struts-dev mailing list archives
From Ted Husted <hus...@apache.org>
Subject Re: LazyActionForm
Date Thu, 01 Jul 2004 15:25:16 GMT
Since the LazyActionForm <http://www.niallp.pwp.blueyonder.co.uk/> can be validated like
any other ActionForm, I don't see the basis for a technical objection. In the documentation,
we would want to *strongly* recommend using the validated version, and remind people it is
a *bad* practice to pass an ActionForm to the model. They should populate another object from
the validated ActionForm and then pass that along (which provides the second layer of firewall).
IMHO, the LazyActionForm may encourage better practices, since people will not be so tempted
to use ActionForms as model objects, if they don't have to define things twice (or at least
seem to).

Personally, I think validation and population should be strongly coupled, as it is with the
FormProc component (formproc.sf.net). We now treat them as separate steps, but one begs the
other. What's missing is an "optional" validator that would let us specify a field that may
or may not be present. Then, we could populate only the properties that are specified by the
validator form.  

So, if we did want to make the LazyValidatorForm secure, one solution would be to add an "optional"
validator. Only the fields specified by a required or optional validator would be accepted,
others would be ignored (as they are now). People would not have to specify the fields in
the struts-config *and* in the validations.xml, but they would still have to specify them
all in validations.xml.

-Ted.
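As an added illustration of the two population strategies discussed in this thread (this is not Niall's LazyActionForm code nor anything from Struts; the class, the `Rule` enum and the `Profile` model are hypothetical names chosen for the example, and the request parameters are constructed), the following plain-Java program contrasts lazy population, where every request parameter becomes a form property, with population driven by a required/optional validator definition, where undeclared parameters are dropped before they can reach the model. It also shows the second "firewall" Ted mentions: copying explicitly from the validated form into a separate model object.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not Struts code: lazy population versus validator-driven population.
 * A request is modelled as Map<String, String[]>, the shape of
 * ServletRequest.getParameterMap(), and a form as a simple Map<String, String>.
 */
public class FormPopulation {

    /** Hypothetical validator rule: a field must be present, or may be present. */
    enum Rule { REQUIRED, OPTIONAL }

    /** Lazy population: every request parameter becomes a form property, declared or not. */
    static Map<String, String> populateLazily(Map<String, String[]> request) {
        Map<String, String> form = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : request.entrySet()) {
            if (e.getValue() != null && e.getValue().length > 0) {
                form.put(e.getKey(), e.getValue()[0]);
            }
        }
        return form;
    }

    /**
     * Validator-driven population: only fields named by a REQUIRED or OPTIONAL rule are
     * copied; a missing REQUIRED field is reported as an error; everything else is ignored.
     */
    static Map<String, String> populateFromValidators(Map<String, String[]> request,
                                                      Map<String, Rule> validators,
                                                      List<String> errors) {
        Map<String, String> form = new LinkedHashMap<>();
        for (Map.Entry<String, Rule> v : validators.entrySet()) {
            String[] values = request.get(v.getKey());
            if (values == null || values.length == 0 || values[0].isEmpty()) {
                if (v.getValue() == Rule.REQUIRED) {
                    errors.add(v.getKey() + " is required");
                }
                continue; // OPTIONAL field absent: simply not populated
            }
            form.put(v.getKey(), values[0]);
        }
        return form; // undeclared parameters never entered the form
    }

    /** Hypothetical model object; note it has no setter the form could reach by name. */
    static class Profile {
        String username;
        String email;
        boolean admin; // only ever set by application code, never from a request
    }

    /** Second firewall: copy property by property from the validated form into the model. */
    static Profile toModel(Map<String, String> validatedForm) {
        Profile p = new Profile();
        p.username = validatedForm.get("username");
        p.email = validatedForm.get("email");
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample request: a profile edit carrying one parameter the page never offered.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("username", new String[] {"alice"});
        request.put("email", new String[] {"alice@example.org"});
        request.put("admin", new String[] {"true"});

        // Constructed validator definition, standing in for a validation.xml form entry.
        Map<String, Rule> validators = new LinkedHashMap<>();
        validators.put("username", Rule.REQUIRED);
        validators.put("email", Rule.REQUIRED);
        validators.put("nickname", Rule.OPTIONAL);

        System.out.println("lazy form:      " + populateLazily(request));

        List<String> errors = new ArrayList<>();
        Map<String, String> validated = populateFromValidators(request, validators, errors);
        System.out.println("validated form: " + validated + " errors=" + errors);

        Profile p = toModel(validated);
        System.out.println("model: username=" + p.username + " email=" + p.email + " admin=" + p.admin);
    }
}
```

Run with `javac FormPopulation.java && java FormPopulation`. The lazy form ends up holding all three parameters, while the validator-driven form holds only `username` and `email`; the `admin` parameter is discarded at population time and, because `toModel` copies named properties rather than iterating the form, it could not reach the model even if the form had retained it.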

On Wed, 30 Jun 2004 04:35:52 +0100, Niall Pemberton wrote:
> I'm happy to put it into Struts but other committers may object on
> the basis that one of the ActionForm's functions is to act as a
> 'firewall' between the Request and the Action - the
> 'LazyActionForm' circumvents this with all the request parameters
> being populated into it. In my Actions I only take out of them what
> I expect to be there - if you do that it's not an issue, but anyone
> who just passed on whatever's in there straight on to their model
> would leave themselves open to attack.
>
> Also the LazyDynaBean/LazyDynaClass objects that the "Lazy"
> ActionForm depends on are more suited to the beanutils project -
> maybe the first step would be to submit these classes to beanutils
> and see if they are happy to accept them.
>
> Niall
>
>
> ----- Original Message -----
> From: "Matthias Wessendorf" <mailings@matthias-wessendorf.de>
> To: <dev@struts.apache.org>
> Sent: Tuesday, June 29, 2004 2:22 PM
> Subject: LazyActionForm
>
>
>> Hello,
>>
>> are there plans to integrate the LazyActionForm from
>> Niall Pemberton into Struts (or into contrib)?
>>
>> Since Niall is a committer and it is useful
>> to have that functionality *directly* in the framework...
>>
>> regards,
>> Matthias
>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

