _editingContext;

    public EOEditingContext editingContext() {
        if (_editingContext == null) { // Or _editingContext is disposed of
            _editingContext = ERXEC.newEditingContext();
        }
        return _editingContext;
    }

I know I can do _editingContext = null after disposing the editing context but is there any alternative or a utility method?

Farrukh
Inverse to-one relationships
Hello,

I know this topic comes up on the list from time to time, but I just need a quick sanity check.

I have two entities, A and B. For every A, there is a corresponding B. For some subset of all Bs, each has a corresponding A. Currently I have modelled this with a single relationship from A to B, so that's a mandatory to-one relationship. (Alternatively, I could have modelled it with an optional to-one relationship from B to A.)

At different times, I need to traverse this relationship in both directions. For any A, A.b() will give me the related B. But for the reverse direction, say I have a B and I want its A (if it has one), I have a custom method B.a() which does a fetch for the A such that A.b() is the B of interest. Sometimes, though, I just want to know if there is an A for a particular B, or whether it's null, and in this setting, the fetch is expensive.

Here's where I need the sanity check: is there a way, given the constraints above, to model an inverse to-one relationship from B to A such that it appears as the inverse to EOF? That is, such that calling, say, A.addObjectToBothSidesOfRelationshipWithKey(B, b) does both A.setB(B) and B.setA(A)? I'm assuming there's not, as I certainly can't beat the model into doing it. I can work around it by doing the right thing at creation time for every A, I just wanted to know if I was missing something where EOF (or Wonder) would handle this automagically.

-- Paul. http://logicsquad.net/
Re: Inverse to-one relationships
One-to-optional-one relationship... Not doable as far as I know. In another discussion on the topic, Chuck Hill suggested:

You could model it as a right-outer join and optional, but I think that EOF is still going to have a hissy fit when it does not find the row. Worth a try and a good bug to log with Apple if it does not work. Chuck

Great idea. I gave that a shot, but it didn't work. Beyond that, I've considered modeling a typical one-to-many, applying a unique constraint to the FK, creating a method to get/set the relationship, and then register a custom EOClassDescription to replace the reported toMany with my getter/setter toOne. I haven't tried the custom EOClassDescription bit yet though.

Ramsey

On Jul 22, 2010, at 8:00 AM, Paul Hoadley wrote:

Hello,

I know this topic comes up on the list from time to time, but I just need a quick sanity check.

I have two entities, A and B. For every A, there is a corresponding B. For some subset of all Bs, each has a corresponding A. Currently I have modelled this with a single relationship from A to B, so that's a mandatory to-one relationship. (Alternatively, I could have modelled it with an optional to-one relationship from B to A.)

At different times, I need to traverse this relationship in both directions. For any A, A.b() will give me the related B. But for the reverse direction, say I have a B and I want its A (if it has one), I have a custom method B.a() which does a fetch for the A such that A.b() is the B of interest. Sometimes, though, I just want to know if there is an A for a particular B, or whether it's null, and in this setting, the fetch is expensive.

Here's where I need the sanity check: is there a way, given the constraints above, to model an inverse to-one relationship from B to A such that it appears as the inverse to EOF? That is, such that calling, say, A.addObjectToBothSidesOfRelationshipWithKey(B, b) does both A.setB(B) and B.setA(A)? I'm assuming there's not, as I certainly can't beat the model into doing it. I can work around it by doing the right thing at creation time for every A, I just wanted to know if I was missing something where EOF (or Wonder) would handle this automagically.

-- Paul. http://logicsquad.net/
Re: Inverse to-one relationships
On Jul 22, 2010, at 5:00 AM, Paul Hoadley wrote:

Hello, I know this topic comes up on the list from time to time, but I just need a quick sanity check.

Nope, not sane. :-)

I have two entities, A and B. For every A, there is a corresponding B. For some subset of all Bs, each has a corresponding A. Currently I have modelled this with a single relationship from A to B, so that's a mandatory to-one relationship. (Alternatively, I could have modelled it with an optional to-one relationship from B to A.)

At different times, I need to traverse this relationship in both directions. For any A, A.b() will give me the related B. But for the reverse direction, say I have a B and I want its A (if it has one), I have a custom method B.a() which does a fetch for the A such that A.b() is the B of interest. Sometimes, though, I just want to know if there is an A for a particular B, or whether it's null, and in this setting, the fetch is expensive.

Here's where I need the sanity check: is there a way, given the constraints above, to model an inverse to-one relationship from B to A such that it appears as the inverse to EOF? That is, such that calling, say, A.addObjectToBothSidesOfRelationshipWithKey(B, b) does both A.setB(B) and B.setA(A)? I'm assuming there's not, as I certainly can't beat the model into doing it. I can work around it by doing the right thing at creation time for every A, I just wanted to know if I was missing something where EOF (or Wonder) would handle this automagically.

How are you modeling these relationships?

Chuck

-- Chuck Hill Senior Consultant / VP Development
Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or who are trying to solve specific problems. http://www.global-village.net/products/practical_webobjects
Re: Safari Extension update
On 2010-07-22, at 01:16, Emmanuel GEZE wrote:

It works fine with Safari v 5.0 (6533.16) but not in nightly webkit v 5.0 (6533.16, r63854).

... and here an article about it http://trac.webkit.org/wiki/FAQ

cheers, Edgar

Thank you for this useful extension. Emmanuel

On 21 Jul 2010, at 18:30, Edgar Klein wrote:

I really like this extension :).

On 2010-07-21, at 09:50, ISHIMOTO Ken wrote:

Version 0.86 Release WO Monitor 5 Links can be set now.

would it be possible to display the WO Monitor links only if they are set to some values? For me the links don't seem to be working ... or do I have to do something specific after setting my monitor? I also unchecked the display WOdka (japanese) and it still shows the fields.

Thank you for the great tool, Edgar

On 2010/07/20, at 21:06, James Cicenia wrote:

Great Perfect !! ... Though I could use more than two javamonitor entries! And, it will certainly put pressure on the bloggers being up there in the lights... but February? cheers - j-

On Jul 20, 2010, at 1:54 PM, ISHIMOTO Ken wrote:

Hi all WOs, New Version is available. Already installed User get the Update automatically. What's new: http://www.webobjects.me/safari/woExtension/index.html

* Show Hide japanese WO Content
* 2 Places for WO Monitor
* WO Community Link
* Link to Help Page for further Infos.

Thank you

K's ROOM (ISHIMOTO Ken) [E-Mail] k...@ksroom.com [iChat:] ibase_...@mac.com [HP] http://www.ksroom.com/

This e-mail has not been scanned for viruses because it was written on a Mac, and there are NO Viruses on an Apple Computer. For further information visit http://www.apple.com

Emmanuel GEZE emg...@gmail.com
Cerebral haemorrhages are less common among football players. So are brains... (P. Desproges)
OT: Java desktop dev environments
Wow, Dave didn't use this as an opportunity to plug D2JC?
Re: WebObjects and HTML injection
On 22 Jul 2010, at 12:49, Anjo Krank wrote:

Why would you preserve the session id when it's no longer valid? Cheers, Anjo

On 22.07.2010, at 13:28, Patrick Middleton wrote:

in order to sanitize inputs -- mostly by removing anything containing the likes of 'script'. What do you think?

Preserve the session id when it's no longer valid? Anjo, are you saying my application should have sanitised its inputs?

When I wrote the app I considered how a session ID might not be valid, and what the app would do:

* timed out: give a 'timed out' response page
* ought to exist, but the instance has crashed and restarted: give a 'timed out' response page
* redirected to the wrong instance by the load balancer: give a 'timed out' response page

and so on. I didn't explicitly preserve the session ID. What I did not consider was someone cooking up an interesting bogus sessionID and then finding a page accessible by a direct action that had some component action URLs on it, so that in the event of the session ID not being valid, I would need to take steps to ensure it did not appear in the response.

Moreover, while the sessionID is an excellent place to start for anybody probing for security vulnerabilities in a WO app, it's not the only place -- I think every form value, cookie and CGI argument needs to be sanitised.

Regards
Patrick
OneStep Solutions Plc www.onestep.co.uk
Re: WebObjects and HTML injection
Wouldn't a simple check on hasSession do the trick? No session = no action = pageWithName(OhNoYouDidNot)

-G

On Jul 22, 2010, at 9:40 AM, Patrick Middleton patr...@onestep.co.uk wrote:

On 22 Jul 2010, at 12:49, Anjo Krank wrote:

Why would you preserve the session id when it's no longer valid? Cheers, Anjo

On 22.07.2010, at 13:28, Patrick Middleton wrote:

in order to sanitize inputs -- mostly by removing anything containing the likes of 'script'. What do you think?

Preserve the session id when it's no longer valid? Anjo, are you saying my application should have sanitised its inputs?

When I wrote the app I considered how a session ID might not be valid, and what the app would do:

* timed out: give a 'timed out' response page
* ought to exist, but the instance has crashed and restarted: give a 'timed out' response page
* redirected to the wrong instance by the load balancer: give a 'timed out' response page

and so on. I didn't explicitly preserve the session ID. What I did not consider was someone cooking up an interesting bogus sessionID and then finding a page accessible by a direct action that had some component action URLs on it, so that in the event of the session ID not being valid, I would need to take steps to ensure it did not appear in the response.

Moreover, while the sessionID is an excellent place to start for anybody probing for security vulnerabilities in a WO app, it's not the only place -- I think every form value, cookie and CGI argument needs to be sanitised.

Regards
Patrick
OneStep Solutions Plc www.onestep.co.uk
Re: WebObjects and HTML injection
I don't follow: *is* this an actual problem with the default coding style? IMO, you wouldn't ever say oh noez! your session $ID is no longer valid! but I'll use it anyway. What *should* happen is that WO gives you a new page when the instance doesn't find the existing session (SessionExpired default or whatever). that page should have only the ID of a new session in it, certainly no mention of the old one. If that happens right now, then you don't have a problem. if it doesn't then you'd need to fix *that* as this is bogus behavior.

Cheers, Anjo

On 22.07.2010, at 18:40, Patrick Middleton wrote:

On 22 Jul 2010, at 12:49, Anjo Krank wrote:

Why would you preserve the session id when it's no longer valid? Cheers, Anjo

On 22.07.2010, at 13:28, Patrick Middleton wrote:

in order to sanitize inputs -- mostly by removing anything containing the likes of 'script'. What do you think?

Preserve the session id when it's no longer valid? Anjo, are you saying my application should have sanitised its inputs?

When I wrote the app I considered how a session ID might not be valid, and what the app would do:

* timed out: give a 'timed out' response page
* ought to exist, but the instance has crashed and restarted: give a 'timed out' response page
* redirected to the wrong instance by the load balancer: give a 'timed out' response page

and so on. I didn't explicitly preserve the session ID. What I did not consider was someone cooking up an interesting bogus sessionID and then finding a page accessible by a direct action that had some component action URLs on it, so that in the event of the session ID not being valid, I would need to take steps to ensure it did not appear in the response.

Moreover, while the sessionID is an excellent place to start for anybody probing for security vulnerabilities in a WO app, it's not the only place -- I think every form value, cookie and CGI argument needs to be sanitised.

Regards
Patrick
OneStep Solutions Plc www.onestep.co.uk
Re: WebObjects and HTML injection
On 22/07/2010, at 9:28 PM, Patrick Middleton wrote:

Some of our customers are commissioning penetration testing reports, which are flagging vulnerabilities in our WebObjects applications. The problem reported is with URLs such as .../wa/MyDirectAction?wosid=XYZ%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E , direct actions that preserve the session ID, where the session ID can be manipulated (at the cost of no longer being a valid session ID) to enable injecting some executable JavaScript onto a webpage.

In principle this is a vulnerability for various attacks such as XSS, SQL injection and so on. In practice, I'm confident there are no exploits in the apps for which I am responsible because any useful work is done via component actions; no valid session ID equals nothing useful served, and a valid session ID means you can get at what the app is supposed to let you be able to get at. But I'd like to tighten things up so that the penetration testing automated scanners find nothing because there's nothing to find.

In addition to what Anjo's already said, have you considered storing your wosids in cookies so they're not in the url at all?

I myself am still (don't laugh) working with WO4.5.1.

Java or Objective-C?

What are things like in 5.4.x?

4.5.x was before my time with WO, so can't compare. 53/54 are certainly more popular...

It seems to me that I ought to be subclassing (or adding to existing subclasses) to override these:

com.webobjects.appserver.WODirectAction
    public String getSessionIDForRequest(WORequest aRequest)
    public void takeFormValueArraysForKeyArray(NSArray aKeyArray)
    public void takeFormValuesForKeyArray(NSArray aKeyArray)
    public void takeValueForKey(Object value, String key)

com.webobjects.appserver.WOComponent
    public void takeValuesFromRequest(WORequest aRequest, WOContext aContext)
    public void takeValueForKey(Object value, String key)

in order to sanitize inputs -- mostly by removing anything containing the likes of 'script'. What do you think?

How about just app.dispatchRequest and if any bogus input is provided return pageNotFound.

with regards,
-- Lachlan Deck
Re: Does the ERXStaticResourceRequestHandler work with those compressed jarred resources?
On 22/07/2010, at 1:00 PM, Mr. G Brown wrote:

On Jul 21, 2010, at 8:12 PM, Mike Schrag wrote:

Or your deployment needs fixing to not assume jar frameworks :)

Mike: Now that you're moving (have moved?) to the inside... I'm sure you'll have need to broaden your horizons ;-)

On Jul 21, 2010, at 12:29 AM, Lachlan Deck wrote:

You'll find that the implementation for this needs fixing so that it doesn't assume *.framework resources. :-/

So public class ERXStaticResourceRequestHandler extends WORequestHandler, but you can just drop back to vanilla WORequestHandler? I think this issue was marked fixed, by going back to WORequestHandler? There needs to be a list of webobjects 5.3 vs 5.4 and the Wonder issues. I know Chuck has some 5.4 vs 5.3 differences. I also know that wocheckboxes need a work around in 5.4. Is anybody using 5.4?

Yes.

It is too bad that Wonder doesn't work so well with the jar frameworks; sometimes it does, sometimes it doesn't...

If I had the need/time/opportunity I'd fix WONDER-461 etc. This is not only (if at all) a WO54 issue. My previous comment was not about WO but Wonder's ERXFileUtilities, for example. WOLips used to have similar issues. Anyway, as Mike said, patches welcome.

with regards,
-- Lachlan Deck
Re: WebObjects and HTML injection
Check out http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API They have a very good Java based implementation of security code that you can integrate with your java based project to help you sanitize your user/externally provided data.

It is not sufficient to check for script tags in your incoming data. There are a lot of other things that can cause cross site scripting, SQL injection, cross request forging, etc. issues. The best approach is to provide a white list validation of every incoming parameter and check to see if the param matches expected range of values. Anything else is considered dangerous. The ESAPI framework has a very good white list param implementation. There are also methods for sanitizing XML, DB calls, request headers, javascript, LDAP calls, etc.

The OWASP Top Ten list http://www.owasp.org/index.php/Top_Ten is a recognized list of top vulnerabilities that various penetration testing tools generate compliance reports against.

Good Luck
Dov Rosenberg

On 7/22/10 4:04 PM, Lachlan Deck lachlan.d...@gmail.com wrote:

On 22/07/2010, at 9:28 PM, Patrick Middleton wrote:

Some of our customers are commissioning penetration testing reports, which are flagging vulnerabilities in our WebObjects applications. The problem reported is with URLs such as .../wa/MyDirectAction?wosid=XYZ%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E , direct actions that preserve the session ID, where the session ID can be manipulated (at the cost of no longer being a valid session ID) to enable injecting some executable JavaScript onto a webpage. In principle this is a vulnerability for various attacks such as XSS, SQL injection and so on. In practice, I'm confident there are no exploits in the apps for which I am responsible because any useful work is done via component actions; no valid session ID equals nothing useful served, and a valid session ID means you can get at what the app is supposed to let you be able to get at. But I'd like to tighten things up so that the penetration testing automated scanners find nothing because there's nothing to find.

In addition to what Anjo's already said, have you considered storing your wosids in cookies so they're not in the url at all?

I myself am still (don't laugh) working with WO4.5.1. Java or Objective-C? What are things like in 5.4.x?

4.5.x was before my time with WO, so can't compare. 53/54 are certainly more popular...

It seems to me that I ought to be subclassing (or adding to existing subclasses) to override these:

com.webobjects.appserver.WODirectAction
    public String getSessionIDForRequest(WORequest aRequest)
    public void takeFormValueArraysForKeyArray(NSArray aKeyArray)
    public void takeFormValuesForKeyArray(NSArray aKeyArray)
    public void takeValueForKey(Object value, String key)

com.webobjects.appserver.WOComponent
    public void takeValuesFromRequest(WORequest aRequest, WOContext aContext)
    public void takeValueForKey(Object value, String key)

in order to sanitize inputs -- mostly by removing anything containing the likes of 'script'. What do you think?

How about just app.dispatchRequest and if any bogus input is provided return pageNotFound.

with regards,
-- Lachlan Deck
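The allow-list validation Dov describes, applied at the point Lachlan suggests (before dispatch, answering "not found" for bogus input), as an added example that is not code from the thread, WebObjects or ESAPI. It is plain Java with no WebObjects dependency; the class name, the `page` parameter and both patterns are assumptions, and the sample query strings are constructed apart from the one quoted in the thread.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example: allow-list check of direct-action parameters, run before dispatch. */
public class RequestParameterGate {

    // Allow-list: parameter name -> pattern the whole decoded value must match.
    // Both entries are assumptions for this sketch; use the formats your app really issues.
    private static final Map<String, Pattern> ALLOWED = new LinkedHashMap<>();
    static {
        ALLOWED.put("wosid", Pattern.compile("[A-Za-z0-9]{1,64}")); // assumed session ID shape
        ALLOWED.put("page", Pattern.compile("[0-9]{1,4}"));         // hypothetical form value
    }

    /** The deny-list idea from the thread: reject only input containing "script". */
    static boolean denyListAccepts(String rawQuery) {
        try {
            String decoded = URLDecoder.decode(rawQuery, StandardCharsets.UTF_8);
            return !decoded.toLowerCase(Locale.ROOT).contains("script");
        } catch (IllegalArgumentException malformedEscape) {
            return false;
        }
    }

    /** True only if every parameter is known and its decoded value matches its pattern. */
    static boolean allowListAccepts(String rawQuery) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return true; // no parameters, nothing to validate
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            String rawValue = eq < 0 ? "" : pair.substring(eq + 1);
            String name;
            String value;
            try {
                name = URLDecoder.decode(rawName, StandardCharsets.UTF_8);
                value = URLDecoder.decode(rawValue, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformedEscape) {
                return false; // broken %-encoding counts as bogus input
            }
            Pattern rule = ALLOWED.get(name);
            // Unknown names are rejected too: the list says what is expected,
            // everything else is treated as dangerous.
            if (rule == null || !rule.matcher(value).matches()) {
                return false;
            }
        }
        return true;
    }

    /** Status the dispatcher would answer with: 404 for anything outside the allow-list. */
    static int statusFor(String rawQuery) {
        return allowListAccepts(rawQuery) ? 200 : 404;
    }

    public static void main(String[] args) {
        String[] samples = {
            "wosid=Zt9KqLw3xYp0AbCdEfGh12",                             // well-formed (constructed)
            "wosid=XYZ%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E", // value quoted in the thread
            "wosid=XYZ%22%3E%3Cb%3E",                                   // markup without the word "script"
            "wosid=abc123&debug=1",                                     // unexpected parameter name
            "wosid=abc%ZZ"                                              // malformed percent-encoding
        };
        for (String query : samples) {
            System.out.printf("%-58s deny-list accepts: %-5b allow-list status: %d%n",
                    query, denyListAccepts(query), statusFor(query));
        }
    }
}
```

The third sample is the case Dov's reply is about: the "script" filter lets it through, while the allow-list answers 404 because a quote or angle bracket can never match the expected session ID shape.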
Re: OT: Java desktop dev environments
Well, he did say non-WO, and that he actually wanted to write Swing instead of letting the rule engine do all that hard work for him. If a guy is a masochist, who am I to stand in the way? Now, stand around and watch? That I could _easily_ do all day, especially if there's beer involved. Dave On Jul 22, 2010, at 12:40 PM, Dawn Lockhart wrote: Wow, Dave didn't use this as an opportunity to plug D2JC?
Re: Inverse to-one relationships
Hi Paul, I'm not 100% clear on how this is modeled. 1) Does the A.b() relationship propagate PKs? 2) Are you saying that the A.b().a() may be null? In other words, are you saying A.fetchAllAs().valueForKey(B_KEY) may not return an Array with the same objects that B.fetchAllBs(ec, B.A.isNotNull()) ? Dave On Jul 22, 2010, at 8:00 AM, Paul Hoadley wrote: Hello, I know this topic comes up on the list from time to time, but I just need a quick sanity check. I have two entities, A and B. For every A, there is a corresponding B. For some subset of all Bs, each has a corresponding A. Currently I have modelled this with a single relationship from A to B, so that's a mandatory to-one relationship. (Alternatively, I could have modelled it with an optional to-one relationship from B to A.) At different times, I need to traverse this relationship in both directions. For any A, A.b() will give me the related B. But for the reverse direction, say I have a B and I want its A (if it has one), I have a custom method B.a() which does a fetch for the A such that A.b() is the B of interest. Sometimes, though, I just want to know if there is an A for a particular B, or whether it's null, and in this setting, the fetch is expensive. Here's where I need the sanity check: is there a way, given the constraints above, to model an inverse to-one relationship from B to A such that it appears as the inverse to EOF? That is, such that calling, say, A.addObjectToBothSidesOfRelationshipWithKey(B, b) does both A.setB(B) and B.setA(A)? I'm assuming there's not, as I certainly can't beat the model into doing it. I can work around it by doing the right thing at creation time for every A, I just wanted to know if I was missing something where EOF (or Wonder) would handle this automagically. -- Paul. http://logicsquad.net/
OT: WO Wiki search less than helpful
I was trying out the new extension, and wanted to see what I last posted on ERModernLook (or if I ever did get around to adding my notes). I was lazy, and did a search for ERModern but came up blank. Only by searching full names like ERModernLook did results come up. This is relative to the search provided by Confluence. Is there a way that searches on substrings is supposed to work there? Considering WebObjects is the land of the VeryLongAndHardToRememberExactOrderingMethodNames, I thought perhaps this was something to bring up. Relying on google doesn't help much, as it doesn't always direct me to the real meat at the objectstyle wiki or even find things there.
Re: OT: WO Wiki search less than helpful
Hi Joe, I've been really impressed with the updated confluence site itself. The search has become especially useful to me. I hope that the extension can match it, but if not, the confluence wiki itself is still only a click away. And no, I don't think you put up your notes about ERModernLook. I am pretty sure I would have seen them. d On 22-Jul-10, at 2:04 PM, Joe Little wrote: I was trying out the new extension, and wanted to see what I last posted on ERModernLook (or if I ever did get around to adding my notes). I was lazy, and did a search for ERModern but came up blank. Only by searching full names like ERModernLook did results come up. This is relative to the search provided by Confluence. Is there a way that searches on substrings is supposed to work there? Considering WebObjects is the land of the VeryLongAndHardToRememberExactOrderingMethodNames, I thought perhaps this was something to bring up. Relying on google doesn't help much, as it doesn't always direct me to the real meat at the objectstyle wiki or even find things there.
Re: Inverse to-one relationships
On 22/07/2010, at 11:42 PM, Ramsey Gurley wrote: One-to-optional-one relationship... Not doable as far as I know. In another discussion on the topic, Chuck Hill suggested: You could model it as a right-outer join and optional, but I think that EOF is still going to have a hissy fit when it does not find the row. Worth a try and a good bug to log with Apple if it does not work. Chuck Great idea. I gave that a shot, but it didn't work. Beyond that, I've considered modeling a typical one-to-many, applying a unique constraint to the FK, creating a method to get/set the relationship, and then register a custom EOClassDescription to replace the reported toMany with my getter/setter toOne. I haven't tried the custom EOClassDescription bit yet though. Thanks Ramsey. That's pretty much what I thought. -- Paul. http://logicsquad.net/
Re: Inverse to-one relationships
On 23/07/2010, at 12:09 AM, Chuck Hill wrote: I know this topic comes up on the list from time to time, but I just need a quick sanity check. Nope, not sane. :-) Well spotted. Now on with this: I have two entities, A and B. For every A, there is a corresponding B. For some subset of all Bs, each has a corresponding A. Currently I have modelled this with a single relationship from A to B, so that's a mandatory to-one relationship. (Alternatively, I could have modelled it with an optional to-one relationship from B to A.) How are you modeling these relationships? Originally, just this: a mandatory, to-one relationship from A to B. Consider it to be a parent (B) with optional child (A). Every child has a parent (hence the current mandatory to-one from A to B), and every parent has zero or one child. So I've tacked on an optional to-one relationship from B to A to model the latter. I take it there's no way to convince EOF that these relationships are inverses, and get the convenience of updating both sides of the relationship at the same time. -- Paul. http://logicsquad.net/
Re: Inverse to-one relationships
Hi David, On 23/07/2010, at 6:33 AM, David Avendasora wrote: I'm not 100% clear on how this is modeled. 1) Does the A.b() relationship propagate PKs? No. 2) Are you saying that the A.b().a() may be null? No, never. A.b().a() would always give A. In other words, are you saying A.fetchAllAs().valueForKey(B_KEY) may not return an Array with the same objects that B.fetchAllBs(ec, B.A.isNotNull()) ? No, I'm not saying that. Those two expressions would return the same objects. Sorry, I should have tried to be clearer. Basically, I've got a parent object B (which will always be created first). At some point, B may obtain at most one child A, but it doesn't necessarily. So every B has zero or one child As. Every A has exactly one parent B. Currently I have a mandatory to-one relationship from A to B (so A knows its parent directly). To avoid some fetching, I have added an optional to-one relationship from B to A, so B knows its child if it has one. I assume there's no way to make these relationships inverses from EOF's perspective, and that I will just need to be careful about always setting the B to A relationship on creation of an A. -- Paul. http://logicsquad.net/
Re: Inverse to-one relationships
On Jul 22, 2010, at 2:56 PM, Paul Hoadley wrote: Sorry, I should have tried to be clearer. Basically, I've got a parent object B (which will always be created first). At some point, B may obtain at most one child A, but it doesn't necessarily. So every B has zero or one child As. Every A has exactly one parent B. Currently I have a mandatory to-one relationship from A to B (so A knows its parent directly). To avoid some fetching, I have added an optional to-one relationship from B to A, so B knows its child if it has one. I assume there's no way to make these relationships inverses from EOF's perspective, and that I will just need to be careful about always setting the B to A relationship on creation of an A. How did you model this? B holds the PK of A as a FK? They each need a FK for the other, I think. Your relationships should be B.FKA == A.PK A.FKB == B.PK I think... -- Chuck Hill Senior Consultant / VP Development Practical WebObjects - for developers who want to increase their overall knowledge of WebObjects or who are trying to solve specific problems. http://www.global-village.net/products/practical_webobjects
Re: Inverse to-one relationships
On Jul 22, 2010, at 2:49 PM, Paul Hoadley wrote: On 23/07/2010, at 12:09 AM, Chuck Hill wrote: I know this topic comes up on the list from time to time, but I just need a quick sanity check. Nope, not sane. :-) Well spotted. Now on with this: I have two entities, A and B. For every A, there is a corresponding B. For some subset of all Bs, each has a corresponding A. Currently I have modelled this with a single relationship from A to B, so that's a mandatory to-one relationship. (Alternatively, I could have modelled it with an optional to-one relationship from B to A.) How are you modeling these relationships? Originally, just this: a mandatory, to-one relationship from A to B. Consider it to be a parent (B) with optional child (A). Every child has a parent (hence the current mandatory to-one from A to B), and every parent has zero or one child. So I've tacked on an optional to-one relationship from B to A to model the latter. I take it there's no way to convince EOF that these relationships are inverses, and get the convenience of updating both sides of the relationship at the same time. Where are the FKs? B holds A's PK as an FK? They both have the same PK? Chuck -- Chuck Hill
Re: Inverse to-one relationships
On 23/07/2010, at 7:32 AM, Chuck Hill wrote: On Jul 22, 2010, at 2:56 PM, Paul Hoadley wrote: Sorry, I should have tried to be clearer. Basically, I've got a parent object B (which will always be created first). At some point, B may obtain at most one child A, but it doesn't necessarily. So every B has zero or one child As. Every A has exactly one parent B. Currently I have a mandatory to-one relationship from A to B (so A knows its parent directly). To avoid some fetching, I have added an optional to-one relationship from B to A, so B knows its child if it has one. I assume there's no way to make these relationships inverses from EOF's perspective, and that I will just need to be careful about always setting the B to A relationship on creation of an A. How did you model this? B holds the PK of A as a FK? They each need a FK for the other, I think. Your relationships should be B.FKA == A.PK [1] A.FKB == B.PK [2] I think... Yeah, that's exactly what I've done. And [1] is optional (because not every B (parent) has an A (child)), and [2] is mandatory (because every A (child) has a B (parent)). But AFAICS, they're not being recognised as inverse relationships. Which is fine, because that's what my archive searching led me to expect, but I wanted to, uh, go over it one more time. -- Paul. http://logicsquad.net/
Re: Inverse to-one relationships
On 23/07/2010, at 7:42 AM, Chuck Hill wrote: How are you modeling these relationships? Originally, just this: a mandatory, to-one relationship from A to B. Consider it to be a parent (B) with optional child (A). Every child has a parent (hence the current mandatory to-one from A to B), and every parent has zero or one child. So I've tacked on an optional to-one relationship from B to A to model the latter. I take it there's no way to convince EOF that these relationships are inverses, and get the convenience of updating both sides of the relationship at the same time. Where are the FKs? B holds A's PK as an FK? Yes, and vice versa. Only difference is that B to A is optional (parent can have zero children), A to B is mandatory (child must have a parent). They both have the same PK? No. (Would this help?) -- Paul. http://logicsquad.net/
Re: Inverse to-one relationships
On Jul 22, 2010, at 3:37 PM, Paul Hoadley wrote: On 23/07/2010, at 7:32 AM, Chuck Hill wrote: On Jul 22, 2010, at 2:56 PM, Paul Hoadley wrote: Sorry, I should have tried to be clearer. Basically, I've got a parent object B (which will always be created first). At some point, B may obtain at most one child A, but it doesn't necessarily. So every B has zero or one child As. Every A has exactly one parent B. Currently I have a mandatory to-one relationship from A to B (so A knows its parent directly). To avoid some fetching, I have added an optional to-one relationship from B to A, so B knows its child if it has one. I assume there's no way to make these relationships inverses from EOF's perspective, and that I will just need to be careful about always setting the B to A relationship on creation of an A. How did you model this? B holds the PK of A as a FK? They each need a FK for the other, I think. Your relationships should be B.FKA == A.PK [1] A.FKB == B.PK [2] I think... Yeah, that's exactly what I've done. And [1] is optional (because not every B (parent) has an A (child)), and [2] is mandatory (because every A (child) has a B (parent)). But AFAICS, they're not being recognised as inverse relationships. Which is fine, because that's what my archive searching led me to expect, but I wanted to, uh, go over it one more time. OK, now that we are all on the same page :-), see the JavaDocs for EOEnterpriseObject: inverseForRelationshipKey String inverseForRelationshipKey(String relationshipKey) Returns the name of the relationship pointing back to the receiver's class or entity from that named by relationshipKey, or null if there isn't one. With the access layer's EOEntity and EORelationship classes, for example, reciprocality is determined by the join attributes of the two EORelationships. EOCustomObject's implementation simply sends an inverseForRelationshipKey message to the receiver's EOClassDescription. You might override this method for reciprocal relationships that aren't defined using the same join attributes. For example, if a Member object has a relationship to CreditCard based on the card number, but a CreditCard has a relationship to Member based on the Member's primary key, both classes need to override this method. This is how Member might implement it.

    public String inverseForRelationshipKey(String relationshipKey) {
        // Name the reciprocal relationship explicitly for the "creditCard" key
        if (relationshipKey.equals("creditCard"))
            return "member";
        else
            return super.inverseForRelationshipKey(relationshipKey);
    }

Chuck -- Chuck Hill
Re: Inverse to-one relationships
On Jul 22, 2010, at 3:39 PM, Paul Hoadley wrote: On 23/07/2010, at 7:42 AM, Chuck Hill wrote: How are you modeling these relationships? Originally, just this: a mandatory, to-one relationship from A to B. Consider it to be a parent (B) with optional child (A). Every child has a parent (hence the current mandatory to-one from A to B), and every parent has zero or one child. So I've tacked on an optional to-one relationship from B to A to model the latter. I take it there's no way to convince EOF that these relationships are inverses, and get the convenience of updating both sides of the relationship at the same time. Where are the FKs? B holds A's PK as an FK? Yes, and vice versa. Only difference is that B to A is optional (parent can have zero children), A to B is mandatory (child must have a parent). They both have the same PK? No. (Would this help?) It would make it worse, I just wanted to understand the situation. -- Chuck Hill
Re: Inverse to-one relationships
On 23/07/2010, at 8:25 AM, Chuck Hill wrote: OK, now that we are all on the same page :-), see the JavaDocs for EOEnterpriseObject: inverseForRelationshipKey String inverseForRelationshipKey(String relationshipKey) Returns the name of the relationship pointing back to the receiver's class or entity from that named by relationshipKey, or null if there isn't one. With the access layer's EOEntity and EORelationship classes, for example, reciprocality is determined by the join attributes of the two EORelationships. EOCustomObject's implementation simply sends an inverseForRelationshipKey message to the receiver's EOClassDescription. You might override this method for reciprocal relationships that aren't defined using the same join attributes. For example, if a Member object has a relationship to CreditCard based on the card number, but a CreditCard has a relationship to Member based on the Member's primary key, both classes need to override this method. This is how Member might implement it.

    public String inverseForRelationshipKey(String relationshipKey) {
        // Name the reciprocal relationship explicitly for the "creditCard" key
        if (relationshipKey.equals("creditCard"))
            return "member";
        else
            return super.inverseForRelationshipKey(relationshipKey);
    }

Outstanding, thanks Chuck. Would you believe I got as far as the Javadocs for EOCustomObject.inverseForRelationshipKey(), and convinced myself that it didn't look like the sort of thing I should be overriding? If only I had clicked one more hyperlink... In any case, that works. Here are some follow-up questions: 1. It only works when I call a.addObjectToBothSidesOfRelationshipWithKey(b, "b"). (Don't get me wrong—that's great, an enormous improvement on what I was doing 5 minutes ago.) I've got Wonder's updateInverseRelationships property set true, but it doesn't seem to be automatically updating this relationship. (It is working as designed on others.) In fact, inverseForRelationshipKey() isn't even being called, unless I manually call addObjectToBothSidesOfRelationshipWithKey(). Is this expected? 2. Slightly more academic: why did everything I had read previously make me think this wouldn't work? I had also read that post from Chuck quoted in this thread by Ramsey: You could model it as a right-outer join and optional, but I think that EOF is still going to have a hissy fit when it does not find the row. Worth a try and a good bug to log with Apple if it does not work. Chuck, were you talking about something else there? (Presumably the answer is: I was mis-reading everything, and I didn't describe the problem clearly enough for Ramsey!) -- Paul. http://logicsquad.net/
Re: Inverse to-one relationships
On Jul 22, 2010, at 5:22 PM, Paul Hoadley wrote: On 23/07/2010, at 8:25 AM, Chuck Hill wrote: OK, now that we are all on the same page :-), see the JavaDocs for EOEnterpriseObject: inverseForRelationshipKey String inverseForRelationshipKey(String relationshipKey) Returns the name of the relationship pointing back to the receiver's class or entity from that named by relationshipKey, or null if there isn't one. With the access layer's EOEntity and EORelationship classes, for example, reciprocality is determined by the join attributes of the two EORelationships. EOCustomObject's implementation simply sends an inverseForRelationshipKey message to the receiver's EOClassDescription. You might override this method for reciprocal relationships that aren't defined using the same join attributes. For example, if a Member object has a relationship to CreditCard based on the card number, but a CreditCard has a relationship to Member based on the Member's primary key, both classes need to override this method. This is how Member might implement it.

    public String inverseForRelationshipKey(String relationshipKey) {
        // Name the reciprocal relationship explicitly for the "creditCard" key
        if (relationshipKey.equals("creditCard"))
            return "member";
        else
            return super.inverseForRelationshipKey(relationshipKey);
    }

Outstanding, thanks Chuck. Would you believe I got as far as the Javadocs for EOCustomObject.inverseForRelationshipKey(), and convinced myself that it didn't look like the sort of thing I should be overriding? Yes, I would. :-) If only I had clicked one more hyperlink... In any case, that works. Here are some follow-up questions: 1. It only works when I call a.addObjectToBothSidesOfRelationshipWithKey(b, "b"). (Don't get me wrong—that's great, an enormous improvement on what I was doing 5 minutes ago.) Did you add versions of this method to both entities? I've got Wonder's updateInverseRelationships property set true, but it doesn't seem to be automatically updating this relationship. (It is working as designed on others.) In fact, inverseForRelationshipKey() isn't even being called, unless I manually call addObjectToBothSidesOfRelationshipWithKey(). Is this expected? I don't know. 2. Slightly more academic: why did everything I had read previously make me think this wouldn't work? I had also read that post from Chuck quoted in this thread by Ramsey: You could model it as a right-outer join and optional, but I think that EOF is still going to have a hissy fit when it does not find the row. Worth a try and a good bug to log with Apple if it does not work. Chuck, were you talking about something else there? (Presumably the answer is: I was mis-reading everything, and I didn't describe the problem clearly enough for Ramsey!) I am pretty sure that was referring to a PK - PK relationship when the PK is propagated from the parent to the child. Chuck -- Chuck Hill
Re: Inverse to-one relationships
On 23/07/2010, at 10:20 AM, Chuck Hill wrote: 1. It only works when I call a.addObjectToBothSidesOfRelationshipWithKey(b, "b"). (Don't get me wrong—that's great, an enormous improvement on what I was doing 5 minutes ago.) Did you add versions of this method to both entities? Yes. I've got Wonder's updateInverseRelationships property set true, but it doesn't seem to be automatically updating this relationship. (It is working as designed on others.) In fact, inverseForRelationshipKey() isn't even being called, unless I manually call addObjectToBothSidesOfRelationshipWithKey(). Is this expected? I don't know. OK. I'll work around it. 2. Slightly more academic: why did everything I had read previously make me think this wouldn't work? I had also read that post from Chuck quoted in this thread by Ramsey: You could model it as a right-outer join and optional, but I think that EOF is still going to have a hissy fit when it does not find the row. Worth a try and a good bug to log with Apple if it does not work. Chuck, were you talking about something else there? (Presumably the answer is: I was mis-reading everything, and I didn't describe the problem clearly enough for Ramsey!) I am pretty sure that was referring to a PK - PK relationship when the PK is propagated from the parent to the child. Ah, OK. Well, this has all ended quite nicely. Thanks all. -- Paul. http://logicsquad.net/
Re: Does the ERXStaticResourceRequestHandler work with those compressed jarred resources?
On Jul 21, 2010, at 11:12 PM, Mike Schrag wrote: Is anybody using 5.4? It is too bad that Wonder doesn't work so well with the jar frameworks; sometimes it does, sometimes it doesn't... fixes welcome :) ms Well the following line in my Application fixes this problem:

    registerRequestHandler(requestHandlerForKey("wr"), "_wr_"); // use standard requestHandler for _wr_ key

Hmmm, maybe a new Wonder property like er.PleaseIReallyReallyWantToUseNSBundleJars=true would be a catch-all for people who really really want to use NSBundle jars, and would make this and other future-to-be-made-changes to the Wonder framework. ;) The warning: WARN er.extensions.foundation.ERXFileUtilities - Can't get path when run as jar: ERNeutralLook - Properties must be a NSBundle jar problem as well; WONDER-461?