I am building an application using Struts 2 and Spring. I have accessors in my Action class autowired to Spring-managed objects: either session scope (like the current user) or application (like some configuration details). I use these objects in my Action methods themselves, but I also want them available in the view, so I put getters for them in the action class.
Since I also use the params interceptor, this means that a malicious user could modify these objects using a very trivial
I thought if I used ModelDriven it would help: the params would only get mapped into the model object, not the action. But I guess I misunderstood how the value stack works. I could also remove my getConfigObj() method, but then how would I expose the object to the view?
I would appreciate any suggestions. [ December 17, 2008: Message edited by: Dan Dormont ]
If they're in scope you don't need to expose them via accessors; they're available under the #session and #application OGNL vars (explicit) or #attr (searches scopes).
You can also disallow parameters from requests via the "params" interceptor per-action or per-package. [ December 17, 2008: Message edited by: David Newton ]
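Added example, not part of the original thread: one way to apply the "params" interceptor restriction described in the reply above in struts.xml, per-package with a per-action override. The package, action and class names, the JSP paths and the currentUser property are assumptions for illustration; configObj is the property behind the getConfigObj() getter from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
  <!-- Hypothetical package; every action in it inherits guardedStack. -->
  <package name="app" namespace="/app" extends="struts-default">
    <interceptors>
      <interceptor-stack name="guardedStack">
        <interceptor-ref name="defaultStack">
          <!-- excludeParams is a comma-separated list of regexes matched
               against each request parameter name. Setting it replaces the
               list from struts-default.xml, so copy over any patterns your
               version already defines there. -->
          <param name="params.excludeParams">
            dojo\..*,configObj([.\[(].*)?,currentUser([.\[(].*)?
          </param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="guardedStack"/>

    <!-- Uses the package default: the view can still read configObj and
         currentUser through the getters, but request parameters with
         those names are not applied to the action. -->
    <action name="viewProfile" class="example.ViewProfileAction">
      <result>/WEB-INF/jsp/profile.jsp</result>
    </action>

    <!-- Action-specific bean (hypothetical reportSettings): restate the
         package patterns and add the extra one, because a per-action
         value overrides the list rather than extending it. -->
    <action name="runReport" class="example.RunReportAction">
      <interceptor-ref name="defaultStack">
        <param name="params.excludeParams">
          dojo\..*,configObj([.\[(].*)?,currentUser([.\[(].*)?,reportSettings([.\[(].*)?
        </param>
      </interceptor-ref>
      <result>/WEB-INF/jsp/report.jsp</result>
    </action>
  </package>
</struts>
```

This is a name-based denylist, so every new getter that returns a shared object needs a matching pattern; an action can instead implement ParameterNameAware and accept only the parameter names it expects.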
Joined: Dec 17, 2008
Thanks for the quick response.
Originally posted by David Newton: If they're in scope you don't need to expose them via accessors; they're available under the #session and #application OGNL vars (explicit) or #attr (searches scopes).
True, I could do that. But I'm planning to use JSP EL where I can (to cut down on tags and keep the code cleaner) and as I understood the docs # isn't supported there. Also the Spring-managed objects aren't in those scopes per se as I understand it, so I'd have to write code to add them in there, which seems clunky.
You can also disallow parameters from requests via the "params" interceptor per-action or per-package.
I'm a little nervous about the security implications on that one after reading this thread, especially since I may have some of these objects that are common and others that are action- or package-specific so I'd have to be very careful.
That aside, Spring beans scoped in web scopes *are* in the actual scope (at least session-scoped beans, which is the only webapp scope I've used Spring for).
For example, if you define a user bean in Spring as a session scope bean it'll be in session scope whether or not it's used in a Struts action--it works no matter what framework you're using. Obviously scoped beans are available via JSP EL as well.
Bear in mind also that S2 value-stack based objects are also available via JSP EL: S2 has a request wrapper that will look for beans first on the value stack, and if not found, will then use the normal scope-based attribute lookup.
Joined: Dec 17, 2008
I experimented a little more and discovered that, as you said, session-scope beans automatically show up in the action context and can be queried in the view. No need for the action class itself to expose them. Great!
So my question now is simply how to do the same with (certain) singleton-scope beans created by Spring. [ December 18, 2008: Message edited by: Dan Dormont ]