Posted to users@tomcat.apache.org by raja buddha <ja...@hotmail.com> on 2005/05/24 17:04:39 UTC

Validation Frame work

Hi all
In Struts, why do we need the validation framework when we have JavaScript
to do validations? Is there any extra advantage of using the validation
framework?

raj



RE: Validation Frame work

Posted by Steve Kirk <to...@web-startup.co.uk>.
David is right, JS and server-side validation perform different roles.  To
expand on his comment a bit more, remember that the requests that your
webapp receives could be sent by any HTTP client, not necessarily by a
friendly web browser.  If someone were so inclined, they could write their
own HTTP client to interact with your webapp, one that aimed to deliberately
submit bad data to your servlet, in which case your JS validation would have
been bypassed.  What they can't do is bypass your server-side validation (or
at least this is much harder).

Just one trick that such nasty people might try is to insert JS code in any
form fields that you let them create or edit.  If this field data is then
"displayed" in other pages of your app, this might cause anyone viewing that
page on your site to download a trojan/virus/etc.  It's really very easy to
do.  And this is only one such exploit.  There are many others.

> -----Original Message-----
> From: David Smith [mailto:dns4@cornell.edu] 
> Sent: Tuesday 24 May 2005 16:19
> To: Tomcat Users List
> Subject: Re: Validation Frame work
> 
> 
> Because you should never trust the client. They may not be submitting 
> from your form.  JavaScript is just a nicety to save the user a whole 
> request/response cycle just to find out a field is missing or wrong. 
> Consider it a security issue.
> 
> -- David
> 
> raja buddha wrote:
> 
> > Hi all
> > In Struts, why do we need the validation framework when we have JavaScript
> > to do validations? Is there any extra advantage of using the validation
> > framework?
> >
> > raj
> >



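The two points in the reply above (form JavaScript never runs for a hand-written HTTP client, and field data shown on other pages can carry script) are illustrated by the following added example, which is not part of the original thread and is not Struts' own validator. The class name, field names and patterns are assumptions, and the request parameters are constructed sample input.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class ServerSideValidation {
    // Allowlist rules for a hypothetical signup form; field names are assumptions.
    private static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        RULES.put("username", Pattern.compile("[A-Za-z0-9_]{3,20}"));
        RULES.put("age", Pattern.compile("[0-9]{1,3}"));
    }

    /** Returns field -> error message; an empty map means the input passed. */
    static Map<String, String> validate(Map<String, String> params) {
        Map<String, String> errors = new LinkedHashMap<>();
        for (Map.Entry<String, Pattern> rule : RULES.entrySet()) {
            String value = params.get(rule.getKey());
            if (value == null || value.isEmpty()) {
                errors.put(rule.getKey(), "required");
            } else if (!rule.getValue().matcher(value).matches()) {
                errors.put(rule.getKey(), "invalid format");
            }
        }
        return errors;
    }

    /** Encodes stored text for an HTML body context before it is displayed. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request from a non-browser client: no form JavaScript ever ran.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("username", "<script>x</script>");
        params.put("age", "abc");
        System.out.println(validate(params)); // both fields are rejected on the server
        System.out.println(escapeHtml("free text with <b>markup</b>"));
    }
}
```

In a servlet or Struts action the same checks would run on the values read from the request before they are stored, and the encoding would be applied wherever stored field data is written back into a page.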


Re: Validation Frame work

Posted by David Smith <dn...@cornell.edu>.
Because you should never trust the client. They may not be submitting 
from your form.  JavaScript is just a nicety to save the user a whole 
request/response cycle just to find out a field is missing or wrong. 
Consider it a security issue.

-- David

raja buddha wrote:

> Hi all
> In Struts, why do we need the validation framework when we have JavaScript
> to do validations? Is there any extra advantage of using the validation
> framework?
>
> raj
>

