[jboss-user] [JBoss Seam] - Re: Automatic Entity merge
CptnKirk
do-not-reply at jboss.com
Mon Sep 25 17:25:50 EDT 2006
anonymous wrote : One alternative approach is instead of passing the entity object around, just pass the id in a request parameter and use something like the ManagedEntity component (in Seam CVS) to auto-load the entity instance and expose it via a context variable.
Since request parameters can be easily manipulated by a malicious user, this seems like a pretty dangerous general approach to me. When you're searching a blog or providing REST services, this works great. For a general CRUD framework this worries me.
For example, I wouldn't want my bank's online "add joint account member" conversation to take in currentUserId and newJointUserId as request params.
Of course, I haven't seen this thing in action, maybe there are safeguards in place to detect manipulation of these params. Please assuage my fears. :)
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3974032#3974032
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3974032
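
The concern raised in this message, sketched as an added example that is not part of the original post and not Seam code: an entity loaded by a request-supplied id is only safe when the server checks it against the authenticated session. All class, method and parameter names (`Account`, `addJointMember`, `accountId`, `sessionUserId`) and the sample data are hypothetical.

```java
import java.util.*;

// Added illustration; nothing here is Seam API. All names are hypothetical.
public class JointMemberExample {
    static final class Account {
        final long id;
        final Set<Long> ownerIds = new HashSet<>();
        Account(long id, long ownerId) { this.id = id; ownerIds.add(ownerId); }
    }

    // Constructed sample data standing in for the persistence layer.
    static final Map<Long, Account> ACCOUNTS = new HashMap<>();
    static {
        ACCOUNTS.put(100L, new Account(100L, 1L)); // owned by user 1
        ACCOUNTS.put(200L, new Account(200L, 2L)); // owned by user 2
    }

    // Risky form: the entity is auto-loaded from a request parameter and
    // modified without asking whether the caller may touch it.
    static void addJointMemberUnchecked(Map<String, String> params) {
        Account account = ACCOUNTS.get(Long.parseLong(params.get("accountId")));
        account.ownerIds.add(Long.parseLong(params.get("newJointUserId")));
    }

    // Checked form: the acting user comes from the authenticated session,
    // never from the request, and the loaded entity must belong to that user.
    static void addJointMember(long sessionUserId, Map<String, String> params) {
        Account account = ACCOUNTS.get(Long.parseLong(params.get("accountId")));
        if (account == null || !account.ownerIds.contains(sessionUserId)) {
            // Same error for "missing" and "not yours" so ids cannot be probed.
            throw new SecurityException("account not accessible to this user");
        }
        account.ownerIds.add(Long.parseLong(params.get("newJointUserId")));
    }

    public static void main(String[] args) {
        // Constructed request: user 2 is logged in but names account 100 (user 1's).
        Map<String, String> tampered = Map.of("accountId", "100", "newJointUserId", "2");
        try {
            addJointMember(2L, tampered);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        addJointMemberUnchecked(tampered);
        System.out.println("unchecked owners of 100: " + ACCOUNTS.get(100L).ownerIds);
    }
}
```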