I can't fully understand the purpose of data binding in Spring JSP pages. Does someone have a full understanding of it?
You have HTML on one side and Java objects on the other side. You have to convert between these two. That's what binding is for: you tell Spring to handle this conversion, i.e. to bind HTML inputs to object fields.
Classically, data binding was used within applications to take advantage of data stored in databases. Windows Forms data binding allows you to access data.
Look at this:
www.dapfor.com
Typically, in a web app, data is loaded from a database. This is not done in the JSP layer (typically). Data binding is simply a way to make your data (i.e. model objects) available on the JSPs.
You may want to access your input form / URL parameters in an OO fashion: input.getUserName(), input.getBirthDate(). Spring (as well as other web frameworks, but in different ways) provides you with means of transparently "binding" the input.
This binding process involves conversion (from Strings to whatever: Date objects, numbers, your custom classes etc.) and validation, so you get all that out of the box (all you need to do is sometimes configure it to work as you want it).
Since HTML is stateless, data binding came along to resolve that problem.
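As an added example (not code from the answer above or from the Spring project), here is a Spring MVC 3.2+ controller that lets Spring do the conversion and validation the answer describes: the String parameters `userName` and `birthDate` are bound onto a form-backing object, `birthDate` is converted to a `java.util.Date`, and JSR-303 constraints are checked before the method body runs. The package, class and view names are assumed, and a JSR-303 provider (e.g. Hibernate Validator) is assumed to be on the classpath.

```java
// Added example, not from the original answers. Names under com.example.* are assumed.
package com.example.web;

import java.util.Date;

import javax.validation.Valid;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Past;
import javax.validation.constraints.Size;

import org.springframework.format.annotation.DateTimeFormat;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/register")
public class RegistrationController {

    /** Form-backing object: the HTML inputs named userName and birthDate land on these fields. */
    public static class RegistrationForm {
        @NotNull
        @Size(min = 3, max = 32)
        private String userName;

        @NotNull
        @Past
        @DateTimeFormat(pattern = "yyyy-MM-dd")   // the String "1990-05-17" becomes a java.util.Date
        private Date birthDate;

        public String getUserName() { return userName; }
        public void setUserName(String userName) { this.userName = userName; }
        public Date getBirthDate() { return birthDate; }
        public void setBirthDate(Date birthDate) { this.birthDate = birthDate; }
    }

    /**
     * Restrict which fields may be bound. Without this, any request parameter whose name
     * matches a setter on the form object gets bound (mass assignment), e.g. an attacker
     * appending &admin=true to a form object that happens to have setAdmin().
     */
    @InitBinder("form")
    public void initBinder(WebDataBinder binder) {
        binder.setAllowedFields("userName", "birthDate");
    }

    @RequestMapping(method = RequestMethod.GET)
    public String showForm(@ModelAttribute("form") RegistrationForm form) {
        return "register";   // renders the JSP that contains <form:form modelAttribute="form">
    }

    @RequestMapping(method = RequestMethod.POST)
    public String submit(@Valid @ModelAttribute("form") RegistrationForm form, BindingResult result) {
        // Conversion failures (birthDate=not-a-date) and constraint violations both end up here;
        // BindingResult must be the parameter right after the @ModelAttribute it reports on.
        if (result.hasErrors()) {
            return "register";   // the JSP shows them via <form:errors path="birthDate"/>
        }
        // form.getUserName() and form.getBirthDate() are typed values; no request.getParameter() needed.
        return "redirect:/register/done";
    }
}
```

The `setAllowedFields` call is the check worth keeping even when you strip everything else: binding is convenient precisely because it is automatic, so the set of bindable fields should be an explicit whitelist rather than "every setter on the class".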
I know we can use encodeForHTML for HTML and encodeForJavaScript for JavaScript.
There is a "Cross-Site Scripting: Reflected" Fortify scan finding in my code:
String errorDesc = request.getParameter("error_description"); // request is the HttpServletRequest
I have to validate this using Encoder, but I am confused about which one I should use between them, as we do not know the return type of HttpServletRequest.getParameter.
1. org.owasp.esapi.Encoder.encodeForHTML
2. org.owasp.esapi.Encoder.encodeForJavaScript
What we have here, dear asker, is a rather common misunderstanding about the difference between output encoding, which is what you're working with when you look at the Encoder calls, and input validation, which is a completely separate operation that has little to do with the Encoder class.
The Encoder methods you're dealing with here are to be used only when you're presenting data to a user, and only for the correct context. For example, if the application is a "Single Page Application" (SPA) then very likely you're just going to want to ensure that the output is encoded for JavaScript as the client-facing framework will almost certainly be JavaScript.
If you were using an older style of application, then you would encode for HTML anytime you were going to place data between <some_tag> data </some_tag>.
XSS requires you to understand one thing for every variable in your application: its data flow, from where the value is generated (server, user, DB, etc.) through all of the transformations it might undergo as it traverses to the user and back to the system. If the value starts in the browser, it will enter some kind of Controller on the backend, and before you process the value you'll whitelist-validate it (ESAPI has a Validator class), and then, if it passes validation, you'll ensure that the database will only treat it as data (PreparedStatement, or through use of an ORM framework's utilities). Best practice is to:
Canonicalize the data
Validate against the canonicalized value
If valid, discard the canonicalized value and store the original data
If used properly, the Validator class does this for you by default.
The methods you're asking about in this question are for instances where user input is being sent back to the browser, either from the database or from a previous request in your session that hasn't yet been persisted.
The main difference is how the output encoding is done. Encoder.encodeForHTML() does HTML entity encoding via the org.owasp.esapi.codecs.HTMLEntityCodec class, whereas Encoder.encodeForJavaScript() uses JavaScript's backslash encoding via org.owasp.esapi.codecs.JavaScriptCodec.
Which one you choose depends on the context in which your "error_description" parameter will be rendered in your application. If it is rendered between HTML tags, use encodeForHTML(); if you are rendering it in a purely JavaScript context, use encodeForJavaScript(). Refer to https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html for a more thorough explanation of all this.
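To make the two answers concrete, here is an added example (not code from either answer or from the ESAPI project) of a servlet that handles the asker's `error_description` parameter both ways: whitelist validation on the way in, and a different ESAPI encoder for each place the value is written on the way out. The servlet and element names are assumed, and ESAPI.properties (with its default `Validator.SafeString` pattern) is assumed to be on the classpath.

```java
// Added example, not from the original answers. Class and element names are assumed.
package com.example.web;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.IntrusionException;

public class ErrorPageServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getParameter() always returns a String (or null); what that String contains is untrusted.
        String errorDesc = request.getParameter("error_description");
        if (errorDesc == null) {
            errorDesc = "";
        }

        // Input side. isValidInput() canonicalizes the value (undoing %3C, &lt; and similar tricks)
        // and checks the result against the whitelist regex named Validator.SafeString in
        // ESAPI.properties. If it passes, the original string is kept, not the canonical one.
        boolean valid;
        try {
            valid = ESAPI.validator().isValidInput("error_description", errorDesc, "SafeString", 200, false);
        } catch (IntrusionException e) {
            valid = false;
        }
        if (!valid) {
            errorDesc = "Invalid error description";   // never echo a rejected value back
        }

        // Output side: pick the encoder by where the value lands in the response.
        Encoder enc = ESAPI.encoder();
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE html><html><body>");

        // 1. Between tags -> encodeForHTML: '<' becomes &lt; so no tag can be injected.
        out.println("<p>" + enc.encodeForHTML(errorDesc) + "</p>");

        // 2. Inside a quoted attribute -> encodeForHTMLAttribute: a quote can't end the attribute.
        out.println("<input type=\"hidden\" name=\"err\" value=\"" + enc.encodeForHTMLAttribute(errorDesc) + "\">");
        out.println("<p id=\"err-js\"></p>");

        // 3. Inside a JavaScript string literal -> encodeForJavaScript: quotes, backslashes, '<'
        //    and line breaks become \xHH escapes, so the value can neither end the string nor
        //    smuggle in "</script>". HTML entities are the wrong tool here: the HTML parser does
        //    not decode them inside <script>, so the script would see the literal text "&lt;".
        out.println("<script>");
        out.println("  var errorDescription = '" + enc.encodeForJavaScript(errorDesc) + "';");
        out.println("  document.getElementById('err-js').textContent = errorDescription;");
        out.println("</script>");

        out.println("</body></html>");
    }
}
```

In a JSP the same calls go into the page instead of `out.println`, e.g. `<%= ESAPI.encoder().encodeForHTML(errorDesc) %>` between tags and `encodeForJavaScript` inside a `<script>` string. The point the two answers make survives unchanged: validation decides whether the value is accepted at all, and the encoder is chosen per output location, not per variable.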
Is it possible to get the JSON data from a restService using code instead of using the pathInfo?
looking for something like: getComponent("restService1").get...
<xe:restService id="restService1" pathInfo="rest">
<xe:this.service>
<xe:jdbcQueryJsonService connectionName="mssql" contentType="application/json">
<xe:this.sqlQuery><![CDATA[SELECT * FROM Order]]></xe:this.sqlQuery>
</xe:jdbcQueryJsonService>
</xe:this.service>
</xe:restService>
I don't think that this is possible without deeply hacking into the core ExtLib REST services.
In these services, the output is generated and written to the defined output stream, which is normally the one from the HttpResponse.
You have two options for this:
Create your own rest service for jdbcQueryJsonService by extending the existing one and add your own method for accessing the output stream
Use reflection to access the private property which holds the outputstream instance
For both options, I don't think that this is worth the effort. It's a lot easier to create your own JDBC connection to the SQL server and transform the result to JSON on your own.
EDIT:
Don't forget that you are accessing a component. A component doesn't know anything about the output, which is generated by the renderer depending on the current state of the component. While the ExtLib REST services are a little bit different from the JSF concepts (their output is generated by a servlet), the pattern is the same.
That's why no XPages / JSF component has such a method.
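As an added example (not code from the answer or from the ExtLib), here is what the answer recommends instead of fishing the output stream out of restService1: run the query yourself from a managed bean and build the JSON in code. How the `Connection` is obtained (the "mssql" connection from the XPages JDBC provider, or JNDI) is left to the caller, and the class name is assumed; the JSON writer is hand-rolled so the example has no library dependency.

```java
// Added example, not from the original answer. Class name and the caller's Connection are assumed.
package com.example.xpages;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;

public class JdbcJson {

    /** Runs a parameterised query and returns the rows as a JSON array of objects. */
    public static String queryToJson(Connection con, String sql, Object... params) throws SQLException {
        StringBuilder json = new StringBuilder("[");
        // PreparedStatement keeps caller-supplied values out of the SQL text.
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) {
                ps.setObject(i + 1, params[i]);
            }
            try (ResultSet rs = ps.executeQuery()) {
                ResultSetMetaData meta = rs.getMetaData();
                int cols = meta.getColumnCount();
                boolean firstRow = true;
                while (rs.next()) {
                    json.append(firstRow ? "{" : ",{");
                    firstRow = false;
                    for (int c = 1; c <= cols; c++) {
                        if (c > 1) {
                            json.append(',');
                        }
                        json.append(quote(meta.getColumnLabel(c))).append(':');
                        Object v = rs.getObject(c);
                        if (v == null) {
                            json.append("null");
                        } else if (v instanceof Number || v instanceof Boolean) {
                            json.append(v.toString());
                        } else {
                            json.append(quote(v.toString()));   // dates, strings, etc. go out as text
                        }
                    }
                    json.append('}');
                }
            }
        }
        return json.append(']').toString();
    }

    /** JSON string literal with the escapes RFC 8259 requires. */
    static String quote(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                case '<':  sb.append("\\u003c"); break;   // keeps "</script>" in a cell inert if the JSON is inlined in HTML
                default:
                    if (ch < 0x20) {
                        sb.append(String.format("\\u%04x", (int) ch));
                    } else {
                        sb.append(ch);
                    }
            }
        }
        return sb.append('"').toString();
    }

    // Usage from a managed bean:
    //   String json = JdbcJson.queryToJson(con,
    //       "SELECT * FROM [Order] WHERE customer_id = ?", customerId);
    // Order is a reserved word on SQL Server, hence the brackets around the table name.
}
```

Because the SQL text is fixed and the values travel as bound parameters, the page can let users filter the result without the query itself becoming user-controlled, which is the part a hand-written replacement for `jdbcQueryJsonService` most easily gets wrong.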
We have a rather large application, with a great deal of dynamic content. Is there any way to force Struts to use a database for the i18n lookups, instead of properties files?
I'd be open for other ways to solve this as well, if anyone has ever done i18n with dynamic content.
I don't know of an easy plug-and-play solution for this, so you will probably have to implement it yourself -- plan on spending quite a bit of time just coming to grips with how the localization features of struts 2 (and XWork) are implemented. The key will probably be to provide your own implementation of com.opensymphony.xwork2.TextProvider (and tell struts to use it by providing a <bean> tag in struts.xml). I can think of at least two ways of fitting this into the overall architecture:
Have your TextProvider implementation access the database directly. In the spirit of YAGNI, this is probably the best way to start (you can always refactor later, if necessary).
Alternatively, you could place the database code into an implementation of Java's ResourceBundle interface, which is what XWork uses internally. To me this sounds like an even more design-heavy approach, but on the plus side there are some articles around describing how to do this.
No, there is no built-in way to have Struts2 load localized content from a database. You would need to write that yourself.
What are your requirements? Do you need for users to be able to dynamically change field prompts, error messages, etc.?
You may be able to do something like that by building a custom interceptor. You could have the interceptor read all the key value pairs from your database and inject them into the value stack. The only thing I am not sure about, not really having messed with i18n with struts before, is if the i18n stuff pulls that information from the value stack. If not, I am not sure if maybe you could do something else in the interceptor to load up the information.
Building a custom interceptor is not too terribly complicated. There are plenty of tutorial sites out there, including (brace for self promotion here) my blog: http://ddubbya.blogspot.com/2011/01/creating-custom-struts2-interceptors.html.
Use properties files just for static content, like labels, messages etc.
For dynamic content start with a database table that includes a language-code-id for every language you want to use. All the dynamic content entries that are already translated go with their respective language-code-id added to their primary key. If a translation is missing, you can program your application to fall back to your default language in order to make things easier until the right translation is present.
Let your users provide their contributions in the language they like and store it with the appropriate language-id. Someone should provide the translation to the other languages in order to make the contribution complete.
...
PRIMARY KEY (`subject_id`,`language_id`),
...
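As an added example (not code from any of the answers or from Struts), here is the ResourceBundle route from the first answer, backed by the kind of table the last answer describes: rows keyed on (subject_id, language_id), with a fall back to the default language when a translation is missing. The table and column names, the JNDI name of the DataSource and the bundle base name `com.example.i18n.Messages` are all assumed.

```java
// Added example, not from the original answers. Table, column, JNDI and package names are assumed.
package com.example.i18n;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.ResourceBundle;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/**
 * A ResourceBundle whose messages come from a table instead of a .properties file.
 * Assumed table: translations(subject_id VARCHAR, language_id CHAR(2), text VARCHAR,
 * PRIMARY KEY (subject_id, language_id)).
 */
public class DbResourceBundle extends ResourceBundle {
    static final String DEFAULT_LANGUAGE = "en";
    private final Map<String, String> messages = new HashMap<String, String>();

    protected DbResourceBundle(DataSource ds, String language) {
        // Default-language rows first, then the requested language on top, so a
        // missing translation falls back to English instead of rendering as ???key???.
        load(ds, DEFAULT_LANGUAGE);
        if (!DEFAULT_LANGUAGE.equals(language)) {
            load(ds, language);
        }
    }

    private void load(DataSource ds, String language) {
        String sql = "SELECT subject_id, text FROM translations WHERE language_id = ?";
        try (Connection con = ds.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, language);   // bound parameter, never concatenated into the SQL
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    messages.put(rs.getString("subject_id"), rs.getString("text"));
                }
            }
        } catch (SQLException e) {
            throw new IllegalStateException("cannot load translations for " + language, e);
        }
    }

    @Override
    protected Object handleGetObject(String key) {
        return messages.get(key);   // null makes ResourceBundle continue with the parent bundle
    }

    @Override
    public Enumeration<String> getKeys() {
        return Collections.enumeration(messages.keySet());
    }

    /** JNDI name assumed. */
    static DataSource lookupDataSource() {
        try {
            return (DataSource) new InitialContext().lookup("java:comp/env/jdbc/i18n");
        } catch (NamingException e) {
            throw new IllegalStateException(e);
        }
    }
}

// ResourceBundle.getBundle("com.example.i18n.Messages", locale) tries the class names
// Messages_de, Messages (and so on) before it looks for .properties files, so each
// language is a one-line public subclass in its own file, e.g. Messages_de.java:
//
//   public class Messages_de extends DbResourceBundle {
//       public Messages_de() { super(lookupDataSource(), "de"); }
//   }
//
// plus Messages.java (the base bundle, built with language "en") for the fallback.
```

Struts 2 is pointed at the bundle with `<constant name="struts.custom.i18n.resources" value="com.example.i18n.Messages"/>` in struts.xml. One caveat: `ResourceBundle.getBundle` caches instances, so edits to the table are only seen after `ResourceBundle.clearCache()` or a restart; if the content must change live, the TextProvider approach from the first answer, which queries per lookup, is the better fit.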
For a web application, I need to return a model to a view.
For a mobile application or API, I want to return xml or json.
Is it possible to do all of these using a single controller method, or do I have to duplicate this and create separate API controllers, etc.?
With Spring MVC 3.x you can do this with just the one controller method. The trick is to wire up the appropriate ContentNegotiatingViewResolver in your Spring config. You can configure it to return the desired content type based on file extension and/or requested mime type.
It works best for methods that only add a single model attribute to the Model, otherwise the JSON/XML starts to get a bit ugly.
I often find it's simpler/nicer to implement separate controller methods for my web service requests, as you can better control the format of the JSON/XML and the code is easier to maintain in the long term.
EDIT: Just to qualify my comment above, I find that with complex JSP pages, where there might be 5-10 model attributes added to the page, the resulting JSON tends to be quite messy, and you usually find you only really want 1-2 of those in the JSON. OTOH, simple pages with 1-2 model attributes added work quite well.
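As an added example (not code from the answer or from the Spring project), here is the Spring MVC 3.2 Java configuration for the single-controller-method setup the answer describes: one handler adds one model attribute and returns a JSP name, and the `ContentNegotiatingViewResolver` picks the JSP, a JSON view or an XML view based on the URL extension or the Accept header. The `Order` class, the URL and the JSP path are assumed, and Jackson 2 plus JAXB are assumed to be on the classpath.

```java
// Added example, not from the original answer. Order, the URL and the JSP path are assumed.
package com.example.web;

import java.util.ArrayList;
import java.util.List;

import javax.xml.bind.annotation.XmlRootElement;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.oxm.jaxb.Jaxb2Marshaller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.accept.ContentNegotiationManager;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.view.ContentNegotiatingViewResolver;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;
import org.springframework.web.servlet.view.xml.MarshallingView;

@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {

    /** Assumed model class; @XmlRootElement is what the JAXB view needs to marshal it. */
    @XmlRootElement
    public static class Order {
        public long id;
        public String status;
        public Order() { }
        public Order(long id, String status) { this.id = id; this.status = status; }
    }

    /** The one controller method: it neither knows nor cares which representation goes out. */
    @Controller
    public static class OrderController {
        @RequestMapping("/orders/{id}")
        public String show(@PathVariable long id, Model model) {
            model.addAttribute("order", new Order(id, "shipped"));   // constructed stand-in for a service call
            return "orders/show";   // JSP logical name; the JSON/XML default views ignore it
        }
    }

    @Bean
    public OrderController orderController() {
        return new OrderController();
    }

    @Override
    public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
        configurer
            .favorPathExtension(true)                  // /orders/42.json or /orders/42.xml
            .ignoreAcceptHeader(false)                 // or Accept: application/json with no suffix
            .defaultContentType(MediaType.TEXT_HTML)   // a browser sending neither gets the JSP
            .mediaType("json", MediaType.APPLICATION_JSON)
            .mediaType("xml", MediaType.APPLICATION_XML);
    }

    @Bean
    public ViewResolver contentNegotiatingViewResolver(ContentNegotiationManager manager) {
        ContentNegotiatingViewResolver resolver = new ContentNegotiatingViewResolver();
        resolver.setContentNegotiationManager(manager);   // @EnableWebMvc exposes this bean

        MappingJackson2JsonView json = new MappingJackson2JsonView();
        json.setExtractValueFromSingleKeyModel(true);     // {"id":42,"status":"shipped"} instead of {"order":{...}}

        Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
        marshaller.setClassesToBeBound(Order.class);
        MarshallingView xml = new MarshallingView(marshaller);

        List<View> defaultViews = new ArrayList<View>();
        defaultViews.add(json);
        defaultViews.add(xml);
        resolver.setDefaultViews(defaultViews);            // used when the negotiated type is not text/html
        return resolver;
    }

    @Bean
    public ViewResolver jspViewResolver() {
        InternalResourceViewResolver jsp = new InternalResourceViewResolver();
        jsp.setPrefix("/WEB-INF/jsp/");
        jsp.setSuffix(".jsp");
        return jsp;
    }
}
```

`setExtractValueFromSingleKeyModel(true)` is what makes the answer's "one model attribute" advice pay off: with a single attribute the JSON is the object itself; with five, the JSON becomes a map of all five, including anything the JSP needed but the API client should never see. Keeping `mediaType()` limited to the two explicit extensions also means an unexpected suffix does not select a view.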
I have some model objects I'm using in my Java client application. Later these model objects will be populated / retrieved from remote services (e.g. SOAP). Now I want to do manual / automatic testing of the frontend before implementing these services. The model objects are mostly POJO and I want to store some sample test data in files and populate them with some easy method.
E.g. having model object School (with name (String) and teachers (List)) and Teacher with lastname and firstname, I want to store actual test data in some XML / text file and create some schools containing teachers from these data.
What are you using in this situation? I'm not familiar with TDD yet, but I can't imagine that there is no generic framework for doing this.
[edit]
I've chosen Spring to mock up my sample data / services, but the other alternatives mentioned here would have worked as well.
Sounds like a good use of XML serialization. You can use any XML serialization tool you like: XStream, etc.
Another nice tool is SOAP UI. If you point it to the WSDL for your service it'll create the XML request for you. Fill in the values and off you go. These can be saved, so perhaps that's a good way to generate test cases.
You can also use Spring to mock your remote service(s) and their responses.
In this case, all you have to do is loading an applicationContext that will simulate your backend system(s) by replying exactly what you want for your test purpose.
Why not keep the test data in Java? You have no extra stages, formats or libraries to deal with. It's fast and you have the power and familiarity of Java on your side.
First, I'd agree with duffymo that XStream and SOAP UI are viable options. However, I've also used the approach described by Tom Hawtin, as described below.
A helper class constructs a set of test instances of the model classes, some valid and some invalid in specific ways, and builds the appropriate object graphs. An initial test case uses a valid object graph. Successive tests substitute invalid objects for valid ones in the initial setup, checking that the appropriate errors are returned.
The helper class provides a single point of control for constructing objects whose contents are appropriately related for the scenarios needed in testing.
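As an added example (not code from any of the answers, nor from XStream), here is the helper-class approach from the last answer combined with the XStream serialization suggested earlier, using the asker's School and Teacher model: one class builds the valid graph and the deliberately broken variants, and the same XStream instance writes them to and reads them from an XML file. The field names, the output file name and the sample data are assumed and constructed for illustration.

```java
// Added example, not from the original answers. Fields, file name and sample values are assumed.
package com.example.testdata;

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import com.thoughtworks.xstream.XStream;

public class SampleData {

    public static class Teacher {
        public String firstname;
        public String lastname;
        public Teacher() { }
        public Teacher(String firstname, String lastname) { this.firstname = firstname; this.lastname = lastname; }
    }

    public static class School {
        public String name;
        public List<Teacher> teachers = new ArrayList<Teacher>();
        public School() { }
        public School(String name, Teacher... teachers) { this.name = name; this.teachers.addAll(Arrays.asList(teachers)); }
    }

    /**
     * One configured XStream. allowTypes() is the line that matters: XStream instantiates
     * whatever class the XML names unless the type whitelist restricts it, so a test fixture
     * file should never be able to name anything but the model classes.
     */
    public static XStream xstream() {
        XStream xs = new XStream();
        xs.allowTypes(new Class[] { School.class, Teacher.class });
        xs.alias("school", School.class);
        xs.alias("teacher", Teacher.class);
        return xs;
    }

    /** Single point of control: the valid graph, then variants that are invalid in one specific way. */
    public static School validSchool() {
        return new School("Riverside High", new Teacher("Ada", "Lovelace"), new Teacher("Alan", "Turing"));
    }

    public static School schoolWithoutName() {
        School s = validSchool();
        s.name = null;
        return s;
    }

    public static School schoolWithTeacherMissingLastname() {
        School s = validSchool();
        s.teachers.set(0, new Teacher("Ada", null));
        return s;
    }

    public static String toXml(School s) {
        return xstream().toXML(s);
    }

    public static School fromXml(String xml) {
        return (School) xstream().fromXML(xml);
    }

    /** Writes the valid fixture to disk and reads it back, as the test setup would. */
    public static void main(String[] args) throws Exception {
        Path file = Paths.get("school-valid.xml");
        Files.write(file, toXml(validSchool()).getBytes(StandardCharsets.UTF_8));
        School back = fromXml(new String(Files.readAllBytes(file), StandardCharsets.UTF_8));
        System.out.println(back.name + " has " + back.teachers.size() + " teachers");
    }
}
```

The invalid variants are built by mutating a fresh copy of the valid graph rather than by hand-writing a second XML file, so each test states exactly which single field it breaks; the XML files remain a serialization of the helper's output, not a second source of truth.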