On 06/06/2010 09:50 AM, Will Hartung wrote:
> Hi.
>
> The population from the http parameters is actually used by the
> validation system. And by parameters, it really means the request.
> Specifically, say you have a field bound to an Integer, and you put
> "Fred" in the field. The Binding will fail ("Fred" is not a valid
> integer), and then send you back to the JSP. The JSP will see the
> field in the request, and repopulate it with "Fred". This is a great
> feature. As for spoofing via a fake link, that's what validation is
> for.

Think of the following scenario: There is a form for editing a certain entity stored in a database. The form contains a check box "delete this entity" with the name delete. If the check box is checked, the entity will be deleted when the user hits the save button. Now a malicious user sends a link to the form to a well-meaning user: "Could you have a look at this entity and change property x, it contains a spelling mistake: http://example.com/edit.action?delete=1". Now when the well-meaning user clicks that link, the delete check box will be checked by default, and if the user does not pay that much attention, the entity will be gone forever and everyone will be very, very startled about who deleted it... Nobody knows, maybe not even the well-intentioned user.

The simplest fix to this problem that I can think of is to only use http parameters if the request was an http POST instead of a GET. This would not do any harm to the validation system, because forms are usually sent by POST anyway and it is waaaay harder to trick well-intentioned users into making a certain POST request. Or what is your opinion on that?

> The second part is that, yes, it's bound to the Action Bean in the
> form. But, again, this really isn't a problem.
>
> Stripes advocates the "Action first" model for applications.
> Basically, you never see "page.jsp" in your URL, only "Thing.action",
> and the Action bean forwards to the JSP. So, there are few use cases
> where the form actually mismatches the action bean.

I do like the "Action first" model and I placed all my JSP files in the WEB-INF directory to make them unavailable for direct calls. But I do have more than one action bean. In this case there are two action beans involved: the FormActionBean and the SaveActionBean. The FormActionBean loads an entity from the database if an id has been supplied (to prepopulate the form) and just displays the form. But the form does not submit to the FormActionBean. Instead the data is sent to the SaveActionBean (<stripes:form beanclass="...SaveActionBean">...). I did this because at some point I got a little confused within my own code with all the @Validate(on={"foo","bar","foobar"}). To get rid of all the variable declarations that I don't need in certain methods, I started putting every method in a separate action bean. Unfortunately I discovered that this breaks the automatic population of the form. Would you consider what I am doing bad practice, and advise me to always put the method that displays the form into the same ActionBean as the method that is executed on submit?

> Regards,
> Will Hartung

Thanks,
Thomas

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
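The POST-only binding rule proposed in the thread, as an added example that is neither Stripes code nor code from either poster: a framework-agnostic Python model of the binder, with constructed request parameters and a constructed in-memory store, showing that a GET carrying `delete=1` no longer pre-checks the box while a POST whose Integer field fails binding still repopulates "Fred" for re-display. The `Entity`, `FormState` and `bind_and_validate` names are assumptions of this model.

```python
from dataclasses import dataclass, field


@dataclass
class Entity:
    id: int
    name: str
    count: int = 0


@dataclass
class FormState:
    values: dict = field(default_factory=dict)  # what the JSP would render
    errors: dict = field(default_factory=dict)  # validation errors by field
    deleted: bool = False


def bind_and_validate(method, params, entity, store):
    """Populate the edit form for `entity` from `params` (request parameters)
    and, on a valid POST, apply the save. `store` maps id -> Entity."""
    state = FormState(values={"id": entity.id, "name": entity.name,
                              "count": str(entity.count), "delete": False})
    if method.upper() != "POST":
        # GET: ignore query parameters, so edit.action?delete=1 cannot pre-check the box.
        return state
    # POST: bind every submitted field so the user sees what they typed.
    for key in ("name", "count"):
        if key in params:
            state.values[key] = params[key]
    state.values["delete"] = params.get("delete") == "1"
    # Integer-bound field: a binding failure keeps "Fred" for re-display (Will's point).
    try:
        count = int(state.values["count"])
    except ValueError:
        state.errors["count"] = f"{state.values['count']!r} is not a valid integer"
        return state
    if state.values["delete"]:
        store.pop(entity.id, None)
        state.deleted = True
        return state
    entity.name = state.values["name"]
    entity.count = count
    return state


def demo():
    """Walk through the three requests from the thread on constructed sample data."""
    store = {7: Entity(7, "widget", 3)}
    crafted_link = bind_and_validate("GET", {"delete": "1", "count": "Fred"}, store[7], store)
    bad_input = bind_and_validate("POST", {"name": "widget", "count": "Fred"}, store[7], store)
    real_delete = bind_and_validate("POST", {"name": "widget", "count": "3", "delete": "1"}, store[7], store)
    return crafted_link, bad_input, real_delete, store
```

Checking the method only defeats crafted links; a form auto-submitted from another site still reaches the POST path, so a per-session token check (omitted from this model) is needed on top of it.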