
Ignore type conversion errors with EL

 
Daniil Sosonkin
Ranch Hand
Posts: 76
Hi folks,

A small question on whether it is possible to do or not. My application is being checked for bugs and such right now. One of the "issues" has to do with data conversions in JSP using EL. Let's say a page number is passed on to a JSP page via URL: ?page=XXX. This page is then being converted into an integer value to be passed on to a bean. But let's say a "malicious" user plays with the URL and puts in ?page=abc444 or ?page=200000000000000000000000000. In both cases that causes an exception to be generated which the clients don't like. In cases such as these, is it somehow possible to make EL simply convert a bad number into a 0 (zero) and ignore any errors? I mean - I really don't care for the number that cannot be converted into an integer. My other solution is to rewrite the beans to accept Strings and do the checking myself, but I really would like not to pollute the code like that.

Any suggestions?

Thanks in advance
 
Bauke Scholtz
Ranch Hand
Posts: 2458
"which the clients don't like"

So your clients are expected to act like malicious users?
I wouldn't worry about it after all. They are asking for the error themselves and they will get an error too.

Anyway, a solution is hard to give as it is not clear how you implemented this logic. There are many ways to achieve this.
 
Daniil Sosonkin
Ranch Hand
Posts: 76
Bauke Scholtz wrote:
"which the clients don't like"

So your clients are expected to act like malicious users?
I wouldn't worry about it after all. They are asking for the error themselves and they will get an error too.

Anyway, a solution is hard to give as it is not clear how you implemented this logic. There are many ways to achieve this.


Well, the idea is I'm able to handle the errors gracefully. In this particular incident, instead of displaying a general site error I would display the very first page. In another instance, such as an order entry and the keyboard got stuck on quantity or a fat finger, I would display that the quantity has to be greater than zero.

If you have suggestions, please.
 
Bauke Scholtz
Ranch Hand
Posts: 2458
Clear.

Anyway, a solution is hard to give as it is not clear how you implemented this logic. There are many ways to achieve this.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
Validate the values in the JSP's page controller prior to forwarding to the JSP.


 
Daniil Sosonkin
Ranch Hand
Posts: 76
Bear Bibeault wrote: Validate the values in the JSP's page controller prior to forwarding to the JSP.




The exception tree is as follows:

javax.servlet.jsp.el.ELException: An exception occured trying to convert String "4555555555555" to type "int"
org.apache.commons.el.Logger.logError(Logger.java:481)
org.apache.commons.el.Logger.logError(Logger.java:498)
org.apache.commons.el.Logger.logError(Logger.java:566)
org.apache.commons.el.Coercions.coerceToPrimitiveNumber(Coercions.java:440)
org.apache.commons.el.Coercions.coerce(Coercions.java:332)
org.apache.commons.el.FunctionInvocation.evaluate(FunctionInvocation.java:167)
org.apache.commons.el.ExpressionEvaluatorImpl.evaluate(ExpressionEvaluatorImpl.java:263)
org.apache.commons.el.ExpressionEvaluatorImpl.evaluate(ExpressionEvaluatorImpl.java:190)
org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:917)
org.apache.jsp.secure.research.news_005fajax_jsp._jspx_meth_c_set_0(news_005fajax_jsp.java:143)
org.apache.jsp.secure.research.news_005fajax_jsp._jspService(news_005fajax_jsp.java:112)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:334)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:246)
...SecurityFilter.doFilter(SecurityFilter.java:98)


My thinking is to change that Coercions.java file. Haven't checked whether source is public or not yet. Maybe a better way?
 
Bauke Scholtz
Ranch Hand
Posts: 2458
Sigh.

Once again: you need to elaborate HOW you implemented this logic. Only then can we give a more detailed and suitable answer on how to solve it.

Are you just asked to fix someone else's code without having any basic knowledge about the stuff under the hood?
 
Daniil Sosonkin
Ranch Hand
Posts: 76
Right now the logic is to throw an exception when a string cannot be converted to a target number type. My logic is to silently ignore the exception and return some default value such as 0 (zero). Maybe also log an error as a warning.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65530
Ummm, changing standard code is never a viable option.

You do have page controllers, no?

Your continued refusal or inability to elaborate on your code structure places this post in peril of being unsubscribed by those who would help you.
 
Daniil Sosonkin
Ranch Hand
Posts: 76
It's plain JSP code. I don't know what a page controller is, to be honest. So far I'm concentrating on the exception, maybe should look into something else. Let me give you a snippet:

<c:set var="news" value="${o:getNews(quote, param.start, 20)}" scope="request" />

Where getNews is defined as:

<function>
<name>getNews</name>
<function-class>com.Quotes</function-class>
<function-signature>java.util.List getNews(com.Quote,int,int)</function-signature>
</function>

The function already takes care of all illegal values for all its parameters. Anything that I'm missing?
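
One way to do the validation in a page controller, as suggested earlier in the thread (an added example, not code posted by anyone here): a servlet parses `start` defensively, falls back to 0, and forwards to the JSP so EL never has to coerce a raw request string. The class name, JSP path, request attribute name and upper bound are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical page controller: validates "start" before the JSP ever sees it. */
public class NewsController extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(NewsController.class.getName());
    private static final int MAX_START = 10000; // assumed upper bound for paging

    /**
     * Returns the parsed value, or null when raw is missing, non-numeric
     * ("abc444"), overflows int ("4555555555555"), or lies outside [0, max].
     */
    static Integer tryParseBounded(String raw, int max) {
        if (raw == null) {
            return null;
        }
        try {
            int value = Integer.parseInt(raw.trim());
            return (value < 0 || value > max) ? null : Integer.valueOf(value);
        } catch (NumberFormatException e) {
            return null;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String raw = req.getParameter("start");
        Integer parsed = tryParseBounded(raw, MAX_START);
        int start = (parsed != null) ? parsed.intValue() : 0; // default: first page
        if (raw != null && parsed == null) {
            // Log the length only: echoing request-supplied text into logs invites log injection.
            LOG.warning("Rejected 'start' parameter (length " + raw.length() + "), using 0");
        }
        // The JSP receives an Integer, so EL has no String left to coerce.
        req.setAttribute("start", Integer.valueOf(start));
        // Hypothetical path; keeping the JSP under WEB-INF stops direct requests that bypass this check.
        req.getRequestDispatcher("/WEB-INF/jsp/news.jsp").forward(req, resp);
    }
}
```

In the JSP, the `o:getNews` call would then take `requestScope.start` in place of `param.start`.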
 