Posted to user@struts.apache.org by Amit Kumar <am...@cistemsindia.com> on 2002/07/19 06:13:00 UTC

a question on the example in struts documentation

Please let me know if I have understood it correctly.

Just like in the example in the Struts documentation, I map my ActionServlet to *.do. I have a page someform.jsp whose logical name is, say, something.do.

All server side validations are performed in the corresponding Action class.

Now if some user of my page, after viewing the page something.do, opens its HTML source in the browser, he will be able to find a base tag containing the actual address of someform.jsp.
Now if the same user copies and pastes this address of someform.jsp into the browser, the request will not go to the ActionServlet, as it only captures *.do, not .jsp.
As a result, the Action class will be bypassed and thus all server side validations will be skipped by this user.

Is this correct?

Amit Kumar


 

Re: a question on the example in struts documentation

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 19 Jul 2002, Amit Kumar wrote:

> Date: Fri, 19 Jul 2002 09:43:00 +0530
> From: Amit Kumar <am...@cistemsindia.com>
> Reply-To: Struts Users Mailing List <st...@jakarta.apache.org>
> To: Struts Users Mailing List <st...@jakarta.apache.org>
> Subject: a question on the example in struts documentation
>
> Please let me know if I have understood it correctly.
>
> Just like in the example in the Struts documentation, I map my
> ActionServlet to *.do. I have a page someform.jsp whose logical name is,
> say, something.do.
>

This is not quite right.  The "thing" that has a .do extension is really
an Action, not a JSP page.  Take a look at the Struts example application
(source is included), and assume you're already on the main menu page and
you press the "Edit your user registration profile" link.  Here is what
happens:

* The link points at the "/editRegistration" action with a .do
  extension, so that is what will get executed.

* The corresponding Action class (EditRegistrationAction) loads
  your user information from the "database" into a form bean, and
  forwards control to a JSP page that is indirectly named via the
  <forward> elements in struts-config.xml.

* The JSP page displays itself, including the pre-filled-out data
  that comes from the form bean (since it is already there).

This pattern is very typical in Struts apps.  You'll find out a whole
bunch more if you read the User Guide (included in the
struts-documentation webapp) and go to the Resources page for links to
lots of good tutorials.

> All server side validations are performed in the corresponding Action
> class.
>

Usually they are done in the form bean's validate() method, or indirectly
via the validator framework.  Sometimes you need to do additional
validations in your actions.

> Now if some user of my page, after viewing the page something.do, opens
> its HTML source in the browser, he will be able to find a base tag
> containing the actual address of someform.jsp. Now if the same user
> copies and pastes this address of someform.jsp into the browser, the
> request will not go to the ActionServlet, as it only captures *.do, not
> .jsp. As a result, the Action class will be bypassed and thus all server
> side validations will be skipped by this user.
>
> Is this correct?
>
> Amit Kumar
>

Craig
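
The direct request for someform.jsp raised in the question can be refused by the container itself. The following web.xml sketch is an added example, not part of either message or of the Struts example application; it assumes a Servlet 2.3 container and uses the conventional servlet name "action".

```xml
<!-- Added sketch of WEB-INF/web.xml (Servlet 2.3 element order). -->
<web-app>

  <!-- The Struts controller, as in the thread: every *.do request goes here. -->
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <!-- With only the mapping above, a browser request for /someform.jsp is
       served by the container's JSP servlet and never reaches the Action. -->

  <!-- Deny client requests for JSP pages. An auth-constraint that names no
       roles permits nobody. The constraint is checked on the client's
       request only, so the RequestDispatcher forward from an Action to the
       JSP named in a <forward> element still works. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSP pages (constructed name)</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Any JSP that is meant to be requested directly falls under the same pattern, so narrow the url-pattern or route such pages through an action.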

