dcsimg
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX

How to Call a Stored Procedure via the JdbcTemplate
How to Increment Integers
Determine if String str2 is a Rotation of String str1
Convert a Given Code Point to a String
Understanding java.net.PasswordAuthentication

advertisement
 

Stripes 1.5 in Black and White: Simpler Java Web Development : Page 2

The latest release of the Stripes MVC framework adds simplified configuration as well as support for security, AJAX, and more without forgetting its ease-of-use roots.


by Rick Smith
Sep 26, 2008
Page 2 of 3
advertisement
Added Security Features
One of Stripes' strengths is its ability to map complex Java objects to parameters in the HTML view. However, if misused, this capability can risk unwanted manipulation of the values in the backend. Imagine a banking application, for example. You certainly want to show customer their balances, but want them to be able to manipulate these values only through very controlled processes such as verifiable deposits or transfers (i.e., not by pasting a new and higher value into their URL). The Stripes team has added the @StrictBinding annotation to let you restrict binding to only those properties that you want the end user to be able to change.

Stripes 1.5 also adds support for transparent encryption of variables, which makes URLs in your application less susceptible to manipulation. Just set your own encryption key in the web.xml file's Stripes.EncryptionKey initialization parameter, and then mark up any parameters you want encrypted using the @Validate annotation in your ActionBean. Those parameters are encrypted and written into Stripes' form, link, and URL tags for display. These values are then decrypted on the return trip to the ActionBean, validated, and finally, bound to their target properties—-all automatically.

The following is an example of encrypting an ActionBean property with the Validate annotation: 


@ValidateNestedProperties({
         @Validate(field="id", encrypted=true),
     })
     private Contact contact = new Contact();

You can create your own encryption key in the web.xml file as follows: 


<filter>
     <filter-name>StripesFilter</filter-name>
     <filter-class>net.sourceforge.stripes.controller.StripesFilter
     </filter-class>
     <init-param>
          <param-name>ActionResolver.Packages</param-name>
          <param-value>com.datarabia.example.stripes</param-value>
     </init-param>
     <init-param>
          <param-name>Extension.Packages</param-name>
          <param-value>com.datarabia.example.stripes</param-value>
     </init-param>
     <init-param>
          <param-name>Stripes.EncryptionKey</param-name>
          <param-value>1234567890</param-value>
     </init-param>
</filter>

Finally, the Stripes team has encrypted the _sourcePage parameter—the breadcrumb placed in all Stripes forms—which is used to return viewers to their previous views when errors occur. This is one more way that sensitive internal workings of a Stripes application can be abstracted.



« Previous Page 123 Next Page »
Thanks for your registration, follow us on our social networks to keep up-to-date