dcsimg
Login | Register   
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX

By submitting your information, you agree that devx.com may send you DevX offers via email, phone and text message, as well as email offers about other products and services that DevX believes may be of interest to you. DevX will process your information in accordance with the Quinstreet Privacy Policy.
How to Diagnose an OutofMemoryError in Android
Char Is Not Int
Tip: Char Is Not Int
Starting JVM with Memory of User's Choice
Tip: Starting JVM with Memory of User's Choice

advertisement
 

Stripes 1.5 in Black and White: Simpler Java Web Development : Page 2

The latest release of the Stripes MVC framework adds simplified configuration as well as support for security, AJAX, and more without forgetting its ease-of-use roots.


by Rick Smith
Sep 26, 2008
Page 2 of 3
advertisement

WEBINAR:

On-Demand

Application Security Testing: An Integral Part of DevOps


Added Security Features
One of Stripes' strengths is its ability to map complex Java objects to parameters in the HTML view. However, if misused, this capability can risk unwanted manipulation of the values in the backend. Imagine a banking application, for example. You certainly want to show customer their balances, but want them to be able to manipulate these values only through very controlled processes such as verifiable deposits or transfers (i.e., not by pasting a new and higher value into their URL). The Stripes team has added the @StrictBinding annotation to let you restrict binding to only those properties that you want the end user to be able to change.

Stripes 1.5 also adds support for transparent encryption of variables, which makes URLs in your application less susceptible to manipulation. Just set your own encryption key in the web.xml file's Stripes.EncryptionKey initialization parameter, and then mark up any parameters you want encrypted using the @Validate annotation in your ActionBean. Those parameters are encrypted and written into Stripes' form, link, and URL tags for display. These values are then decrypted on the return trip to the ActionBean, validated, and finally, bound to their target properties—-all automatically.

The following is an example of encrypting an ActionBean property with the Validate annotation: 











@ValidateNestedProperties({
         @Validate(field="id", encrypted=true),
     })
     private Contact contact = new Contact();

You can create your own encryption key in the web.xml file as follows: 


<filter>
     <filter-name>StripesFilter</filter-name>
     <filter-class>net.sourceforge.stripes.controller.StripesFilter
     </filter-class>
     <init-param>
          <param-name>ActionResolver.Packages</param-name>
          <param-value>com.datarabia.example.stripes</param-value>
     </init-param>
     <init-param>
          <param-name>Extension.Packages</param-name>
          <param-value>com.datarabia.example.stripes</param-value>
     </init-param>
     <init-param>
          <param-name>Stripes.EncryptionKey</param-name>
          <param-value>1234567890</param-value>
     </init-param>
</filter>

Finally, the Stripes team has encrypted the _sourcePage parameter—the breadcrumb placed in all Stripes forms—which is used to return viewers to their previous views when errors occur. This is one more way that sensitive internal workings of a Stripes application can be abstracted.



« Previous Page 123 Next Page »
Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 
Sitemap
×
We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.
Thanks for your registration, follow us on our social networks to keep up-to-date