You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@struts.apache.org by Si...@doi.vic.gov.au on 2003/02/26 07:54:07 UTC
problem with type validation
Hello,
It seems to us that there is a serious flaw in the struts validation - in
the RequestUtil class, the BeanUtils.populate method is called. In our
testing, this allows an erroneous value to be replaced with a default value
- for example a form class which will set a Short, and the form value
entered is text, this will result in a value of 0. This all happens when
the form bean is populated, before the server side validate() is called, or
anything else can be intercepted. No exception occurs, so no errors can be
generated. I was wondering if there is any idea about using something other
than populate() - or making sure that the BeanUtils Converters do not use
the constructors which make them enter default values....
has anyone else had this problem, it seems to mean struts is only good for
String inputs, otherwise any type conversion is not assured? Am I missing
something, is there a parameter somewhere to tell struts to do typesafe
conversions?
Regards,
Simon
**********************************************************************
Any personal or sensitive information contained in this email and
attachments must be handled in accordance with the Victorian Information
Privacy Act 2000, the Health Records Act 2001 or the Privacy Act 1988
(Commonwealth), as applicable.
This email, including all attachments, is confidential. If you are not the
intended recipient, you must not disclose, distribute, copy or use the
information contained in this email or attachments. Any confidentiality or
privilege is not waived or lost because this email has been sent to you in
error. If you have received it in error, please let us know by reply
email, delete it from your system and destroy any copies.
**********************************************************************
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-dev-help@jakarta.apache.org
Re: problem with type validation
Posted by Mohan Kishore <mo...@yahoo.com>.
Theres an 'major' open bug regarding failure of 'required' Integer fields. I
think this discussion kind of closes it...
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17156
regards,
Mohan.
--- "Craig R. McClanahan" <cr...@apache.org> wrote:
>
>
> On Wed, 26 Feb 2003 Simon.Rosin@doi.vic.gov.au wrote:
>
> > Date: Wed, 26 Feb 2003 17:54:07 +1100
> > From: Simon.Rosin@doi.vic.gov.au
> > Reply-To: Struts Developers List <st...@jakarta.apache.org>
> > To: struts-dev@jakarta.apache.org
> > Subject: problem with type validation
> >
> > Hello,
> >
> > It seems to us that there is a serious flaw in the struts validation - in
> > the RequestUtil class, the BeanUtils.populate method is called. In our
> > testing, this allows an erroneous value to be replaced with a default value
> > - for example a form class which will set a Short, and the form value
> > entered is text, this will result in a value of 0. This all happens when
> > the form bean is populated, before the server side validate() is called, or
> > anything else can be intercepted. No exception occurs, so no errors can be
> > generated. I was wondering if there is any idea about using something other
> > than populate() - or making sure that the BeanUtils Converters do not use
> > the constructors which make them enter default values....
> >
> > has anyone else had this problem, it seems to mean struts is only good for
> > String inputs, otherwise any type conversion is not assured? Am I missing
> > something, is there a parameter somewhere to tell struts to do typesafe
> > conversions?
> >
>
> As a general rule, if you are using non-String fields in your form bean,
> you are making a *huge* mistake.
>
> Form bean fields that, when you display them on the page, are rendered as
> text input fields should *always* be stored (in the form bean) as a
> String. When you get to your Action, after validations have been
> completed (so you know that the String->Numeric conversion will succeed),
> then you can use BeanUtils.copyProperties() to copy the properties from
> the form bean to some appropriate value object, with automatic conversion.
>
> As an extra added bonus, a user who types "1a3" instead of "123" into a
> text field will get the behavior they expect from any self-respecting GUI
> app -- the field will be redisplayed with exactly what they typed, so that
> they can fix it. Using a non-String field in your form bean makes that
> basically impossible.
>
> Form beans are part of the view tier in an MVC architecture, not part of
> the model tier. Trying to pretend otherwise just distorts the overall
> design and causes you nothing but grief.
>
> > Regards,
> > Simon
>
> Craig McClanahan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: struts-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: struts-dev-help@jakarta.apache.org
>
__________________________________________________
Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, more
http://taxes.yahoo.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-dev-help@jakarta.apache.org
Re: problem with type validation
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Wed, 26 Feb 2003 Simon.Rosin@doi.vic.gov.au wrote:
> Date: Wed, 26 Feb 2003 17:54:07 +1100
> From: Simon.Rosin@doi.vic.gov.au
> Reply-To: Struts Developers List <st...@jakarta.apache.org>
> To: struts-dev@jakarta.apache.org
> Subject: problem with type validation
>
> Hello,
>
> It seems to us that there is a serious flaw in the struts validation - in
> the RequestUtil class, the BeanUtils.populate method is called. In our
> testing, this allows an erroneous value to be replaced with a default value
> - for example a form class which will set a Short, and the form value
> entered is text, this will result in a value of 0. This all happens when
> the form bean is populated, before the server side validate() is called, or
> anything else can be intercepted. No exception occurs, so no errors can be
> generated. I was wondering if there is any idea about using something other
> than populate() - or making sure that the BeanUtils Converters do not use
> the constructors which make them enter default values....
>
> has anyone else had this problem, it seems to mean struts is only good for
> String inputs, otherwise any type conversion is not assured? Am I missing
> something, is there a parameter somewhere to tell struts to do typesafe
> conversions?
>
As a general rule, if you are using non-String fields in your form bean,
you are making a *huge* mistake.
Form bean fields that, when you display them on the page, are rendered as
text input fields should *always* be stored (in the form bean) as a
String. When you get to your Action, after validations have been
completed (so you know that the String->Numeric conversion will succeed),
then you can use BeanUtils.copyProperties() to copy the properties from
the form bean to some appropriate value object, with automatic conversion.
As an extra added bonus, a user who types "1a3" instead of "123" into a
text field will get the behavior they expect from any self-respecting GUI
app -- the field will be redisplayed with exactly what they typed, so that
they can fix it. Using a non-String field in your form bean makes that
basically impossible.
Form beans are part of the view tier in an MVC architecture, not part of
the model tier. Trying to pretend otherwise just distorts the overall
design and causes you nothing but grief.
> Regards,
> Simon
Craig McClanahan
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-dev-help@jakarta.apache.org