steve claflin

Ranch Hand
since Dec 04, 2008

Recent posts by steve claflin

I'm trying to create a general-purpose report generator, where there is a specific report criteria class that ties to a specific report generator. I have a marker interface for the criteria. Individual criteria classes implement this interface:



I then have an interface for the report generators



I want to store the generator for each criteria type in a map, keyed by the class object for the criteria type

The actual generating is done by:



which will use criteria.getClass() to get the class object to pass to the map.get(). That will retrieve the generator for class T, which knows how to get the values from T to generate the report.

I couldn't find a way to write a HashMap declaration that would work without @SuppressWarnings annotations, the avoidance of which is one of my goals (at least in the code I expect my users to write - if I really need an annotation in my framework code, and know that I've prevented bad casts, that's OK). So I ended up with my own class that behaves like a Map:



I'm willing to live with the warnings suppression because I know that the put method enforced the class relationship when an item was added. Like:



where BillingDetailReportCriteria implements ReportCriteriaInterface, and BilllingDetailReportGenerator implements ReportGenerator<BillingEntryDetailReportCriteria>

So, all good so far. But, I can't find a way to actually use the map and generate my report without some kludging:



Issue #1 was that an error was flagged until I added the cast in the line with issue #2

Issue #2 is that adding the cast required that I suppress warning for unchecked.

I'd like to avoid the suppressing warnings, because this is code I expect the users of the class to write.

Note that I could have done the block as



if I added suppression of rawtypes warnings as well.

So, is there any way for me to write this in a type-safe manner, while avoiding the warnings suppression when using the generators?
5 years ago
I personally haven't thought about the static vs instance methods and JSNI, although it seems that there might be uses for both to be pushed out to the window.

One situation where I've used this concept is in apps that are popups, which are going to be hosted in other sites' pages and invoked via a click on one of their page elements. I have no control over their page structure, and even asking for an element with an id that I could wrap as a widget is a bit more than I'd like to do. If I can just tell them "Add onclick='xyz()' to whatever page element you want to be the trigger," that leaves them free to design the page as they see fit, using an a tag, img tag, etc. as the trigger. I can then push the function that shows the popup out to $wnd.xyz.
6 years ago
GWT
Sorry about being not very specific - I was thinking of Ajax requests, and the types of preventative measures like that discussed in

http://jazoon.com/portals/0/Content/ArchivWebsite/jazoon.com/jazoon09/download/presentations/7560.pdf (page 29)

or

http://www.denimgroup.com/media/pdfs/DenimGroup_Web20Security_AJAXWorld_20070321.pdf (page 23)

From other posts I've seen (plus the number of sites I go to that now append a junk parameter to the end of the request urls if I view my network traffic), I've been assuming that if the server and I both agree on what the "unpredictable" component is, and it was determined uniquely for this session, then someone reading the code in advance won't know what url we'll actually be using. But, the knowledge of that extra value is still going to be somewhere in the code, like held in a variable (or maybe using a function to adjust the url). So, if they can inject JS code based on the existing code, then they could see that token, or invoke the url-adjusting function, unless those elements aren't part of the window object.
I think you're running into the slippery nature of "this" in JS.

Try:


I wrote this based on your code from working code I have - hopefully I transmuted it to your case correctly.
6 years ago
GWT
The current thinking is that urls should be unpredictable. But, it seems to me that any logic to do that is going to have some predictable path to find out what the "extra" information is. It would have to be in a JS variable at some point, and then injected script could access it.

That leads me to think that any code dealing with that unpredictability ought to be wrapped in a self-executing anonymous function in order to provide a variable space that isn't accessible from the outside. Is that a reasonable conclusion, or is there some other way to ensure that the logic related to the token can't be accessed?
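The question above, worked as an added example (not code from the thread): it compares a token kept on the global object with one kept inside a self-executing function, and checks which is reachable by walking the global's properties. The token values, `win` (standing in for `window`), `fakeSend`, and the `/report` path are constructed for the illustration.

```javascript
// Added example: constructed token values and names, not code from the thread.
const serverSaw = [];                       // what the (fake) server receives
const fakeSend = (url) => { serverSaw.push(url); return { body: "ok" }; };
const win = {};                             // stand-in for the browser window

// Form 1: token and URL helper are ordinary properties of the global object.
win.sessionToken = "tok-constructed-111";
win.adjustUrl = (path) => path + "?t=" + win.sessionToken;

// Form 2: self-executing function; the token exists only in its closure.
win.api = (function (send) {
  const token = "tok-constructed-222";      // would come from the server per session
  const adjustUrl = (path) => path + "?t=" + token;
  function request(path) {
    return send(adjustUrl(path)).body;      // caller gets the body, never the URL
  }
  return Object.freeze({ request });
})(fakeSend);

// Walk every own property reachable from `root` and report whether any
// string value contains `needle`; this is what "accessible from outside" means.
function reachable(root, needle, seen = new Set()) {
  if (typeof root === "string") return root.includes(needle);
  const walkable = root !== null &&
    (typeof root === "object" || typeof root === "function");
  if (!walkable || seen.has(root)) return false;
  seen.add(root);
  return Reflect.ownKeys(root).some((key) => {
    try { return reachable(root[key], needle, seen); } catch (e) { return false; }
  });
}

function demo() {
  const body = win.api.request("/report");
  return {
    globalTokenVisible: reachable(win, "tok-constructed-111"),
    closureTokenVisible: reachable(win, "tok-constructed-222"),
    body,
    urlOnWire: serverSaw[serverSaw.length - 1],
  };
}
console.log(demo());
```

The closure keeps the token out of the global object's property graph, but `win.api.request` itself stays callable by any script running in the page, so the request can still be made without ever reading the token.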

Eric Pascarello wrote: um, isn't that if statement saying you do NOT have it?

Shouldn't it be !==?

Eric



Ummm ... oops, you're right. That's what happens when you try to type beyond your capabilities.

The actual code I tested had the !== and reported the object was present. Firebug also lets me see the object. I assume that's so FF can create the event object when running on a capable device.
The standard line in every blog, tech article, etc., that I've seen on this goes something like this:


So, first thing I do is open that page in FF on my PC, and, lo and behold, it says we have motion. And, even the MDN docs say that the above code is the correct test.

But, it seems like I'm testing for the existence of the constructor for an event object, not a capability of the device. And, unless the browser is actually going to conditionally define the constructor, it makes sense that it would always be there. I wonder if the test should be something like that below, based on the hope that the interval is a static property gleaned from the actual device. (Unfortunately, my phone doesn't support motion, so I don't have a way to test this.)



If not, then what is a correct test (one that will not report motion capability in FF in a device that doesn't have motion capability)?
Eric,

Thanks for the comments. It seems like the world in general is loath to describe the anatomy of a hack, so I'm left to my own imagination. And I'm trying to figure out a hack that would use real-time, programmatic access to a remote server, as opposed to store-the-credentials-and-come-back-later access.

Also, it seems to me that if the concept that the conceivers of CORS wanted was "Control of Origins of Requests to my Server", then that's what they should have named it, instead of Cross-Origin Resource Sharing. To me, the concept of "Cross-Origin" would apply to whose server my page can contact, in addition to whose page could contact my server.

Am I wrong that there is a whole family of possible hacks involving injecting JS into a page from foo.com that could then open an XmlHttpRequest to bar.com and send foo's cookies, etc., to bar? And, if so, wouldn't it be reasonable that there be a header foo could send with a page that listed allowable destinations for requests?

Steve
Not all widgets use primary styles, in particular many panel types. For HorizontalPanel, there is nothing that would need to be set for its style for general use. And it wouldn't necessarily be good for Google to have set a primary style, since the same class might be used multiple times within an app for totally different purposes. BTW, the Javadocs usually list the styles used by a widget (but unfortunately, not always). But, if there is no rule in the CSS, then GWT isn't going to bother setting a primary style.

If you want a primary style for a DockPanel, you can either manually set it for each instance, as you did, or extend DockPanel with a new class that sets its own primary style with its own name.
7 years ago
GWT
Maybe I've got it all wrong, but I always thought that the cross-origin threat was that JS injected into my page would send sensitive data, like cookies or the contents of a form, to a third-party server. CORS seems primarily interested in making sure someone else's pages don't contact my server.

If I've got a malicious site, you can bet that I'm going to set the acceptable origin header to *. And, the W3C docs say that the origin can't be spoofed, unlike referer. I assume that's because the user-agent doesn't allow setting that header. But, if I was a hacker, one of the first things on my todo list would be to write my own browser, and then I could send whatever headers I please.

Wouldn't it make more sense that when I deliver a page to the browser, there is a header indicating what domains a request can be sent TO?

Kevin Workman wrote: Why don't you just pass the Enum array returned from the values() method?



Because that doesn't seem very user-friendly if I'm providing a tool as part of an API. For the task "I'd like a set of radio buttons (or a combobox) representing all the options in an Enum", it seems most natural to pass the enum class itself.

I finally did get a version that worked, using java.util.EnumSet:

9 years ago
At first glance, I thought that Harshana's code would work with an explicit typecast. But, even though you can successfully turn an Object[] into a String[], it must have been originally created as a String[]. Merely containing only strings is not enough.



The commented out cast of objStrs1 fails because the original type of the array as an object is Object[], while the type instantiated for objStrs2 was String[]. You can see from the class name printouts that the class of objStrs2 is known to be String[], thus allowing the typecast to succeed.
9 years ago
I'd like to pass any enum to a function and use the values array. But, since that method is not inherited, I can't find a way to do that.

Something like:

Right now I'm accomplishing this by looping through the enum in the code that calls this, building an ArrayList<String>, and passing that to an appropriate constructor. But, I'd rather not require users to do the prep work if it can be avoided.

I think that I could use a Class object with reflection to find the values method, but would then need to figure out what the right class declaration type parameter is, and what the right constructor parameter type is, so that I could limit it to enums.
9 years ago
The constant XMLReader.REPORT_IGNORED_ELEMENT_CONTENT_WHITESPACE_FEATURE is not recognized by the compiler.
Blaise,

I've got 1.6.0_20, and the latest is only 21. The fixes page for that release doesn't mention anything about this. Also, the XMLReader constant you mentioned doesn't exist for my version. (In fact, the only Google listing for it is this thread.)

I've been trying to find more info on the bug you described - do you have a link or bug id that could shed more light on it?