RE: Note to Cayenne/Tapestry users ...

From: Steve Wells (stwell..wnmail.net)
Date: Wed Jan 04 2006 - 18:42:53 EST

    Mike,

    Using a custom squeezer is the way to go. To get around your
    vulnerability issues I think there are 2 options off the top of my head:
    1. Modify Robert's DataSqueezer impl to obscure the PKs, such as a Map
    of GUIDs to PKs. GUIDs are then put in the page and then mapped back
    to PKs.
    2. Wait for different PK generation schemes...again such as GUID. I'd
    think this would be secure enough for most apps?

    Surely someone has done something like this before?

    -- 
    http://www.fastmail.fm - The professional email service
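An added example, not code from this thread or from Cayenne/Tapestry: a Python sketch of option 1 above, with a squeezer that writes the raw PK into the page beside one that writes a server-side GUID and refuses values it never issued. The `squeeze`/`unsqueeze` names, the dict-backed store and the sample records are assumptions made for illustration.

```python
import uuid

class PkSqueezer:
    """Raw form of the adapter discussed above: the hidden field holds the PK.
    Whatever the user edits it to is looked up as-is (assumed dict-backed store)."""
    def __init__(self, store):
        self.store = store
    def squeeze(self, obj):
        return str(obj["pk"])
    def unsqueeze(self, text):
        return self.store[int(text)]

class GuidSqueezer:
    """Option 1: issue a random GUID per object, keep the GUID->PK map on the
    server (hold one per user session), and put only the GUID in the page."""
    def __init__(self, store):
        self.store = store
        self._guid_to_pk = {}
        self._pk_to_guid = {}
    def squeeze(self, obj):
        pk = obj["pk"]
        if pk not in self._pk_to_guid:            # reuse the GUID within the session
            guid = str(uuid.uuid4())
            self._pk_to_guid[pk] = guid
            self._guid_to_pk[guid] = pk
        return self._pk_to_guid[pk]
    def unsqueeze(self, text):
        pk = self._guid_to_pk.get(text)
        if pk is None:                            # never issued: edited or guessed
            raise ValueError("unknown squeezed value")
        return self.store[pk]

# Constructed sample table: primary key -> customer record.
CUSTOMERS = {7: {"pk": 7, "name": "alice"}, 8: {"pk": 8, "name": "bob"}}

def demo():
    """Round-trip both squeezers and show what an edited hidden field yields."""
    raw, guid = PkSqueezer(CUSTOMERS), GuidSqueezer(CUSTOMERS)
    issued = guid.squeeze(CUSTOMERS[7])
    try:
        guid.unsqueeze("8")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "raw_field": raw.squeeze(CUSTOMERS[7]),            # "7": the PK in the page
        "raw_edited": raw.unsqueeze("8")["name"],          # "bob": another row
        "guid_roundtrip": guid.unsqueeze(issued)["name"],  # "alice"
        "guid_stable": guid.squeeze(CUSTOMERS[7]) == issued,
        "guid_edited_rejected": rejected,
    }
```

The map must live server-side and be scoped to the user's session; a GUID generated from the PK, or shared across users, would just be a PK in disguise.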
    

    ----- Original message -----
    From: "Gentry, Michael (Contractor)" <michael_gentr..anniemae.com>
    To: cayenne-use..bjectstyle.org
    Date: Wed, 4 Jan 2006 17:00:14 -0500
    Subject: RE: Note to Cayenne/Tapestry users ...

    Yeah ... Call me paranoid, but I'll never knowingly send a primary key for any kind of sensitive information. I could see that for a store catalog or something it is pretty harmless to send the PK -- user changes PK and they just get to view a different product. But for customer information/etc, not a good thing. :-)

    /dev/mrg

    PS. Anything you can send to the user can be edited and sent back.

    -----Original Message-----
    From: Robert Zeigler [mailto:robert..uregumption.com]
    Sent: Wednesday, January 04, 2006 4:55 PM
    To: cayenne-use..bjectstyle.org
    Subject: Re: Note to Cayenne/Tapestry users ...

    For, in fact, calls into the data squeezing mechanisms. So, if you've got a data squeezer registered which handles cayenne data objects, then it'll be used to construct the stored string as well as to "re-inflate" the objects when For rewinds. So, in my CayenneDataObjectSqueezeAdapter implementation, I "serialize" to a pk (with some bits of necessary extra information), and then when unsqueezing, use DataObjectUtils to refetch the object.

    Robert

    Gentry, Michael (Contractor) wrote:

    >I thought the data squeezer just put the object's PK in the hidden area
    >of the form?
    >
    >/dev/mrg
    >
    >-----Original Message-----
    >From: Robert Zeigler [mailto:robert..uregumption.com]
    >Sent: Wednesday, January 04, 2006 4:43 PM
    >To: cayenne-use..bjectstyle.org
    >Subject: Re: Note to Cayenne/Tapestry users ...
    >
    >That's where the data squeezer comes in handy; it will let For work its
    >magic (useful for avoiding stale link exceptions, etc.) and still make
    >sure you have objects which are nicely attached to the data context. :)
    >I've been using base:For (For, but for tapestry 3.03) for some time now
    >in conjunction with data squeezers and have no issues.
    >
    >Robert
    >
    >Michael Gentry (Yes, I'm a Contractor) wrote:
    >
    >>I've been converting an application which uses Tapestry 3/Cayenne to
    >>Tapestry 4 (and Cayenne, of course). In the process, I've been trying
    >>to get rid of all of the deprecated components (ActionLink, Conditional,
    >>Foreach, etc).
    >>
    >>I replaced one of the Foreach components with the new For component and
    >>it caused issues for me. I had a persistent List of Cayenne objects and
    >>Tapestry, with the new For component, would serialize/deserialize them
    >>(apparently in the HTML), which creates a HOLLOW Cayenne object
    >>disassociated from its DataContext. (It also produced some bizarre
    >>HTML in the hidden INPUT section -- kept repeating a For_0 variable, but
    >>with different values.) This, of course, caused the code to fail.
    >>
    >>After looking through the docs, we added the volatile="true" attribute
    >>and it made For work more like the old Foreach and everything was fine
    >>again.
    >>
    >>Just thought I'd share in case other Cayenne/Tapestry users are going
    >>through a similar conversion.
    >>
    >>/dev/mrg



    This archive was generated by hypermail 2.0.0 : Wed Jan 04 2006 - 18:42:56 EST