[JBoss Seam] - Re: HowTo: When going to a page to enter data, pull from db
by CptnKirk
One downside to using EntityHome for generic CRUD is the lack of built-in security. One needs to be careful when using Homes for CRUD operations that allow or require RequestParameters. You need to ensure the operation on this ID is valid. You don't want to expose information you shouldn't, and you definitely don't want to modify or destroy information you shouldn't.
For example, you don't want a user to update or delete another user's entity just by changing an ID in the URL and hitting return. Seam supports entity-level security and you can probably extend a Home to double check access restrictions prior to operations. Likewise, you don't want private information available on, let's say, a user profile screen to be available to anyone able to modify a URL.
My concern is that new Seam users may overuse this feature and run into these problems down the road. Or that they won't bother to learn how entity-level security works or how to configure it.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039576#4039576
19 years
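As an added example (not code from the thread or from the Seam project), here is one way to do the double check CptnKirk describes: a Home that verifies ownership before every read and write, so changing the id in the URL only ever reaches the caller's own row. It assumes a hypothetical Note entity with an owner field and the Seam 1.x/2.0 Identity API (Identity.instance().isLoggedIn() and getPrincipal()).

```java
import javax.persistence.Entity;
import javax.persistence.Id;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.framework.EntityHome;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;
// Constructed entity for this example: every Note records the username that owns it.
@Entity
class Note {
    @Id private Long id;
    private String owner;
    public String getOwner() { return owner; }
    public void setOwner(String owner) { this.owner = owner; }
}
// A Home that refuses to read, update or delete a Note the current user does not own,
// whatever id arrives in the request parameter bound to noteHome.id.
@Name("noteHome")
public class NoteHome extends EntityHome<Note> {
    // Username of the logged-in principal; fail closed when there is none (assumed Seam 2.0 API).
    private String currentUser() {
        Identity identity = Identity.instance();
        if (!identity.isLoggedIn() || identity.getPrincipal() == null) {
            throw new AuthorizationException("login required");
        }
        return identity.getPrincipal().getName();
    }
    // Ownership check; pages.xml can map the AuthorizationException to an error page.
    private Note requireOwner(Note note, String action) {
        String user = currentUser();
        if (note == null || !user.equals(note.getOwner())) {
            throw new AuthorizationException(user + " may not " + action + " note " + getId());
        }
        return note;
    }
    // Read path: #{noteHome.instance} on a view or edit page only returns the caller's own
    // note. Without an id the instance is fresh and unsaved, so there is nothing to protect yet.
    @Override
    public Note getInstance() {
        Note note = super.getInstance();
        return isIdDefined() ? requireOwner(note, "view") : note;
    }
    // Creation: the owner comes from the session identity, never from a form field.
    @Override
    public String persist() { getInstance().setOwner(currentUser()); return super.persist(); }
    @Override
    public String update() { requireOwner(getInstance(), "update"); return super.update(); }
    @Override
    public String remove() { requireOwner(getInstance(), "delete"); return super.remove(); }
}
```

The same pattern applies to a search or report Home: the check runs on the loaded entity, not on the raw request parameter, so a forged id fails regardless of how it reached the page.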
[JBoss Seam] - Re: Login Best Practices
by CptnKirk
My apps simply have their own secure login pages so I don't have a best practice, but I'll help hash something out. I suppose my first question is: are you using Facelets? My knee-jerk solution to this would be to write a simple <my:loginForm> tag with Facelets that used a regular HTML form and an https action URI. The action URI can be backed by a servlet that would get everything sorted. When it's all said and done you end up being redirected to your app's home JSF page with a new secure session and populated identity.
Sure, it would be nice if some nice JSF framework provider did all the work for you. Fortunately I don't think it's that much work and it should fit the requirements. I'm sure Seam will eventually get there, they just need to step back and think about the problem. I think they've been burnt rushing into things in the past.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039573#4039573
19 years
[JBoss Seam] - Re: HowTo: When going to a page to enter data, pull from db
by petemuir
"CptnKirk" wrote : Yep, it was late, I forgot I overrode the scope on some of my entities. However there are plenty of times where simple CRUD doesn't fit the bill. If you're actually managing an entity, sure, use a Home. However if you're using a form to populate an entity for another purpose, using Seam to populate a scoped entity and hand it off for further processing has advantages. Of course the entity doesn't need to be an EJB 3 entity. Seam does the same for POJOs.
+1
anonymous wrote : For example I don't think I'd recommend using a Home to populate a search prototype. For search pages, an entity with an event scoped role combined with Hibernate's Criteria API + Example criterion is great.
I prefer using a Query with restrictions in most cases (mainly 'cause the wiring is all done for me) - you can get some pretty complex queries going with just a few lines of XML. But definitely an extended entity, or one configured through components.xml, is a great way.
anonymous wrote : What would be really great would be to put out a Seam cookbook.
You should talk to some publishers :) There really aren't many Seam books out atm
anonymous wrote : For an example you could have a managed component observe many events that happen within your system and change the underlying representation as a result of those observations. With the managed component pattern a component can manage these actions itself and because the component is unwrapped on every access, all callers will have a consistent view. This is a much different use than what Factories provide for.
Interesting use, I've never thought of that - the manual is pretty light on decent uses of @Unwrap (that wouldn't be better done by @Factory); if I get a moment (and you don't mind) I'll try to incorporate that.
Now, if only the forums had a decent search function so people could read all these useful discussions ;)
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039571#4039571
19 years