RE: Tapestry integration

From: Gentry, Michael (Contractor)
Date: Thu Nov 10 2005 - 11:33:30 EST

    [Maybe I should put this on the Tapestry list, but since it started here
    ...]

    OK Robert, I'm thinking about DirectLink now, especially since the T4
    docs say that ActionLink is deprecated. :-(

    Suppose I did a Cayenne DataSqueezer for Tapestry and then did your
    example of a DirectLink using:

        parameter="ognl:someDataObject"

    Which generates a URL with something like:

        sp=Pnt/DataObject/300

    How do you prevent a user from changing that URL to have a 301 or a 302
    or whatever? It is quite trivial to copy the link's URL, paste it in
    the browser address line, and edit it. Record 301 could contain
    personal information for a different person that shouldn't be vended to
    the person receiving the link with 300 in it. It seems like I'm going
    to have to do a lot more defensive programming without ActionLink.

    Thoughts on that? I'm curious if you've already solved the malicious
    user problem! :-)

    Thanks!

    /dev/mrg

    -----Original Message-----
    From: Robert Zeigler [mailto:robert..uregumption.com]
    Sent: Tuesday, October 25, 2005 1:59 PM
    To: cayenne-use..bjectstyle.org
    Subject: Re: Tapestry integration

    Squeeze adapters just make life simpler when dealing with direct links,
    hidden form fields storing
    an object necessary for the form, etc.
    Consider, for example, the following:

    <a href="#" jwcid="@DirectLink" parameter="ognl:someDataObject">some
    link</a>,
    then w/out the squeeze adapter, you get the nasty serialized string
    storing the object, like:
    sp=zajwrk230jakzkeljk24j0jakljzlkjlkjlajk3wj0jzkjj2j1kjajajzkqweeraoiwr2
    412478997lksl2klaalkjoi4u389ull
    Or whatever. :) The url is ugly, but when you get your Object[] array
    in your listener, you have a nicely
    inflated object. Or... /mostly/ nicely. The issue here is that you
    wind up with a data object which isn't
    connected to any data context. So... ugly url /and/ problematic.

    To fix that, you could do (it's ugly all in ognl, but.... :)
    <a href="#" jwcid="@DirectLink"
    parameter="ognl:@org.objectstyle.cayenne.DataObjectUtils@intPKForObject(someDataObject)">some
    link</a>
    Which gives you a "nice" url parameter like:
    sp=300

    Of course, then in your corresponding listener code, you're going to
    have to reverse that process... grab your object from your data context,
    based on the pk. So, clean url, no disconnected dataobject problems,
    but it's code that you essentially have to duplicate
    over and over again.

    Using the custom squeeze adapter, you would still do
    parameter="ognl:someDataObject".
    But then the generated url parameter would look something like:
    sp=Pnt/DataObject/300

    Still reasonably clean*, plus, you don't have to deal with the pk
    yourself, plus when you get your array of objects in your listener,
    you have a nicely "inflated" data object, /and/ it's connected to the
    data context**, to boot. :) You grab your object and go.

    It's certainly possible to /not/ use a squeeze adapter... tassel was
    written without one. But having now written it,
    I'd never go back to not using it. It's just one of those things which
    makes life that much nicer. :)

    Robert

    *caveat: if object.getObjEntity() returns null (which is the case if
    you used a newly created, unregistered data object), the object is
    squeezed according to the standard tapestry mechanism, so you still
    get something of an ugly url.

    **caveat: if the object was not registered with a data context when it
    was "squeezed", it won't be associated with a data context when
    unsqueezed. Eg: parameter="new org.me.SomeObject()"; said object
    wouldn't be associated with a datacontext on unsqueezing... and you
    wouldn't expect it to.

    Eric Schneider wrote:

    > Hi Robert,
    >
    > I probably haven't paid enough attention to the DataSqueezer posts on
    > the Cayenne/Tapestry mailing lists. I was under the assumption you
    > needed to implement a custom squeezer if you wanted to bind a DataObject
    > as a DirectLink parameter. Are there other instances where the
    > standard Tapestry squeezing implementation with DataObjects jack me
    > up?
    >
    > I just haven't come across a problem (with a handful of apps), but
    > maybe I'm missing something?
    >
    > Thanks,
    > Eric
    >
    > On Oct 25, 2005, at 10:59 AM, Robert Zeigler wrote:
    >
    >> Sorry, I must've missed your e-mail on the tapestry list.
    >> Using the squeeze adapter is a matter of implementing the
    >> two interfaces it requires. One is ObjectIdStorageProvider.
    >> If you never use objects which are in state "NEW" in your pages,
    >> then this interface is unimportant and you can have a "dummy"
    >> implementation. Otherwise, what this interface is for is to
    >> store (in memory) the (temporary) ObjectId object or a data object in
    >> state NEW.
    >>
    >> The other interface is the "DataContextProvider" (single method:
    >> getValidDataContext()).
    >> The purpose is to provide the squeezer with a "valid" d.c. for the
    >> current
    >> thread.
    >>
    >> Once you've implemented the interfaces...
    >>
    >> If you're using tapestry 3.0.3, you'll have to subclass BaseEngine.
    >> In your subclass, override createSqueezeAdapter with something like:
    >>
    >> ISqueezeAdaptor[] adapters = {
    >>     new DataObjectAdaptor(new DataContextProviderImp(),
    >>                           new ObjectIdStorageProviderImp())
    >> };
    >> return new DataSqueezer(getResourceResolver(), adapters);
    >>
    >>
    >> If you're using tapestry 4.0.beta-xxx, then you can skip the
    >> subclassing
    >> and just define the adapter in your hivemind config file.
    >> There are many examples of how to do this posted throughout
    >> the userlist archives, and I believe on the tapestry wiki, as well.
    >>
    >> Robert
    >>
    >> jaka lustek wrote:
    >>
    >>
    >>> Hi,
    >>>
    >>> I posted a similar question on the Tapestry list, but did not get
    >>> the answer so far. Can someone explain the steps to use
    >>> CayenneDataSqueezer with Tapestry? I downloaded the squeezer from
    >>> Tassel. I don't want to go stateful; is it possible to achieve this
    >>> with CayenneSqueezer? I hope I am not asking silly questions.
    >>>
    >>> I have a tiny web app, just two pages: the first is collecting
    >>> answers with radio group buttons, and the second is collecting user
    >>> data. The model will use some three tables and some relationships.
    >>> Simple model, simple web app, but as I am new to the Cayenne Tapestry
    >>> world I need some hints. I intend to present this app in my company
    >>> as a proof of concept when it is ready (and this should happen very
    >>> soon).
    >>>
    >>> Thanks,
    >>> Borut
    >>>
    >>
    >
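
One way to handle the URL-editing concern raised in the first message, shown as an added example that is not from any poster in this thread and is not Tapestry or Cayenne code: append an HMAC to the squeezed value, bound to the session user, and verify it in the listener before the object is fetched. The class `SignedSqueeze`, its `seal` and `open` methods, the key and the user names are all hypothetical and use only the JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (assumption): not part of Tapestry or Cayenne.
public class SignedSqueeze {
    private static byte[] tag(byte[] key, String user, String squeezed) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(user.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0); // separator so the user/value boundary cannot shift
        return mac.doFinal(squeezed.getBytes(StandardCharsets.UTF_8));
    }

    // When the link is rendered: append a MAC bound to the session user.
    static String seal(byte[] key, String user, String squeezed) throws Exception {
        byte[] t = tag(key, user, squeezed);
        return squeezed + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(t);
    }

    // In the listener, before fetching: returns the squeezed value or throws.
    static String open(byte[] key, String user, String token) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot < 0) throw new SecurityException("unsigned parameter");
        String squeezed = token.substring(0, dot);
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(token.substring(dot + 1)); }
        catch (IllegalArgumentException e) { throw new SecurityException("malformed tag"); }
        if (!MessageDigest.isEqual(given, tag(key, user, squeezed))) // constant-time compare
            throw new SecurityException("parameter was modified or issued to another user");
        return squeezed;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real key would be random and kept server-side.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        String link = seal(key, "alice", "Pnt/DataObject/300");
        System.out.println("issued:   sp=" + link);
        System.out.println("accepted: " + open(key, "alice", link));
        String edited = link.replace("/300.", "/301."); // the edit described in the post
        for (String[] attempt : new String[][] {{"alice", edited}, {"bob", link}}) {
            try { open(key, attempt[0], attempt[1]); System.out.println("BUG: accepted"); }
            catch (SecurityException e) { System.out.println("rejected for " + attempt[0] + ": " + e.getMessage()); }
        }
    }
}
```

The signature only proves the server issued that exact value to that user; the listener should still confirm that the logged-in user is allowed to see the record it loads.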



    This archive was generated by hypermail 2.0.0 : Thu Nov 10 2005 - 11:33:32 EST