"When you feel like a third wheel. Become a unicycle."
kktec
SCJP, SCWCD, SCJD
"What we observe is not nature itself, but nature exposed to our method of questioning." - Werner Heisenberg
I can see where this can be a turn-off, but in my mind it doesn't really seem like a bad thing. First, ActionForms are tied to the view, they are not meant to represent the model, even though we know in practice that they often do. With that in mind it makes sense that all properties are limited to Strings or booleans (or arrays of the same, or Objects composed of the same, or Collections composed of the same, etc...) since we are dealing with the request, which is only String values. In other words, you can almost look at ActionForms as an abstraction of the request. So that at least explains why they are limited to Strings and booleans.
On your second point, I personally don't like exposing the model directly to the JSP in such a manner that the model is modified directly from user input. This may be a hangup I've held over from my Perl/CGI days where variables set directly from user input were considered "tainted" and had to be handled in a specific manner.
Only validation of user input should be handled through the Struts validator framework. Validation of business rules should still be handled by independent business objects. It's a problem of implementation when developers start having validator validate business rules and is yet another symptom of tier leakage that happens in any MVC framework if the developers aren't diligent.
Thinking aloud and going back to something I mentioned earlier, I think it would be nice to see a framework with a mechanism similar to Perl's tainted mode, where all form/user input is considered "bad" until explicitly validated. Such a mechanism would require developers to properly validate prior to using that data. Sure it would add a bit of extra overhead on developers, but what we lose there we would more than make up for in security.
Originally posted by louise rochford:
Hi Chris,
We use Struts & Spring together & they work fine.
Louise
Originally posted by kri shan:
Is any open source tool available for Spring (like StrutsConsole / MyEclipse / StrutsStudio for Struts)?
Author of Test Driven (2007) and Effective Unit Testing (2013)
Neeraj Kumar, http://weblog.neeraj.name
Originally posted by Ken Krebs:
A malicious user could potentially subvert your domain object by injecting parameters for fields or properties that do not exist on the form into the HTTP request. This possibility must be dealt with by the application developer. With Struts, the ActionForm acts as a guard by requiring explicit handling of each parameter/form field. With Spring, it can be handled by customizing the setup of the object that binds the parameters to the command object properties (and its nested properties).
Originally posted by Ken Krebs:
A malicious user could potentially subvert your domain object by injecting parameters for fields or properties that do not exist on the form into the HTTP request. This possibility must be dealt with by the application developer. With Struts, the ActionForm acts as a guard by requiring explicit handling of each parameter/form field. With Spring, it can be handled by customizing the setup of the object that binds the parameters to the command object properties (and its nested properties).
Does anyone know if this is being worked on?
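The binder customization Ken Krebs describes in the quoted post, as an added example that is not part of the original thread: Spring's `DataBinder.setAllowedFields` restricts binding to the fields the form actually renders. The `Account` class, its properties and the request parameters are hypothetical and constructed for illustration; the Spring `spring-context` and `spring-beans` jars are assumed to be on the classpath.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public class AllowedFieldsDemo {

    // Hypothetical domain object used directly as the command object.
    public static class Account {
        private String displayName;
        private String email;
        private boolean admin; // never rendered on the form

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String v) { displayName = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    // Binds request parameters to a fresh Account, with or without an allow-list.
    static Account bind(Map<String, String> params, boolean restrict) {
        Account account = new Account();
        DataBinder binder = new DataBinder(account, "account");
        if (restrict) {
            // Only the fields the form renders may be set from the request.
            binder.setAllowedFields("displayName", "email");
        }
        binder.bind(new MutablePropertyValues(params));
        // Rejected parameter names are recorded and worth logging.
        String[] suppressed = binder.getBindingResult().getSuppressedFields();
        System.out.println("restrict=" + restrict + " admin=" + account.isAdmin()
                + " suppressed=" + Arrays.toString(suppressed));
        return account;
    }

    public static void main(String[] args) {
        // Constructed request: "admin" is not a field on the form.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("displayName", "Pat");
        params.put("email", "pat@example.test");
        params.put("admin", "true");

        bind(params, false); // default binder: the extra parameter sets admin
        bind(params, true);  // allow-list: admin stays false and is reported
    }
}
```

In a Spring MVC controller the same `setAllowedFields` call belongs in the controller's binder-initialization hook, so it applies to every request bound to that command object.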