Posted to dev@struts.apache.org by Paul Benedict <pb...@apache.org> on 2012/08/05 07:34:32 UTC

Serializing the ValueStack on a redirect

I don't think this feature exists but it does in Tapestry (and
probably .NET). It should be possible to serialize the ValueStack on a
redirect, pass it as a 64-bit encoded key, and deserialize it. This
would facilitate greater Redirect-After-Post patterns that require
data points to still be active.

Thoughts?

Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


RE: Serializing the ValueStack on a redirect

Posted by Martin Gainty <mg...@hotmail.com>.

Good morning Phil,

On a redirect the existing session is discarded and a new session is established by the client browser, so how would reading the previously serialised (VS parameters) help with the new session?

Thanks,
Martin 


> From: philip.luppens@gmail.com
> Date: Sun, 5 Aug 2012 08:42:00 +0200
> Subject: Re: Serializing the ValueStack on a redirect
> To: dev@struts.apache.org
> 
> On Sun, Aug 5, 2012 at 7:34 AM, Paul Benedict <pb...@apache.org> wrote:
> 
> > I don't think this feature exists but it does in Tapestry (and
> > probably .NET). It should be possible to serialize the ValueStack on a
> > redirect, pass it as a 64-bit encoded key, and deserialize it. This
> > would facilitate greater Redirect-After-Post patterns that require
> > data points to still be active.
> >
> > Thoughts?
> >
> 
> I find it an intriguing idea, but wouldn't it imply a serialisation of the
> entire object graph that is attached to your root object and hence a
> security risk by exposing certain variables?
> 
> Isn't this something that is already possible with the 'flash' scope? Or
> does this approach offer certain benefits?
> 
> Cheers,
> 
> Phil
> 
> 
> >
> > Paul
> >
> >
> >
> 
> 
> -- 
> "We cannot change the cards we are dealt, just how we play the hand." -
> Randy Pausch

Re: Serializing the ValueStack on a redirect

Posted by Lukasz Lenart <lu...@apache.org>.
2012/8/6 Philip Luppens <ph...@gmail.com>:
> Just a quick remark: wouldn't a specialised object be a better approach for
> this, rather than the entire ValueStack? It seems to me this can get pretty
> huge and therefore impact performance/scaling more than the session-based
> approach. Having a custom object serialised allows for better control, and
> I doubt you'd need everything kept in the ValueStack on your
> Redirect-After-Post (I might be wrong about that one, but we've been either
> storing some minimal info in the flash scope, or adding it as a request
> parameter, and it seemed to be 'good enough').

Yeah, it would be better and thus could also solve other problems like
storing the entire VS on Wait-and-Execute or Token handling. Will add a
task for that.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Serializing the ValueStack on a redirect

Posted by Philip Luppens <ph...@gmail.com>.
On Sun, Aug 5, 2012 at 5:17 PM, Paul Benedict <pb...@apache.org> wrote:

> Philip,
>
> On Sun, Aug 5, 2012 at 1:42 AM, Philip Luppens <ph...@gmail.com>
> wrote:
> > On Sun, Aug 5, 2012 at 7:34 AM, Paul Benedict <pb...@apache.org>
> wrote:
> >
> >> I don't think this feature exists but it does in Tapestry (and
> >> probably .NET). It should be possible to serialize the ValueStack on a
> >> redirect, pass it as a 64-bit encoded key, and deserialize it. This
> >> would facilitate greater Redirect-After-Post patterns that require
> >> data points to still be active.
> >>
> >> Thoughts?
> >>
> >
> > I find it an intriguing idea, but wouldn't it imply a serialisation of
> the
> > entire object graph that is attached to your root object and hence a
> > security risk by exposing certain variables?
>
> Yes, you would have to serialize what's in the ValueStack. This would
> be a given. However, a decent programmer should know what he is about
> to do by enabling this kind of feature -- probably via a new
> interceptor. With regards to security, the contents definitely require
> encryption. Base64 encoding isn't stealth.


> > Isn't this something that is already possible with the 'flash' scope? Or
> > does this approach offer certain benefits?
> >
> > Cheers,
> >
> > Phil
>
> Yes, it is a type of flash scope. The only difference is that it's not
> dependent on a user's session.
> https://issues.apache.org/jira/browse/WW-2635


Just a quick remark: wouldn't a specialised object be a better approach for
this, rather than the entire ValueStack? It seems to me this can get pretty
huge and therefore impact performance/scaling more than the session-based
approach. Having a custom object serialised allows for better control, and
I doubt you'd need everything kept in the ValueStack on your
Redirect-After-Post (I might be wrong about that one, but we've been either
storing some minimal info in the flash scope, or adding it as a request
parameter, and it seemed to be 'good enough').

My 2 cents,

Phil


>
>
> Paul
>
>
>


-- 
"We cannot change the cards we are dealt, just how we play the hand." -
Randy Pausch

Re: Serializing the ValueStack on a redirect

Posted by Paul Benedict <pb...@apache.org>.
Philip,

On Sun, Aug 5, 2012 at 1:42 AM, Philip Luppens <ph...@gmail.com> wrote:
> On Sun, Aug 5, 2012 at 7:34 AM, Paul Benedict <pb...@apache.org> wrote:
>
>> I don't think this feature exists but it does in Tapestry (and
>> probably .NET). It should be possible to serialize the ValueStack on a
>> redirect, pass it as a 64-bit encoded key, and deserialize it. This
>> would facilitate greater Redirect-After-Post patterns that require
>> data points to still be active.
>>
>> Thoughts?
>>
>
> I find it an intriguing idea, but wouldn't it imply a serialisation of the
> entire object graph that is attached to your root object and hence a
> security risk by exposing certain variables?

Yes, you would have to serialize what's in the ValueStack. This would
be a given. However, a decent programmer should know what he is about
to do by enabling this kind of feature -- probably via a new
interceptor. With regards to security, the contents definitely require
encryption. Base64 encoding isn't stealth.

> Isn't this something that is already possible with the 'flash' scope? Or
> does this approach offer certain benefits?
>
> Cheers,
>
> Phil

Yes, it is a type of flash scope. The only difference is that it's not
dependent on a user's session.
https://issues.apache.org/jira/browse/WW-2635

Paul



Re: Serializing the ValueStack on a redirect

Posted by Philip Luppens <ph...@gmail.com>.
On Sun, Aug 5, 2012 at 7:34 AM, Paul Benedict <pb...@apache.org> wrote:

> I don't think this feature exists but it does in Tapestry (and
> probably .NET). It should be possible to serialize the ValueStack on a
> redirect, pass it as a 64-bit encoded key, and deserialize it. This
> would facilitate greater Redirect-After-Post patterns that require
> data points to still be active.
>
> Thoughts?
>

I find it an intriguing idea, but wouldn't it imply a serialisation of the
entire object graph that is attached to your root object and hence a
security risk by exposing certain variables?

Isn't this something that is already possible with the 'flash' scope? Or
does this approach offer certain benefits?

Cheers,

Phil


>
> Paul
>
>
>


-- 
"We cannot change the cards we are dealt, just how we play the hand." -
Randy Pausch