Re: Client PK access

From: Michael Gentry (blacknex..mail.com)
Date: Sun Apr 27 2008 - 12:42:44 EDT


    Thanks for the link, Kevin. It seems Robert listened to me! :-)

    http://code.google.com/p/tapestry5-cayenne/wiki/SecuringValueEncoders

    For an externally-facing application (and even some internal), it
    seems pluggable encryption might be the best approach (you don't want
    to include actual encryption, though). These overly-secure types of
    applications rarely care about friendly URLs, from what I've seen thus
    far and many are form/POST-based. I'll check out more later.

    Thanks!

    On Sun, Apr 27, 2008 at 12:03 PM, Kevin Menard <kmenar..ervprise.com> wrote:
    > Hi Michael,
    >
    > We're looking to basically achieve feature parity with the Hibernate module
    > and then surpass it. We've got some pretty good stuff going on right now.
    > The simplest way forward was to include keys in the URLs, but we intend on
    > making things more secure going forward.
    >
    > If you want to get involved with discussions and what not, feel free to join
    > the group. It's pretty low volume:
    >
    > http://code.google.com/p/tapestry5-cayenne/
    >
    > --
    > Kevin
    >
    >
    >
    >
    > On 4/27/08 11:50 AM, "Michael Gentry" <blacknex..mail.com> wrote:
    >
    > > Hi Kevin,
    > >
    > > I'm just curious since I haven't been following Tapestry much lately
    > > (I'm in WebObjects land currently) if you are making a data squeezer
    > > (or whatever they are calling it in T5) for Cayenne? If so, is it
    > > just going to stuff primary keys into the HTML as hidden fields or be
    > > something more elaborate? The environments I've worked in tend to
    > > need data security and exposing the primary keys in the HTML would be
    > > a definite no-no. You never want to give the client/end-user a chance
    > > to hack the primary key values to try to gain backdoor access to the
    > > data.
    > >
    > > Thanks!
    > >
    > > /dev/mrg
    > >
    > >
    > > On Sun, Apr 27, 2008 at 10:08 AM, Kevin Menard <kmenar..ervprise.com> wrote:
    > >> As part of the fix for CAY-574, we added a getPrimaryKeyNames() :
    > >> Collection<String> method to ObjEntity. This did the trick and allowed
    > >> DataObjectUtils to work. Unfortunately, it doesn't expose the PK type
    > >> information.
    > >>
    > >> As some of you likely know, I'm working on a Tapestry5-Cayenne integration
    > >> module with Robert Zeigler. I'm trying to ensure the module works just as
    > >> well for an ROP client as it does for traditional Cayenne server apps. One
    > >> of the things we need to be able to handle is the coercion of keys to and
    > >> from String values. This implies knowledge of the key class type, which is
    > >> currently unavailable in the client.
    > >>
    > >> I'm soliciting ideas on how to improve this. Off the top of my head, I'm
    > >> thinking something like the following:
    > >>
    > >> // Simple key -> value lookup.
    > >> String getPkClassName(String pkName)
    > >>
    > >> // Modification of existing method to allow PK lookups.
    > >> ObjAttribute getAttribute(String name, boolean includePks)
    > >>
    > >> // Rather than just have getPrimaryKeyNames(), return a mapping
    > >> // of the key name and its Java class.
    > >> Map<String, String> getPrimaryKeys()
    > >>
    > >> If possible, this is something I'd like to see squeezed in for 3.0M4,
    > >> because I'd really like that module to not have to rely on 3.0-SNAPSHOT.
    > >>
    > >> Thanks,
    > >> Kevin
    > >>
    > >>
    >
    >



    This archive was generated by hypermail 2.0.0 : Sun Apr 27 2008 - 12:43:15 EDT