David Chandler's Journal of Java Web and Mobile Development

  • David M. Chandler

    Web app developer since 1994 and Google Cloud Platform Instructor now residing in Colorado. Besides tech, I enjoy landscape photography and share my work at ColoradoPhoto.gallery.

  • Subscribe

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 223 other followers

  • Sleepless Nights…

    May 2022
    S M T W T F S
  • Blog Stats

    • 1,033,665 hits

Archive for the ‘JavaServer Faces’ Category

JSF Security Presentation at OWASP Atlanta Wed Aug 9

Posted by David Chandler on August 8, 2006

Securing JavaServer Faces Applications Against the OWASP Top Ten Attacks

This is a preview of the talk I’ll be giving at ApacheCon US in October.

When: Wednesday August 9th 6:30pm – 8:00pm

Thoughtmill – MapQuest <http://www.mapquest.com/directions/main.adp?go=1&do=nw&rmm=1&un=m&cl=EN&ct=NA&rsres=1&1ahXX=&1y=US&1a=&1c=&1s=&1z=&2ahXX=&2y=US&2a=2520+Northwinds+Parkway%2C+Suite+300&2c=Alpharetta&2s=Ga&2z=30004>
Two Northwinds Center
2520 Northwinds Parkway, Suite 300
Alpharetta, GA 30004
tel: 678.566.4700
fax: 678.566.4861

This meeting is open to public and admission is free.

OWASP Atlanta – our mission as a local chapter of the Open Web Application Security Project is to help promote awareness and contributions to web application security.

Who Should Attend – anyone interested in Web Application Security (management, security architects, developers, etc)

Please RSVP for this event. Send email to cburkeinga “at” hotmail and also Register to OWASP Atlanta mailing list at: http://lists.sourceforge.net/lists/listinfo/owasp-atlanta/

Keynote Speaker: David Chandler
The JavaServer Faces (JSF) API is an excellent foundation for building
secure Web applications because of its component-oriented nature,
carefulness surrounding data validation, and numerous extension points.
Apache myFaces builds on this strength by providing components which
offer built-in protection against many of the OWASP Top Ten attacks
including form parameter tampering and cross-site scripting. In this
presentation, we’ll review how myFaces protects against these attacks
and move on to explore JSF extensions you can deploy to provide complete
protection against the OWASP Top Ten, including forced browsing,
information leakage in select boxes, and unauthorized method execution.
Specifically, we’ll look at centralized approaches to ensuring that
every field and form is properly validated, a phase listener and view
handler to prevent forced browsing and assist with detection of session
hijacking, a customer converter and component to hide sensitive
information such as IDs in menu options, and a JAAS permission checker
for component actions (event handler methods).

Speaker Biography:
David Chandler is a Java Web Architect in Atlanta, GA, where he has been developing a next-generation platform for Internet banking applications. An electrical engineer by trade, Chandler got hooked on developing dynamic Web applications in 1994 and hasn’t looked back since. Having written Web applications in C, perl, ColdFusion, and Java, Chandler is a huge fan of tools like Hibernate and JSF that bring together the robustness and expressiveness of Java along with the speedy development that once belonged only to scripting languages. Chandler holds a patent on a method of organizing hierarchical data in a relational database and is the author of the best-selling Running a Perfect Web Site (Que, 1995).

Posted in JavaServer Faces, Web App Security | 3 Comments »

A PRG Phase Listener for JSF

Posted by David Chandler on August 6, 2006

This post (and blog) has moved to http://learnjsf.com/wp/2006/08/06/a-prg-phase-listener-for-jsf/

Posted in JavaServer Faces | 4 Comments »

Real-World JSF Training Sep 25-26 Atlanta

Posted by David Chandler on May 24, 2006

I’ll be offering Real World JSF with Facelets in Atlanta this Fall, tentatively Sep 25-26 in Alpharetta. The two-day course is hands-on with your own laptop and limited to 15 students. The course will get you started building JSF apps with myFaces and facelets using Eclipse with Exadel Studio (free plug-in).

We’ll move quickly through JSF basics (which will be very familiar to Struts developers) and on to solving real-world problems including

  • how best to use and scope managed beans as view controllers
  • best practices for implementing conditional UI controls
  • minimizing redundant code and improving safety with rich type converters
  • how to validate at the data type, component, form, or page level
  • dealing with the back button
  • securing your app against parameter tampering and forced browsing
  • writing custom tags and converters using facelets auto-wiring
  • adding components to the view programatically
  • exporting files from JSF views
  • using an action listener to implement method security checks
  • how to nest and validate form controls within data table rows
  • building a site layout with facelets templates
  • creating custom tags with facelets tag files
  • adding indirection to custom tags using composition components

If you want to be notified when the course is open for registration, please e-mail turbomanage@gmail.com. The cost will be $900, including materials and lunch both days. You should have some prior background in MVC Web applications development to get the most from the course.


