Posted to dev@struts.apache.org by Ted Husted <hu...@apache.org> on 2004/07/01 17:25:16 UTC

Re: LazyActionForm

Since the LazyActionForm <http://www.niallp.pwp.blueyonder.co.uk/> can be validated like any other ActionForm, I don't see the basis for a technical objection. In the documentation, we would want to *strongly* recommend using the validated version, and remind people it is a *bad* practice to pass an ActionForm to the model. They should populate another object from the validated ActionForm and then pass that along (which provides the second layer of firewall).  IMHO, the LazyActionForm may encourage better practices, since people will not be so tempted to use ActionForms as model objects, if they don't have to define things twice (or at least seem to). 

Personally, I think validation and population should be strongly coupled, as it is with the FormProc component (formproc.sf.net). We now treat them as separate steps, but one begs the other. What's missing is an "optional" validator that would let us specify a field that may or may not be present. Then, we could populate only the properties that are specified by the validator form.  

So, if we did want to make the LazyValidatorForm secure, one solution would be to add an "optional" validator. Only the fields specified by a required or optional validator would be accepted, others would be ignored (as they are now). People would not have to specify the fields in the struts-config *and* in the validations.xml, but they would still have to specify them all in validations.xml.

-Ted.

On Wed, 30 Jun 2004 04:35:52 +0100, Niall Pemberton wrote:
> I'm happy to put it into Struts but other committers may object on
> the basis that one of the ActionForm's functions is to act as a
> 'firewall' between the Request and the Action - the
> 'LazyActionForm' circumvents this with all the request parameters
> being populated into it. In my Actions I only take out of them what
> I expect to be there - if you do that it's not an issue, but anyone
> who just passed on whatever's in there straight on to their model
> would leave themselves open to attack.
>
> Also the LazyDynaBean/LazyDynaClass objects that the "Lazy"
> ActionForm depends on are more suited to the beanutils project -
> maybe the first step would be to submit these classes to beanutils
> and see if they are happy to accept them.
>
> Niall
>
>
> ----- Original Message -----
> From: "Matthias Wessendorf" <ma...@matthias-wessendorf.de>
> To: <de...@struts.apache.org>
> Sent: Tuesday, June 29, 2004 2:22 PM
> Subject: LazyActionForm
>
>
>> Hello,
>>
>>
>> are there plans to integrate LazyActionForm from
>> Niall Pemberton into Struts (or in contrib)?
>>
>>
>> since Niall is a committer and it is useful
>> to have that functionality *directly* in the framework...
>>
>>
>> regards,
>> Matthias



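The following is an added, self-contained Java example illustrating the two points made in the thread above; it is not code from Struts, from Niall Pemberton's LazyActionForm, or from FormProc. It models Ted's proposal (a map-backed form populated from request parameters only where a required or optional validator rule names the field, with every other parameter ignored) and the "second firewall" step of copying validated fields into a separate model object rather than handing the form itself to the model. All class names (`Rule`, `LazyForm`, `Account`, `LazyFormDemo`) and the request values are constructed for the illustration and stand in for the real `validation.xml` entries and `ActionForm` machinery.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class LazyFormDemo {

    /** Hypothetical stand-in for one <field> entry in validation.xml. */
    static final class Rule {
        final String field;
        final boolean required;   // "required" validator vs. the proposed "optional" one
        final int maxLength;

        Rule(String field, boolean required, int maxLength) {
            this.field = field;
            this.required = required;
            this.maxLength = maxLength;
        }
    }

    /** Map-backed form in the spirit of a lazy form: a property exists only once it is set. */
    static final class LazyForm {
        private final Map<String, String> values = new LinkedHashMap<>();

        String get(String name) { return values.get(name); }
        boolean has(String name) { return values.containsKey(name); }
        Map<String, String> asMap() { return Collections.unmodifiableMap(values); }
    }

    /**
     * Populate the form from request parameters, accepting only fields that have a
     * validator rule. Parameters with no rule are never copied, so the form still acts
     * as the firewall between the request and the Action. Returns validation errors.
     */
    static List<String> populateAndValidate(Map<String, String[]> request,
                                            List<Rule> rules, LazyForm form) {
        List<String> errors = new ArrayList<>();
        for (Rule rule : rules) {
            String[] raw = request.get(rule.field);
            String value = (raw == null || raw.length == 0) ? null : raw[0];
            if (value == null || value.isEmpty()) {
                if (rule.required) {
                    errors.add(rule.field + ": required");
                }
                continue;   // optional and absent: property stays unset
            }
            if (value.length() > rule.maxLength) {
                errors.add(rule.field + ": longer than " + rule.maxLength);
                continue;
            }
            form.values.put(rule.field, value);
        }
        return errors;
    }

    /** Model object; nothing the request sent can reach its "admin" field via the form. */
    static final class Account {
        String username;
        String email;
        boolean admin;
    }

    /** Second firewall layer: copy validated fields one by one instead of passing the form on. */
    static Account toAccount(LazyForm form) {
        Account account = new Account();
        account.username = form.get("username");
        account.email = form.has("email") ? form.get("email") : "";
        return account;
    }

    public static void main(String[] args) {
        // Constructed request: carries an extra "admin" parameter the form must not absorb.
        Map<String, String[]> request = new HashMap<>();
        request.put("username", new String[] {"alice"});
        request.put("admin", new String[] {"true"});

        List<Rule> rules = Arrays.asList(
                new Rule("username", true, 32),    // required validator
                new Rule("email", false, 254));    // proposed "optional" validator

        LazyForm form = new LazyForm();
        List<String> errors = populateAndValidate(request, rules, form);
        Account account = toAccount(form);

        System.out.println("errors=" + errors);
        System.out.println("form=" + form.asMap());
        System.out.println("admin=" + account.admin);
    }
}
```

Running `LazyFormDemo` shows the form holding only `username`; the unsolicited `admin` parameter never enters the form, and the model object is built field by field so the form can never be mistaken for the model. The cost, as Ted notes, is that every accepted field must still be listed in the validation rules.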
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org