-
1. Re: Business level validation for page params
zaya Jun 4, 2009 11:07 AM (in response to zaya)Let me clarify my problem.
I use page param to map id of entity to the entity object in the backing bean. Due to security reasons, I need to restrict the id range of the entity that the page is allowed to be accessed. Currently I use converter to convert ids to entity beans.
I know there is validator binding in pages.xml, but as the logic is tightly associated to each page or backing bean, it's much reasonable to put the code into the bean if possible, or I need to create many non-reusable validators. Also if I use validators I can't access other page params.
The best option I can see is seam can make action method executed before update model phase. Like
<action execute="#{myBean.validatePageParams}" preUpdateModel="true" />
I'm just curious what makes seam think an action method should only be executed before the rendering phase?
Fot a workaround, I know there is Home object, and I can call validation code on getters. But then I need to provide extra checking to make sure the validation is not called many times.
Maybe I can put the code into the setters, but in Pages.applyConvertedValidatedValuesToModel(), I see the code:
if (object!=null) { valueExpression.setValue(object); }
So if the converted object is null, the setter will not be called. But I can't guarantee that the page param is always not null.Another option is to put the validation code into a method and call it before the action method. But to make get request also calls the validation, I need to also call the validation in page action and define it as not no postbacks. It's not elegant too.
I also tried to put the code into @Create method but as @Create method is always called before a pgae param binding, it doesn't do the trick.
Can anyone give me some hint, what would be the elegant solution for such a scenario? Or did I miss something?
-
2. Re: Business level validation for page params
zaya Jun 5, 2009 2:32 AM (in response to zaya)If I use seam security to restrict the range of the entity ids, I then face the exact problem in this post:
http://seamframework.org/Community/PageRestrictTagAjaxCallAndPOSTParameter
In pages.xml if I write
<restrict>#{s:hasPermission(myBean.myEntity,'idCheck')}</restrict>
Fot get requst it's ok as the 'restore' restriction is bypassed, but for post request this restriction is always checked and it's checked before page params are applied, so it's doomed to fail.
I really think this is the area that seam should improve, there isn't default construct for such a scenario.
Maybe I should write my own phase listeners and call security manually?