
How are Struts action forms stored?

 
Arun
Ranch Hand
Posts: 40
Hello,
I have an action mapping that defines a form with name="abcForm" and says scope="session". I would like to know how struts saves this form in the session.

I assume it is stored as an attribute. Is it stored under some simple key like the form name? If so, then if I do a session.setAttribute("abcForm", someObj), will that overwrite the form bean that Struts has stored in the session?

I am trying to find out whether a user could accidentally overwrite the Struts action form bean.

Thanks.
 
Pranav Sharma
Ranch Hand
Posts: 258
From what I know, Struts adds it as an attribute. The attribute name comes from the ActionMapping. Struts uses the form bean "name" attribute you add to the action-mapping in the config file.

To get the name you could get it in action by:
mapping.getAttribute()
 
Jason Menard
Sheriff
Posts: 6450
"linoops",

Welcome to JavaRanch. We don't have many rules here, but we do have a naming policy which we try to strictly enforce. Please re-read this document and edit your display name in order to comply. Thanks in advance, and we look forward to seeing you around the Ranch.
 
Marc Peabody
pie sneak
Sheriff
Posts: 4727
mannu is correct.

I believe that when Struts checks the parameter for a form, it checks to see if it is of the correct ActionForm type. If it isn't the correct type, it makes the correct ActionForm and sets the attribute.

You should have no worries of a user spoofing parameters or attributes.
 
Arun
Ranch Hand
Posts: 40
Thank you for your replies. I am not concerned about the user spoofing attributes, but wondering if a programmer could mess the application by using the form name for some attribute he wants to store in session scope.

For example, say I have an action that uses a form name 'abcForm' and Struts works with this form and sets data into the form and stores it in the session as an attribute under the name 'abcForm'.
Say some developer in some other part of the application does a session.setAttribute("abcForm","Just a string object"). If this gets invoked while my action is working on the Struts form, could that lead to a potential conflict? Does Struts store action forms under some key like struts.abcForm instead of just abcForm to avoid such a situation?

Regards.
 
Jason Menard
Sheriff
Posts: 6450
"Arun",

Thanks for your attempt to comply with our naming policy. Unfortunately your name is still not in compliance. Specifically, you must have a valid first name and a valid last name, and neither of these names may be obviously fictitious. If you have any questions on our naming policy or don't understand something you read in the document I pointed you towards previously, please feel free to bring up the issue in the JavaRanch forum. Thanks again.
 
Marc Peabody
pie sneak
Sheriff
Posts: 4727
Originally posted by Arun:
Thank you for your replies. I am not concerned about the user spoofing attributes, but wondering if a programmer could mess the application by using the form name for some attribute he wants to store in session scope.

For example, say I have an action that uses a form name 'abcForm' and Struts works with this form and sets data into the form and stores it in the session as an attribute under the name 'abcForm'.
Say some developer in some other part of the application does a session.setAttribute("abcForm","Just a string object"). If this gets invoked while my action is working on the Struts form, could that lead to a potential conflict? Does Struts store action forms under some key like struts.abcForm instead of just abcForm to avoid such a situation?

Regards.


A programmer could "mess it up" but such a mistake would be blaringly obvious. It should not be of concern, especially if the names follow a unique convention in the struts-config, such as all ending in "Form" (i.e. employeeForm, accountForm).

But now that you mention it, I'd like to show you a simple trick I like to use for other purposes:

I have the above code in a parent ActionForm that all other ActionForms extend. This automatically places every ActionForm under the request attribute of "form" in addition to its struts-config name. I like this because it makes my JSPs and especially their JSTL tags easier to write, read, and maintain.

Notice that I made a new hook method called doReset() to be used for the scenarios that I would previously call reset().
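
Added example, not part of the original thread and not Struts source: a simplified Java model of the reuse-or-recreate behaviour described in the replies above, showing what the key collision Arun asks about costs (the form's accumulated state is lost, and the other component finds a form object where it stored a String). The Map standing in for the session, the `lookupOrCreateForm` helper, the `AbcForm` class and the `com.example.report.title` key are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the behaviour described in this thread; not Struts source.
// A Map stands in for HttpSession, AbcForm for a session-scoped ActionForm.
public class FormKeyCollision {

    static class AbcForm {
        String customerId; // state accumulated across requests
    }

    // Hypothetical helper: reuse the object stored under the mapping's attribute
    // name only if it has the expected type, otherwise create and store a new one.
    static AbcForm lookupOrCreateForm(Map<String, Object> session, String attribute) {
        Object existing = session.get(attribute);
        if (existing instanceof AbcForm) {
            return (AbcForm) existing;
        }
        AbcForm fresh = new AbcForm();
        session.put(attribute, fresh);
        return fresh;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();

        // Request 1: the action populates the session-scoped form.
        AbcForm form = lookupOrCreateForm(session, "abcForm");
        form.customerId = "C-1001"; // constructed sample value

        // Unrelated code reuses the same key for its own data.
        session.put("abcForm", "Just a string object");

        // Request 2: wrong type under the key, so a fresh, empty form replaces it.
        AbcForm next = lookupOrCreateForm(session, "abcForm");
        System.out.println("same form instance reused: " + (next == form));
        System.out.println("customerId after collision: " + next.customerId);

        // The other component now finds a form where it stored a String.
        Object theirs = session.get("abcForm");
        System.out.println("other component still sees its String: " + (theirs instanceof String));

        // Mitigation: non-form session data lives under a namespaced key (hypothetical name).
        session.put("com.example.report.title", "Just a string object");
        AbcForm kept = lookupOrCreateForm(session, "abcForm");
        System.out.println("form survives namespaced write: " + (kept == next));
    }
}
```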
 