Posted to user@struts.apache.org by Bill Johnson <pe...@yahoo.com> on 2007/06/27 19:12:07 UTC

[s2] how to access page-scoped variables using

I was under the impression that the <s:property> tag
could access page-scoped variables, but it doesn't
seem to work for me.

I am using the displaytag library for creating tables
as shown here:

<display:table id="row" name="locations" requestURI="/AdminLocation.action" defaultsort="2">
  <display:column property="id" title="Id" sortable="true" headerClass="sortable"/>
  <display:column property="name" title="Name" sortable="true" headerClass="sortable"/>
  <display:column property="abbreviation" title="Abbreviation" sortable="true" headerClass="sortable"/>
  <display:column title="">id: <s:property value="row.id"/></display:column>
</display:table>

In the last column I am trying to reference the
page-scoped "row" object that is created by
displaytag. For some reason, my use of the
<s:property> tag isn't working:

<s:property value="row.id"/>

Any ideas?

I can access the page-scoped "row" object using the
following JSTL code:

<c:out value="${row.id}"/>

I'd prefer to stick to the Struts 2 tags and not have
to use JSTL if possible. I just want less libraries
involved.

-Bill


       

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: How to avoid users changing values of hidden fields using the URL?

Posted by Anton Pussep <an...@pussep.de>.
Thanks Jeff and Gorka for the competent (and fast) replies!

> if you are using Struts there is a transparent solution
> for that: HDIV

It sounds very interesting. I will surely have a closer look at it. Thanks
for the great reference!

> The rule of web applications (heck...all multi-tiered apps) is to
> NEVER EVER trust information sent by the client.

Yes, I think it is very true and this will be my policy in future.

Many thanks,
Anton


Re: How to avoid users changing values of hidden fields using the URL?

Posted by Jeff Amiel <je...@gmail.com>.
On 6/28/07, Anton Pussep <an...@pussep.de> wrote:

> I cannot see a good solution for that. A permission system just to check
> if the user is allowed to see this ID seems to be quite an overhead to
> me. Whereas storing the ID in the session is not very handy and I have
> to take care that they are removed safely.

The rule of web applications (heck...all multi-tiered apps) is to
NEVER EVER trust information sent by the client.
If a user needs to have access to a particular ID, you need to check
on every request....or store his 'privileges' in the session and check
there.  (session should timeout after period of inactivity and/or be
refreshed with new privilege data when it changes)
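
The check described in the reply above, sketched as an added example that is not part of the original thread and is not Struts code: a plain-JDK stand-in for an action class showing both options, the per-request ownership lookup and the privilege set kept in the session. The class name, session keys (`user`, `allowedIds`), result strings and sample data are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added example, not Struts code: a plain-JDK stand-in for an action class.
// All class, key and result names here are hypothetical.
public class ViewRecordAction {
    private final Map<String, Object> session;       // server-side session state
    private final Map<Long, String> ownerByRecordId; // stands in for the database
    private long id;                                 // bound from the request

    public ViewRecordAction(Map<String, Object> session, Map<Long, String> owners) {
        this.session = session;
        this.ownerByRecordId = owners;
    }

    // The framework calls this with whatever the client sent: the hidden
    // field value or a hand-edited "?id=42". It is input, not authorization.
    public void setId(long id) { this.id = id; }
    public long getId() { return id; }

    // Option 1: look up the record's owner on every request.
    public String execute() {
        Object user = session.get("user");
        boolean owns = user != null && user.equals(ownerByRecordId.get(id));
        return owns ? "success" : "denied";
    }

    // Option 2: check a privilege set that was stored in the session at login.
    public String executeFromSessionPrivileges() {
        Object allowed = session.get("allowedIds");
        boolean ok = allowed instanceof Set && ((Set<?>) allowed).contains(id);
        return ok ? "success" : "denied";
    }

    public static void main(String[] args) {
        // Constructed sample data: record 7 belongs to anton, record 42 does not.
        Map<Long, String> owners = Map.of(7L, "anton", 42L, "other-user");
        Map<String, Object> session = Map.of("user", "anton", "allowedIds", Set.of(7L));
        ViewRecordAction action = new ViewRecordAction(session, owners);

        action.setId(7L);  // value the form was rendered with
        System.out.println("id=7:  " + action.execute() + " / " + action.executeFromSessionPrivileges());
        action.setId(42L); // value changed in the URL
        System.out.println("id=42: " + action.execute() + " / " + action.executeFromSessionPrivileges());
    }
}
```

Either way the hidden field stays a convenience for the form; the decision is made from state the client cannot edit.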



How to avoid users changing values of hidden fields using the URL?

Posted by Anton Pussep <an...@pussep.de>.
Hello,

I am not sure how to deal with the problem that a user can pass his own
parameter values to the action class by changing the URL if there are
setters provided.

For example I often have a hidden field in a form that stores the ID and
the action class provides a getter and a setter. But the user can change
the ID by modifying the URL (just adding "?id=42"). The problem is that
this way he might access IDs that are not meant to be seen by him, they
might belong to other users.

I cannot see a good solution for that. A permission system just to check
if the user is allowed to see this ID seems to be quite an overhead to
me. Whereas storing the ID in the session is not very handy and I have
to take care that they are removed safely.

I am pretty sure that there is a good solution for that, I would be very
grateful for any hints!

Best,
Anton


Re: [s2] how to access page-scoped variables using

Posted by Dave Newton <ne...@yahoo.com>.
--- Jeromy Evans wrote:
> This page omits attr from the context map diagram:
> http://struts.apache.org/2.x/docs/ognl.html

Not any more (once it propagates :)

d.



       


Re: [s2] how to access page-scoped variables using

Posted by Jeromy Evans <je...@blueskyminds.com.au>.
> It's not left out (of the wiki), but I left it out of
> my head, I guess :/
>   
I know the feeling!

This page omits attr from the context map diagram:
http://struts.apache.org/2.x/docs/ognl.html

but the equivalent WW page includes it:
http://wiki.opensymphony.com/display/WW/OGNL





Re: [s2] how to access page-scoped variables using

Posted by Dave Newton <ne...@yahoo.com>.
Whoops!

What he said.

--- Jeromy Evans wrote:
> I'm unsure why this was deliberately left out of the
> duplicate pages of the S2 wiki, but it's still 
> described at WW:

It's not left out (of the wiki), but I left it out of
my head, I guess :/

http://struts.apache.org/2.x/docs/ognl-basics.html

(The weird thing is that I actually used it with a
different custom tag, but apparently promptly forgot
:)

d.



       


Re: [s2] how to access page-scoped variables using

Posted by Jeromy Evans <je...@blueskyminds.com.au>.
You can access variables in the page context using the OGNL expression 
#attr.propertyname, although I also prefer JSP EL.

I'm unsure why this was deliberately left out of the duplicate pages of 
the S2 wiki, but it's still described at WW:

See #attr at the bottom of this page:
http://cwiki.apache.org/WW/ognl-basics.html
and here:
http://wiki.opensymphony.com/display/WW/OGNL

It still worked the last time I checked.

Dave Newton wrote:
> --- Bill Johnson <pe...@yahoo.com> wrote:
>   
>> I was under the impression that the <s:property> tag
>> could access page-scoped variables, but it doesn't
>> seem to work for me.
>>     
>
> AFAIK <s:property.../> accesses the OGNL stack, not
> scoped variables.
>
> Session and request are put on the stack, but not
> page. Bear in mind if you're running on a JSP 2.0
> container you can just use JSP EL; it's in the
> container anyway.
>
> d.


Re: [s2] how to access page-scoped variables using

Posted by Dave Newton <ne...@yahoo.com>.
--- Bill Johnson <pe...@yahoo.com> wrote:
> I was under the impression that the <s:property> tag
> could access page-scoped variables, but it doesn't
> seem to work for me.

AFAIK <s:property.../> accesses the OGNL stack, not
scoped variables.

Session and request are put on the stack, but not
page. Bear in mind if you're running on a JSP 2.0
container you can just use JSP EL; it's in the
container anyway.

d.



       