Posted in JavaServer Faces | Leave a Comment »

JSF Tip of the Day: EL Conditional Operator

Posted by David Chandler on May 24, 2006

Do you ever need to convert a boolean value for output to Yes/No (in any language) as opposed to the default true or false that JSF renders? Here’s a nifty way to do it with a properties file and the JSF EL conditional operator. Create a properties file with keys for “true” and “false”. Example:


Then, in your view

<f:loadBundle basename=”path.to.your.properties.file” var=”msgs” />

<h:outputText value=”#{ (myBean.someBoolean==true) ? msgs[‘true’] : msgs[‘false’] }” />

Nifty, huh?


Posted in JavaServer Faces | 7 Comments »

JSF Tip of the Day: Immediate outcomes

Posted by David Chandler on March 30, 2006

Do you ever want to use a button to transition to another view, but don’t need to execute an event handler method? Common examples of this are Cancel and Finished buttons. Rather than writing a dummy method just to return an outcome string that matches a navigation rule, you can simply do this:

<h:commandButton value=”Finish” immediate=”true” action=”return_to_start”/>

When immediate=true, JSF skips the validation, update model, and invoke application phases, so no event handler methods are executed and you specify the outcome string in the action attribute where you would normally put a method binding. To select the next view, JSF will process navigation rules using the outcome as usual.


Posted in JavaServer Faces | Leave a Comment »

MVC and Event-Driven Programming

Posted by David Chandler on September 10, 2005

A dynamic Web application has more in common with a traditional Windows GUI application than with a static Web site. A Web application, similar to any GUI application, typically consists of forms populated with database data. As with any Windows application, forms have action buttons and familiar controls such as check boxes and text input fields. Fifteen years ago, Microsoft revolutionized GUI programming with the introduction of Visual Basic and the event-driven paradigm. Arguably, the industry transition from procedural to event-driven code has been every bit as significant as the transition to object-oriented programming.

Until recently, however, the shift to event-driven programming was completely missed by Web application developers. Most likely, this is because early on, the Web was mostly about sites, not applications. HTTP and HTML are page-oriented, and scripting languages like ColdFusion, ASP, and JSP made it easy to develop dynamic “pages.”

The page-oriented paradigm works fine for small applications with uncomplicated navigation, but it quickly breaks down for large applications with a lot of user input. The root of the problem is one of encapsulation. A typical script “page” contains at least two different kinds of code:

  1. Action code that processes input from the submitted form
  2. Presentation code that displays the result page

These two things do not belong together in the same unit of code. For example, suppose a form has two buttons, one which goes to another form to do some kind of lookup, and one to process the completed form. Regardless of which button is pressed, you want to save the data from the initial form so you can use it later. Typically, the “page” referenced in the form action attribute would save the form data regardless of which button was clicked, then include or forward to a new “page” based on a form variable like a named submit button.

From an encapsulation point of view, there is no reason that the unit of code that saves the form data should have to know about the navigation changes associated with the different buttons on the form. The more complex your navigation, the more apparent this becomes. In one application I worked on, there were hidden variables named “what” (no kidding) and “origWhat” that got copied from page to page to keep track of the user’s page flow. Many pages had code blocks like

if (origWhat = “page x”)
// Came from page A
do one thing
do something else

In essence, this and the previous example are a kind of event-driven programming where each button represents an event, but the navigation rules and processing code are all jumbled up together. Code like the block above is dependent on the preceding page flow, yet the exact nature of the dependency is not clearly visible in the code. Hidden dependencies make code brittle.

Event-Driven Web Frameworks
Enter event-driven Web frameworks like Fusebox, Struts, and JavaServer Faces (JSF). These frameworks decouple event handlers (action processing) from view selection (navigation). This is commonly done by using a navigation rules file that specifies all the page transitions independently of any code that handles events. This is perfectly in keeping with Chandler’s Law of Coupling:

Where dependencies exist, represent them explicitly in one place instead of hiding them in many places.

Of the frameworks mentioned, the JSF navigation controller is the most flexible, allowing you to specify the next view based on the previous view, the event that fired (which button was pressed), the outcome of that event (success, failure, etc.), or any combination of these. In addition, JSF devotes an entire step in the request lifecycle to automatically saving the data from the previous form, so you don’t have to worry about that any longer. More on that in a coming article.

In a nutshell, the event-driven paradigm for dynamic Web applications fulfills Chandler’s First Law of Application Design:

Choose a design paradigm that most closely fits the system you’re trying to model.

Event-driven Web frameworks let you code a Web application more like the GUI application that it really is. If you want robust, maintainable code, you need the right tool for the job.

Controlling Page Sequencing with an Event-Driven State Machine
A State Machine Engine for Web MVC


Posted in JavaServer Faces, Model-View-Presenter | 3 Comments »

%d bloggers like this: