2 Replies Latest reply on Jun 5, 2009 2:32 AM by Yenan Zhou

    Business level validation for page params

    Yenan Zhou Newbie

      I need to check the business level validation for page params, and when the rule is validated, the page is redirected.


      For form validation, I can just put the code inside the action method. But for page params, as the validation is also required for GET requests, I don't know where the best place to write the code would be.


      Actually, I want the validation to happen after the update model phase and before the invoke application phase in both GET and POST requests. Is this possible?

        • 1. Re: Business level validation for page params
          Yenan Zhou Newbie

          Let me clarify my problem.


          I use page param to map id of entity to the entity object in the backing bean. Due to security reasons, I need to restrict the id range of the entity that the page is allowed to be accessed. Currently I use converter to convert ids to entity beans.


          I know there is validator binding in pages.xml, but as the logic is tightly associated with each page or backing bean, it's much more reasonable to put the code into the bean if possible, or I need to create many non-reusable validators. Also, if I use validators I can't access other page params.


          The best option I can see is seam can make action method executed before update model phase. Like

           <action execute="#{myBean.validatePageParams}" preUpdateModel="true" />
          



          I'm just curious what makes seam think an action method should only be executed before the rendering phase?


          For a workaround, I know there is the Home object, and I can call validation code in getters. But then I need to provide extra checking to make sure the validation is not called many times.


          Maybe I can put the code into the setters, but in Pages.applyConvertedValidatedValuesToModel(), I see the code:

          if (object!=null)
          {
              valueExpression.setValue(object);
          }
          


          So if the converted object is null, the setter will not be called. But I can't guarantee that the page param is always not null.


          Another option is to put the validation code into a method and call it before the action method. But to make GET requests also call the validation, I need to also call the validation in a page action and define it as not on postbacks. It's not elegant either.


          I also tried to put the code into the @Create method, but as the @Create method is always called before page param binding, it doesn't do the trick.


          Can anyone give me some hint, what would be the elegant solution for such a scenario? Or did I miss something?

          • 2. Re: Business level validation for page params
            Yenan Zhou Newbie

            If I use seam security to restrict the range of the entity ids, I then face the exact problem in this post:


            http://seamframework.org/Community/PageRestrictTagAjaxCallAndPOSTParameter


            In pages.xml if I write

            <restrict>#{s:hasPermission(myBean.myEntity,'idCheck')}</restrict>



            For GET requests it's OK as the 'restore' restriction is bypassed, but for POST requests this restriction is always checked, and it's checked before page params are applied, so it's doomed to fail.


            I really think this is an area that Seam should improve; there isn't a default construct for such a scenario.


            Maybe I should write my own phase listeners and call security manually?
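
The null-skip behaviour described in reply 1, as an added example that is not part of the original thread and is not Seam code: plain Java with hypothetical names (`MyBean`, `applyToModel`, a constructed 100-199 id range) modelling the quoted `if (object!=null)` step. It shows that a check placed in the setter never runs for an absent page param, while an explicit check run after binding denies both the absent and the out-of-range case.

```java
import java.util.function.Consumer;

public class PageParamCheckDemo {
    // Hypothetical backing bean; the id-range rule lives in the bean itself.
    static class MyBean {
        private Long entityId;          // stands in for the converted entity
        private boolean setterChecked;  // records whether the setter check ran

        void setEntityId(Long id) {     // validation placed in the setter
            setterChecked = true;
            requireAllowed(id);
            this.entityId = id;
        }

        // Explicit check, meant to run once after binding on GET and POST alike.
        // Fails closed: a missing id is rejected instead of being skipped.
        void validatePageParams() {
            requireAllowed(entityId);
        }

        private static void requireAllowed(Long id) {
            if (id == null || id < 100 || id > 199) { // constructed allowed range
                throw new SecurityException("entity id not permitted: " + id);
            }
        }
    }

    // Models the quoted snippet: the setter is invoked only for non-null values.
    static void applyToModel(Long converted, Consumer<Long> setter) {
        if (converted != null) {
            setter.accept(converted);
        }
    }

    static boolean denied(Runnable check) {
        try { check.run(); return false; } catch (SecurityException e) { return true; }
    }

    public static void main(String[] args) {
        MyBean absent = new MyBean();
        applyToModel(null, absent::setEntityId);   // param missing from the request
        System.out.println("setter check ran for absent param: " + absent.setterChecked);
        System.out.println("explicit check denies absent param: " + denied(absent::validatePageParams));

        MyBean outOfRange = new MyBean();
        System.out.println("setter denies id 500: " + denied(() -> applyToModel(500L, outOfRange::setEntityId)));

        MyBean ok = new MyBean();
        applyToModel(150L, ok::setEntityId);       // id inside the allowed range
        System.out.println("explicit check denies id 150: " + denied(ok::validatePageParams));
    }
}
```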