Posted to users@myfaces.apache.org by Dennis Byrne <de...@dbyrne.net> on 2005/08/06 08:09:25 UTC
converter chains 4 security
In web services, there is a notion of message handlers.
Message handlers can be chained to each request and
response. For example, if a web service client sends a
request, it is handed to MessageHandler1 which can encrypt the
message, and then to MessageHandler2 which can encode it. On
the receiving end, MessageHandler2 decodes the message and
MessageHandler1 decrypts the message.
I want to do something similar with converters. Currently,
there are many places in my project where an ID is passed
back and forth between the browser and the web app. In
between the browser and the backer, the converter passes this
value to an OR framework which hands back an object graph
(after it has gone to the DB). I would imagine there are
lots of apps like this. However, this means a script kiddie
can instantiate any instance they wish w/ the correct primary
key.
What I want to do is daisy chain converters. Before a
response is rendered, an object is passed to Converter1,
which turns it into a string. The string is then handed to
Converter2, where the string is encrypted. When the request
comes back, Converter2 decrypts the string before it is
passed to Converter1 which will convert this into an object.
I COULD write an encryption decorator for ALL my converters.
Is there any way, as in J2EE web services, that I can
declaratively chain converters? I want to treat my backing
bean as though it were what is called a "service endpoint".
As more AJAX components are written, I think backing beans
are going to become more like service endpoints.
Dennis Byrne
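
The chain described in the post above, sketched as a decorator (an added example, not code from the original post or from MyFaces). StringConverter is a hypothetical stand-in for javax.faces.convert.Converter, the class names and the sample ID are constructed, and AES-GCM is used so that an edited token is rejected rather than decrypted to a different ID.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class ConverterChainDemo {
    // Hypothetical stand-in for javax.faces.convert.Converter, reduced to its two directions.
    interface StringConverter { String asString(Object o) throws Exception; Object asObject(String s) throws Exception; }
    // "Converter1": object <-> plain ID string (here a Long primary key).
    static class IdConverter implements StringConverter {
        public String asString(Object o) { return String.valueOf(o); }
        public Object asObject(String s) { return Long.valueOf(s); }
    }
    // "Converter2" as a decorator: seals the delegate's string on the way out and opens it
    // on the way in. A modified token fails the GCM tag check and never reaches the delegate.
    static class SealingConverter implements StringConverter {
        private final StringConverter delegate; private final SecretKey key; private final SecureRandom rng = new SecureRandom();
        SealingConverter(StringConverter delegate, SecretKey key) { this.delegate = delegate; this.key = key; }
        public String asString(Object o) throws Exception {
            byte[] iv = new byte[12]; rng.nextBytes(iv);              // fresh nonce per token
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(delegate.asString(o).getBytes(StandardCharsets.UTF_8));
            byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
            return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
        }
        public Object asObject(String token) throws Exception {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < 12 + 16) throw new IllegalArgumentException("token too short");
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            byte[] pt = c.doFinal(in, 12, in.length - 12);            // throws AEADBadTagException if tampered
            return delegate.asObject(new String(pt, StandardCharsets.UTF_8));
        }
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128); // demo key; a real app keeps one server-side key
        StringConverter chain = new SealingConverter(new IdConverter(), kg.generateKey());
        String token = chain.asString(42L);                           // constructed sample ID
        System.out.println(token + " -> " + chain.asObject(token));
        String forged = (token.charAt(0) == 'A' ? 'B' : 'A') + token.substring(1);
        try { chain.asObject(forged); System.out.println("forged token accepted"); }
        catch (Exception e) { System.out.println("forged token rejected: " + e.getClass().getSimpleName()); }
    }
}
```

A sealed token stops guessing or editing of IDs, but a token issued to one user is still valid when replayed by another, so the object lookup still needs a per-user authorization check.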