
List:       tapestry-user
Subject:    Re: Encode/decode activation parameters
From:       George Christman <gchristman () cardaddy ! com>
Date:       2014-10-24 12:41:55
Message-ID: CADYqYfk9OAGjuHg8zBgGfv7UnKFWiv9O15zxtkDvfzj=Tuny1w () mail ! gmail ! com


As Thiago has already pointed out, non-sensitive database IDs passed
through the URL should not be an issue providing you check permissions. I
do this kind of thing all the time where I have a method that handles
permission checking. If you're doing the check in onActivate you have the
option to redirect unauthorized users.

On Fri, Oct 24, 2014 at 6:55 AM, Thiago H de Paula Figueiredo <
thiagohp@gmail.com> wrote:

> On Fri, 24 Oct 2014 08:13:14 -0200, Semen Vishniakov <
> vishnyakovsa@gmail.com> wrote:
>
>> Hi all,
>>
>
> Hi!
>
>> I really like the concept to store values in the url instead of
>> storing in the session. But in most cases these are IDs of the
>> entities that can be manipulated by users in the url.
>> Is it a good idea to try to encode parameters before storing in the
>> url and to decode before onActivate
>>
>
> Unless these ids are sensitive by themselves (SSN number, for example), I
> don't think that's actually needed, especially if they're database-generated
> values. Encoded/encrypted activation context or not, you still need to
> check, in every request, if the user really has access to that page with
> those given parameters, be they page activation context values or query
> parameters or a combination of both.
>
>> and if so, how can I generalize my
>> solution to prevent writing the same pieces of code each time?
>>
>
> Provide or override the ValueEncoder for that given object type (class)
> with any logic you want and, instead of using the id directly in
> onActivate() and onPassivate(), use the object type directly. Example:
> Instead of onActivate(String id) and onPassivate() { return object.getId()
> }, use onActivate(YourClass object) and onPassivate() { return object; }
>
> --
> Thiago H. de Paula Figueiredo
> Tapestry, Java and Hibernate consultant and developer
> http://machina.com.br
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: users-help@tapestry.apache.org
>
>


-- 
George Christman
www.CarDaddy.com
P.O. Box 735
Johnstown, New York

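The pattern described in this thread (a ValueEncoder for the entity type, onActivate/onPassivate working on the object instead of its id, and a per-request permission check that redirects unauthorized users), as an added example that is not code from either poster. It assumes a `Car` entity with `getId()`/`getOwnerId()`, a `CarDao` service with `findById(long)`, a `CurrentUser` service, and a hypothetical `AccessDenied` page; the `contributeValueEncoderSource` signature is the one I recall for Tapestry 5.x and should be checked against your version.

```java
// Added example; each class would normally live in its own file.
import org.apache.tapestry5.ValueEncoder;
import org.apache.tapestry5.ioc.MappedConfiguration;
import org.apache.tapestry5.ioc.annotations.Inject;

// 1. ValueEncoder: converts between the URL string and the entity.
//    Only the numeric id ever appears in the URL; nothing is "hidden" here,
//    because authorization happens in the page, not in the encoding.
class CarEncoder implements ValueEncoder<Car> {
    private final CarDao dao;                       // assumed service
    CarEncoder(CarDao dao) { this.dao = dao; }

    @Override public String toClient(Car car) { return Long.toString(car.getId()); }

    @Override public Car toValue(String clientValue) {
        // A malformed or unknown id yields null; onActivate treats null as denied.
        try { return dao.findById(Long.parseLong(clientValue)); }
        catch (NumberFormatException e) { return null; }
    }
}

// 2. AppModule contribution so Tapestry applies CarEncoder for Car parameters
//    (contribution type assumed; older versions expect a ValueEncoderFactory).
class AppModule {
    public static void contributeValueEncoderSource(
            MappedConfiguration<Class, Object> configuration, CarDao dao) {
        configuration.add(Car.class, new CarEncoder(dao));
    }
}

// 3. Page: receives the entity, not the raw id, and checks access on EVERY request.
class ViewCar {
    @Inject private CurrentUser currentUser;        // assumed service
    private Car car;

    Object onActivate(Car car) {
        // The id came from the URL and is attacker-controlled: verify ownership.
        if (car == null || !car.getOwnerId().equals(currentUser.getId())) {
            return AccessDenied.class;              // redirect unauthorized users
        }
        this.car = car;
        return null;                                // null = keep rendering this page
    }

    Object onPassivate() { return car; }            // CarEncoder turns it back into the id
}
```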
