| Title: DataObjectUtils |
| |
| <P>DataObjectUtils class provides an important and easy to use facility to obtain a primary key value from a DataObject and to locate a DataObject in the database for a known primary key. Both operations work in a generic fashion and do not require primary key to be an object property.</P> |
| |
| <DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="http://cayenne.apache.org/docs/3.0/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Security Warning</B><BR>DataObjectUtils make it very easy to use a primary key value as a universal "code" for an object in web forms and URLs. This opens a potential security hole in the interface. If application code is not careful enough, a malicious user can gain access to the information she is not allowed to see (e.g. other people's accounts) simply by trying a series of sequential numbers. So, for example, it is probably okay to use product PK to build a bookmarkable link to a catalog product, but it may not be appropriate to do that for a private user profile record.</TD></TR></TABLE></DIV> |
| |
| <P>DataObjectUtils API is really straightforward and self-explanatory. It supports the most common case of a single column integer primary key, but also a more generic case of an arbitrary PK (that can also be compound, i.e. consist of more than one column). Here is an example:</P> |
| |
| <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent"> |
| <PRE class="code-java"> |
| <SPAN class="code-comment">// obtain PK to build a bookmarkable artist page URL |
| </SPAN>Artist artist = ...; |
| <SPAN class="code-object">int</SPAN> artistID = DataObjectUtils.intPKForObject(artist); |
| <SPAN class="code-object">String</SPAN> artistURL = <SPAN class="code-quote">"http:<SPAN class="code-comment">//www.example.org/catalogapp/artists?a="</SPAN> + artistID;</SPAN> |
| </PRE> |
| </DIV></DIV> |
| |
| <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent"> |
| <PRE class="code-java"> |
| <SPAN class="code-comment">// find an artist from URL parameters |
| </SPAN>HttpServletRequest request = ...; |
| DataContext context = ...; |
| <SPAN class="code-object">String</SPAN> idString = request.getParameter(<SPAN class="code-quote">"a"</SPAN>); |
| |
| <SPAN class="code-keyword">if</SPAN>(idString != <SPAN class="code-keyword">null</SPAN>) { |
| Artist artist = DataObjectUtils.objectForPK(context, Artist.class, <SPAN class="code-object">Integer</SPAN>.parseInt(idString)); |
| } |
| </PRE> |
| </DIV></DIV> |