Re: [Actionframework-users] parameters to output-variable methods
From: Petr T. <Pet...@pi...> - 2002-08-08 18:03:58
> ah, ok. that wasn't clear from the tutorial. i guess the tutorial
> showed that you could put $xxx as the value, i didn't make the leap
> to assume i could use them as parms in a method call though. i was
> expecting the calls there to work like the 'method' attribute of the
> 'action' element.

I will add an example to Sections 1.5.5.2.1 and 1.5.6 in the spec.

> just as an aside, does putting a reference to the context IN the
> context open one up for a memory leak? or is the vm smart enough to
> know if a reference to something is from something that is ready to
> be destroyed anyway?

I guess the Context is garbage collected after the template is rendered, but that's up to Velocity/WebMacro.

> i suppose putting a reference to the context in the context isn't a
> real security concern, you couldn't use that reference in the
> template to do anything that a template wouldn't be able to do
> otherwise, would it? the context to a template is almost like the
> 'this' pointer in a method i guess, you always use it whenever you
> use a '$' operator anyway.

The context holds only values from the request and those set by the application, so I cannot think of anything that might be a security issue. Unless you process someone else's templates (example: custom skins downloaded from an arbitrary URL), you shouldn't worry.

Btw, in my app I run all HTTP requests through JAAS - the servlet overrides the handle() method:

    public Template handle(final HttpServletRequest request,
                           final HttpServletResponse response,
                           final Context context) {
        // run this request on behalf of the current user
        try {
            return (Template) AccessController.doPrivileged(
                new PrivilegedExceptionAction() {
                    public Object run() throws InvocationTargetException {
                        return MyServlet.super.handle(request, response, context);
                    }
                },
                // access control context obtained from the authenticator component
                ((Auth) getComponent("authenticator", true)).getContext(policy));
        } catch (/* exceptions */) {
            /* ... */
        }
    }

Auth is a subclass of Authenticator from JAASModule (http://dione.zcu.cz/~toman40/JAASModule).

This ensures that the user must have a permission for anything s/he is doing.

> thanks for taking the time to answer these, i'm slowly getting my
> head everything!

You're welcome! :)

Petr

--
[ http://dione.zcu.cz/~toman40 - Pet...@pi... - ICQ=22957959 ]