I guess you could use this badly and create such a hole - but the problem wouldn't be with LazyDynaBean, but with how you are using it.

If you have an action that doesn't validate what's in the ActionForm and takes whatever is in there and updates your model then you've got a problem. If I had an "update customer name" action, then my action will only take the customer name from the ActionForm and update the model - if some smart hack has also populated a "creditLimit" property - so what, I don't do anything with it in my action, so there is no harm done.

An alternative to my LazyDynaBeans is the "formDef" stuff that Hubert Rabago has done - this takes a different approach to the same kind of issues I was trying to address with my Lazy stuff. He basically has combined and extended form definitions from struts-config.xml and validation.xml and probably wouldn't have the same kind of issue you are raising:

FormDef pages and downloads:
http://www.rabago.net/struts/formdef

An introduction manual is also available at
http://www.rabago.net/struts/formdef/manual.htm

Niall

----- Original Message -----
From: "Erez Efrati" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 3:25 PM
Subject: RE: Populating form Elements from another object.

It looks cool, still there's a problem of being open to small nasty attacks.
Since the set() method adds fields dynamically, it would do it also upon properties population. So, when a request comes loaded with fields that never should have been sent, the lazyDynaBean would add them, thus creating a small hole of security.

What do you think?

Erez

-----Original Message-----
From: Niall Pemberton [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 10, 2004 5:20 PM
To: Struts Users Mailing List
Subject: Re: Populating form Elements from another object.

That's it exactly.

I have updated my web page with examples for LazyBean and LazyValidatorActionForm processing:

http://www.niallp.pwp.blueyonder.co.uk

Niall

----- Original Message -----
From: "Mark Lowe" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 8:16 AM
Subject: Re: Populating form Elements from another object.

> Again I haven't used Niall's classes but I'd hazard a guess that as
> they extend DynaBean that you use the map-like interface for accessing
> these properties. In fact I imagine you can cast them as a DynaBean
> like you can with the DynaActionForms
>
> DynaBean myForm = (DynaBean) form;
> String foo = myForm.get("foo").toString();
>
> On 9 Mar 2004, at 20:27, Metin Carl wrote:
>
> > This is really good. An example of processing this form in Action
> > classes would be very useful too as the way Shanmugam needs.
> >
> > "Niall Pemberton" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> >> Yup, that's it - plus dynamic="true"
> >>
> >> <form-bean name="fooForm1"
> >> type="lib.framework.struts.LazyValidatorActionForm" dynamic="true" />
> >> <form-bean name="fooForm2"
> >> type="lib.framework.struts.LazyValidatorActionForm" dynamic="true" />
> >> <form-bean name="fooForm3"
> >> type="lib.framework.struts.LazyValidatorActionForm" dynamic="true" />
> >> <form-bean name="fooForm4"
> >> type="lib.framework.struts.LazyValidatorActionForm" dynamic="true" />
> >>
> >> Oh, I noticed an error in LazyValidatorForm, it's declared as
> >> "abstract" - which it shouldn't be - I don't use it directly, I use
> >> LazyValidatorActionForm which extends it.
> >>
> >> Niall
> >>
> >> ----- Original Message -----
> >> From: "Mark Lowe" <[EMAIL PROTECTED]>
> >> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> >> Sent: Tuesday, March 09, 2004 8:53 AM
> >> Subject: Re: Populating form Elements from another object.
> >>
> >>> I haven't seen the code but if what I understand of what Niall has
> >>> been saying you'd use them instead of DynaActionForm.
> >>>
> >>> <form-bean name="fooForm" type="com.ilovesparrows.struts.NiallsForm" />
> >>>
> >>> of course you'll need to call the package and class name to something
> >>> appropriate.
> >>>
> >>> On 9 Mar 2004, at 09:47, shanmugampl wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I saw your code. I have one doubt. How do you plug in your own
> >>>> DynaBean implementation into the struts framework.
> >>>>
> >>>> Shanmugam PL
> >>>>
> >>>> Niall Pemberton wrote:
> >>>>
> >>>>> I wrote these....
> >>>>>
> >>>>> http://www.niallp.pwp.blueyonder.co.uk
> >>>>>
> >>>>> Niall
> >>>>>
> >>>>> ----- Original Message -----
> >>>>> From: "shanmugampl" <[EMAIL PROTECTED]>
> >>>>> To: <[EMAIL PROTECTED]>
> >>>>> Sent: Wednesday, February 25, 2004 7:00 AM
> >>>>> Subject: Populating form Elements from another object.
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I have a requirement where I need to populate the values of a
> >>>>>> form from another object, and then again transform the contents of
> >>>>>> the form back to the object once the form is submitted. i.e. Say,
> >>>>>> when I click a button, I do some functionalities and have a
> >>>>>> Properties object as an output. The keys in the Properties object
> >>>>>> are not static. These values need to be shown in a form. As the keys
> >>>>>> retrieved for the current operation are not known, I can't define the
> >>>>>> values in the struts-config.xml for the dynaactionclass.
> >>>>>>
> >>>>>> Is it possible to extend the dynaactionclass, and during its
> >>>>>> init or something, iterate the properties object and populate the
> >>>>>> form. Are there any other ways of doing it.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Shanmugam PL
> >>>>>>
> >>>>>> ---------------------------------------------------------------------
> >>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
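The exchange above turns on one distinction: a lazily populated form will accept any parameter name the client sends, so whether that becomes a hole depends on what the action does with the form afterwards. The following is an added example, not code from this thread, from Niall's web page or from FormDef. It uses the LazyDynaBean and LazyDynaClass shipped in Commons BeanUtils as a stand-in for the LazyValidatorActionForm discussed here, a hypothetical Customer model, and a constructed parameter map in place of the servlet request. It shows the over-posted "creditLimit" landing on the form, an action that copies the whole form onto the model (the problem Erez describes), the "update customer name" action that reads only the field it owns (Niall's answer), and, as a second line of defence, a form whose DynaClass is restricted so unexpected names are never added at all.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.LazyDynaBean;
import org.apache.commons.beanutils.LazyDynaClass;

/**
 * Over-posting against a lazily populated form. Stand-in classes: the
 * LazyDynaBean/LazyDynaClass from Commons BeanUtils, not the ones on Niall's page.
 */
public class OverPostingDemo {

    /** Hypothetical domain object; creditLimit must only change through a privileged path. */
    public static class Customer {
        private String customerName;
        private int creditLimit;
        public String getCustomerName() { return customerName; }
        public void setCustomerName(String customerName) { this.customerName = customerName; }
        public int getCreditLimit() { return creditLimit; }
        public void setCreditLimit(int creditLimit) { this.creditLimit = creditLimit; }
    }

    /** What the request processor effectively does: copy every request parameter onto the form. */
    static LazyDynaBean populateLazyForm(Map<String, String> requestParams) throws Exception {
        LazyDynaBean form = new LazyDynaBean();
        BeanUtils.populate(form, requestParams); // names the form never declared are added as new properties
        return form;
    }

    /** Same population, but the form declares its fields first and is then locked. */
    static LazyDynaBean populateRestrictedForm(Map<String, String> requestParams) throws Exception {
        LazyDynaClass dynaClass = new LazyDynaClass();
        dynaClass.add("customerName", String.class); // the only field this form should carry
        dynaClass.setRestricted(true);              // no further properties may be added
        LazyDynaBean form = new LazyDynaBean(dynaClass);
        BeanUtils.populate(form, requestParams);    // "creditLimit" is not a known property and is skipped
        return form;
    }

    /** Vulnerable action: copies whatever arrived on the form straight onto the model. */
    static void updateCustomerUnsafe(Customer customer, LazyDynaBean form) throws Exception {
        BeanUtils.copyProperties(customer, form); // also copies the injected creditLimit
    }

    /** Safe "update customer name" action: reads only the field it is responsible for. */
    static void updateCustomerName(Customer customer, LazyDynaBean form) {
        customer.setCustomerName((String) form.get("customerName"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the attacker adds a parameter the real HTML form never sends.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("customerName", "Acme Ltd");
        request.put("creditLimit", "1000000");

        LazyDynaBean lazyForm = populateLazyForm(request);
        System.out.println("lazy form carries creditLimit: " + (lazyForm.get("creditLimit") != null));

        Customer victim = new Customer();
        victim.setCreditLimit(500);
        updateCustomerUnsafe(victim, lazyForm);
        System.out.println("copy-everything action, creditLimit now: " + victim.getCreditLimit());

        Customer safe = new Customer();
        safe.setCreditLimit(500);
        updateCustomerName(safe, lazyForm);
        System.out.println("field-by-field action, creditLimit still: " + safe.getCreditLimit());

        LazyDynaBean restricted = populateRestrictedForm(request);
        System.out.println("restricted form carries creditLimit: " + (restricted.get("creditLimit") != null));
        System.out.println("restricted form customerName: " + restricted.get("customerName"));
    }
}
```

The two defences are independent: the field-by-field action keeps the extra property harmless even when the form accepted it, and the restricted DynaClass keeps the extra property off the form even if some action later copies properties wholesale. With a form whose field set is genuinely unknown in advance (Shanmugam's original case) only the first defence is available, so every action consuming such a form has to name the properties it writes back to the model.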

