> BTW: Is the client side state encoded or encrypted somehow in Tapestry 4.0?
> I wouldn't like users to be able to mess around too easily in that
> state. As long as you could only do this with normal form fields or
> hidden fields one could mess around using plain form parameters or the
> html page itself, but if "all" state is client-side one should try to
> crypt things or people could basically stick anything in our apps.
> 

All client state for a single page is organized into a single object
that tracks triads of componentIdPath, propertyName and value.  These
triads are serialized to an ObjectOutputStream and gzip compressed
(*), then MIME encoded.  Only a very dedicated hacker would be able to
spoof that information in the URLs ... but because of HiveMind you
could create your own implementation that added some form of encoding.

(*) compression is optional; it creates parallel binary streams, one
using compression, the other not, and uses the shorter of the two. You
actually have to encode a large amount of data before compression
becomes a win, because of the overhead.
-- 
Howard M. Lewis Ship
Independent J2EE / Open-Source Java Consultant
Creator, Jakarta Tapestry
Creator, Jakarta HiveMind

Professional Tapestry training, mentoring, support
and project work.  http://howardlewisship.com
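
The message above describes the page state as serialized triads, optionally gzip-compressed, then encoded; none of those steps involves a key. The Java below is an added example, not Tapestry or HiveMind code and not part of the original message: it appends an HMAC-SHA256 tag to that kind of payload and checks it before the bytes are deserialized. The class name, the `payload.tag` token layout, the sample triads and the demo key are all assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.zip.GZIPOutputStream;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Added illustration with hypothetical names; not Tapestry's wire format or API.
public class SignedClientState {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    // Write (componentIdPath, propertyName, value) triads, optionally gzip-compressed.
    static byte[] serialize(Object[][] triads, boolean gzip) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(gzip ? new GZIPOutputStream(buf) : buf)) {
            for (Object[] t : triads) {
                out.writeUTF((String) t[0]); out.writeUTF((String) t[1]);
                out.writeObject(t[2]);
            }
        }
        return buf.toByteArray();
    }
    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }
    // Keep the shorter of the two streams, then append an HMAC tag over the exact bytes sent.
    static String encode(byte[] key, Object[][] triads) throws Exception {
        byte[] plain = serialize(triads, false), zipped = serialize(triads, true);
        byte[] payload = zipped.length < plain.length ? zipped : plain;
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(hmac(key, payload));
    }
    // Return the payload only if the tag matches; run this before any ObjectInputStream sees it.
    static byte[] verify(byte[] key, String token) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 2) throw new SecurityException("malformed state token");
        byte[] payload = Base64.getUrlDecoder().decode(p[0]);
        if (!MessageDigest.isEqual(hmac(key, payload), Base64.getUrlDecoder().decode(p[1])))
            throw new SecurityException("client state was modified");
        return payload;
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // demo only; keep the real key server-side
        Object[][] triads = { { "Home.cart", "itemCount", 3 }, { "Home.user", "role", "guest" } }; // constructed
        String token = encode(key, triads);
        System.out.println("valid token accepted, payload bytes: " + verify(key, token).length);
        try { verify(key, "A" + token.substring(1)); }           // one altered character
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The tag gives integrity only: the values remain readable by the client, so confidential state would additionally need encryption.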
