I found a way to address the security issues when the navigation path is to and from the same JSP. I use a converter where getAsString encrypts and encodes the id on the way out, and getAsObject decodes and decrypts the string coming in. This, however, can't be used when navigating from one view to the next.
If anyone has ideas on the first problem, do not be shy.

---- Original message ----
>Date: Fri, 26 Aug 2005 15:31:52 -0400
>From: Mike Kienenberger <[EMAIL PROTECTED]>
>Subject: Re: Dealing with links/buttons to fire off an action? confusion on how to set this up
>To: MyFaces Discussion <[email protected]>
>
>Nothing comes to mind, but allowing the end-user to specify the target
>record by key (generally a database primary key) may cause security
>issues. You'll have to validate the suitability of key provided when
>used.
>
>On 8/26/05, Dennis Byrne <[EMAIL PROTECTED]> wrote:
>> Do you know of any way to do this if the underlying DataModel
>> is in a property of a request scoped bean and you
>> couldn't use preserveDataModel="true", t:saveState, or any
>> other things beyond the spec itself ? I am in such a
>> situation and the only solution I see at this time is using
>> f:param in the JSP and server side manual request parsing.
>>
>> ---- Original message ----
>> >Date: Fri, 26 Aug 2005 15:19:17 -0400
>> >From: Mike Kienenberger <[EMAIL PROTECTED]>
>> >Subject: Re: Dealing with links/buttons to fire off an action? confusion on how to set this up
>> >To: MyFaces Discussion <[email protected]>
>> >
>> >You can also use dataTable.getRowData(), provided your model data is
>> >consistent, and then you don't need to create or pass a parameter.
>> >
>> >    public void editRecord(ActionEvent event)
>> >    {
>> >        dataStore.editRecord(dataTable.getRowData());
>> >    }
>> >
>> >On 8/26/05, Patel, Hitesh (Exchange) <[EMAIL PROTECTED]> wrote:
>> >>
>> >> You can pass the parameter as you have done and get the value of the
>> >> parameter as follows
>> >>
>> >> FacesContext.getCurrentInstance().getExternalContext().getRequestParameterMap().get("empID");
>> >>
>> >> ________________________________
>> >>
>> >> From: Rick Reumann [mailto:[EMAIL PROTECTED]
>> >> Sent: Friday, August 26, 2005 2:49 PM
>> >> To: MyFaces Discussion
>> >> Subject: Dealing with links/buttons to fire off an action? confusion on how to set this up
>> >>
>> >> I was wondering how to do something that I would think would be a common
>> >> situation, yet I'm not finding any examples at the moment...
>> >>
>> >> scenario:... list of employees. You want to be able to click on one of the
>> >> employees and go to an "editEmployee" backing bean method that would
>> >> retrieve the employee based on the id of the employee in the list.
>> >>
>> >> I'm used to doing this with a simple link John Doe <a href="/myApp/setUpForEdit?employeeID=4355">Edit</a>
>> >>
>> >> With JSF I'm not so sure about how to do this. My JSF book mentions briefly
>> >> about passing in f:param in commandLink but doesn't show how to retrieve
>> >> this param.
>> >>
>> >> As a side note I find this very interesting, I was testing by using a
>> >> DataTable and providing a commandLink next to each employee for each row...
>> >>
>> >> <h:commandLink value="Edit" action="#{employee.editAction}">
>> >>     <f:param name="empID" value="#{emp.id}"/>
>> >> </h:commandLink>
>> >>
>> >> One of the odd/interesting things is that when I cycle through and print
>> >> out the Request parameters I noticed that I'm getting a single parameter
>> >> (assuming a map) that actually has the Employee info that I'm concerned with
>> >> (2nd one):
>> >>
>> >> 8/26/05 02:28:55 PM DEBUG net.reumann.Employee editAction - param = [EMAIL PROTECTED]
>> >> 08/26/05 02:28:55 PM DEBUG net.reumann.Employee editAction - param = id: 3, name: Rachel, age: 26
>> >> 08/26/05 02:28:55 PM DEBUG net.reumann.Employee editAction - param = /employees.jsp
>> >>
>> >> That second entry *does* correspond to the button I clicked but not sure how
>> >> I'm supposed to get a handle to the id (actually I'm not even sure how the
>> >> heck that got into the request based on the commandLink I set up)?
>> >>
>> >> Also the f:param "empID" is *not* seen as a request parameter when I loop
>> >> over them.
>> >>
>> >> What is the typical procedure for providing a link or button to click on
>> >> that isn't part of a form but should fire off an action method that will
>> >> look up something based on parameter(s) ?
>> >>
>> Dennis Byrne
>> Dennis Byrne
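
The converter approach described at the top of this message (getAsString encrypts and encodes the id, getAsObject decodes and decrypts it), as an added example that is not code from the thread. It uses AES-GCM so that a modified token is rejected instead of decrypting to a different id; the class name `SealedIdConverter`, the per-JVM random key and the `javax.faces` package names (JSF 1.x/2.x on a current JDK) are assumptions.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.convert.Converter;
import javax.faces.convert.ConverterException;

/** Hypothetical converter: renders a Long id as an opaque, tamper-evident token. */
public class SealedIdConverter implements Converter {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumption: key generated per JVM, so tokens stop working after a restart.
    private static final SecretKeySpec KEY = new SecretKeySpec(randomBytes(16), "AES");

    private static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        return b;
    }

    public String getAsString(FacesContext ctx, UIComponent c, Object value) {
        try {
            byte[] iv = randomBytes(12); // fresh nonce for every rendered token
            Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
            aes.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(128, iv));
            byte[] ct = aes.doFinal(ByteBuffer.allocate(8).putLong((Long) value).array());
            byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
            return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
        } catch (GeneralSecurityException e) {
            throw new ConverterException("cannot seal id", e);
        }
    }

    public Object getAsObject(FacesContext ctx, UIComponent c, String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
            aes.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(128, in, 0, 12));
            byte[] pt = aes.doFinal(in, 12, in.length - 12); // throws if the tag does not verify
            return ByteBuffer.wrap(pt).getLong();
        } catch (GeneralSecurityException | RuntimeException e) {
            // Tampered, truncated, malformed or foreign token: fail conversion, never guess an id.
            throw new ConverterException("rejected id token", e);
        }
    }
}
```

A token that decrypts correctly only proves the server issued it; the action that loads the record still has to validate that the key is suitable for the current user, as the quoted reply points out.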

