Blog Architecture

 
Vitor Hugo
Greenhorn
Posts: 7
So in a full-stack exercise I got bind, ldap, tomcat and postgresql (etc...) running. Now I want to do this landing page for myself, and after just finishing HFSJ, here's my initial idea:



Principal = index
New = A page for new posts
Blog would be the main blog page and login is... a login form...

I would like to know if that's a good structure, and some other things:

1) Can I use jQuery to make all the validations? Is there anything that I have to do that's not specified in HFSJ?

2) Can I use tomcat-users for authorization as mentioned in the book? I did not really understand why it's not good for production...

3) Is it worth it to use Spring MVC or Struts for something as simple as this? (I don't want to use JSF for now...)

Any kind of input is appreciated!
 
Ulf Dittmer
Rancher
Posts: 42970
73
1) Can I use jQuery to make all the validations?

For client-side validations, yes. But anything you validate on the client you must also validate on the server, because the client side is amenable to hacking.

2) Can I use tomcat-users for authorization as mentioned in the book? I did not really understand why it's not good for production...

Firstly, it's a file, which is generally inconvenient at runtime. You'd have to restart Tomcat every time you want to add or remove a user. A DB is more convenient that way. Secondly, that file stores passwords in clear text - you definitely don't want that. Tomcat's DB realms support storing the password hashed, which is what you should be doing.

3) Is it worth it to use Spring MVC or Struts for something as simple as this? (I don't want to use JSF for now...)

Maybe FrontMan is for you, then.
 
Vitor Hugo
Greenhorn
Posts: 7
For client-side validations, yes. But anything you validate on the client you must also validate on the server, because the client side is amenable to hacking.


A filter implementation for XSS and being careful with the queries for SQLi would do it, right? Is there anything else I should be concerned about? I heard about RFI but have no idea what it is...

Firstly, it's a file, which is generally inconvenient at runtime. You'd have to restart Tomcat every time you want to add or remove a user. A DB is more convenient that way. Secondly, that file stores passwords in clear text - you definitely don't want that. Tomcat's DB realms support storing the password hashed, which is what you should be doing.


It would probably only have one user, so that's not a problem, but I understood your point with the clear text and all... I'll research the Tomcat DB realm...

Maybe FrontMan is for you, then


Reading the docs right now, looks exactly what I need.

Thank you very much.
 
Ulf Dittmer
Rancher
Posts: 42970
73
being careful with the queries for sql

"Being careful" is not such a good approach when it comes to security - you want to be sure. Not sending raw SQL to a DB is crucial, so use PreparedStatements.
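As an added example (not code from this thread), the title lookup the blog page would run, written both ways so the difference is visible: string-built SQL for contrast, then a PreparedStatement with the server-side validation from the earlier reply as a second layer. The posts table, its title and body columns and the title rule are assumptions; the Connection would come from the same DataSource the realm uses.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Constructed example: blog post lookup by title, first as string-built SQL, then parameterised.
public final class PostDao {
    // Server-side copy of the client rule: letters, digits, basic punctuation, 1..120 chars.
    // Note it allows an apostrophe, so validation alone would not make the unsafe query safe.
    private static final Pattern TITLE = Pattern.compile("[\\p{L}\\p{N} .,!?'-]{1,120}");

    public static boolean isValidTitle(String title) {
        return title != null && TITLE.matcher(title).matches();
    }

    // VULNERABLE (kept for contrast): the title becomes part of the SQL text,
    // so a quote character inside it changes the structure of the query.
    public static List<String> findByTitleUnsafe(Connection c, String title) throws SQLException {
        String sql = "SELECT body FROM posts WHERE title = '" + title + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // HARDENED: the SQL text is fixed when prepared; the title is bound as data only.
    // The validation is an independent layer, not a substitute for binding.
    public static List<String> findByTitle(Connection c, String title) throws SQLException {
        if (!isValidTitle(title)) {
            throw new IllegalArgumentException("title rejected by server-side validation");
        }
        try (PreparedStatement ps = c.prepareStatement("SELECT body FROM posts WHERE title = ?")) {
            ps.setString(1, title);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }
}
```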
 
Vitor Hugo
Greenhorn
Posts: 7
I believe there's gonna be only 2 or 3 queries, thanks for the tip on the PStatement...

About the db realms, it seems pretty easy to implement and actually really good, I'm loving it...

...and on the FrontMan, I think I don't have enough knowledge about project patterns to pull it off. I never heard about the command pattern, and the lack of examples got me lost as to what exactly I should do with the classes... What are command classes? :| (..or in other words, where can I get more info on the command pattern with JSP and servlets..)

I read a little about web4j too, but I'm thinking about going raw JS and servlets anyway...

Anyway thank you very much.
 
Tim Holloway
Bartender
Posts: 18419
60
Update on tomcat-users.xml.

It's true that the original MemoryRealm only read this file at startup, and a restart was required to handle changes to it. However, around Tomcat 6, they added an enhanced Realm or two that are supposed to be more observant of changes.

Still, MemoryRealm and its relatives are best used for testing. Passwords are plain text, and you have to have access to the Tomcat server - and the Tomcat directories - to change them. And a really big realm would require a lot of resources to support.

Major production sites often employ a separate group of people to manage corporate IT security. These people often have neither the access rights nor the skills to meddle with Tomcat's innards. So the credentials are typically held in an external database or LDAP directory and an appropriate Realm to access them is configured.
 