converter chains 4 security

[Dennis Byrne <de...@dbyrne.net>]

In web services, there is a notion of message handlers.  
Message handlers can be chained to each request and 
response.  For example, if a web service client sends a 
request, it is handed to MessageHander1 which can encrypt the 
message, and then to MessageHandler2 which can encode it.  On 
the receiving end, MessageHandler2 decodes the message and 
MessageHandler1 decrypts the message.

I want to do something similar with converters.  Currently, 
there are many places in my project where an ID is passed 
back and forth between the browser and the web app.  In 
between the browser and the backer, the converter passes this 
value to an OR framework which hands back an object graph 
(after it has gone to the DB).  I would imagine there are 
lots of apps like this.  However this means a script kiddy 
can instantiate any instance they wish w/ the correct primary 
key.

What I want to do is daisy chain converters.  Before a 
response is rendered, an object is passed to Converter1, 
which turns it into a string.  The string is then handed to 
Converter2, where the string is encrypted.  When the request 
comes back, Converter2 decrypts the string before it is 
passed to Converter1 which will convert this into an object.  

I COULD write an encryption decorator for ALL my converters. 

Is there any way, as in J2EE web services, that I can 
declaratively chain converters?  I want to treat my backing 
bean as though it were what is called a "service endpoint".  
As more AJAX components are written, I think backing beans 
are going to become more like service endpoints.

Dennis Byrne