Re: [Fwd: Param validation]

From: Dhanji R. Prasanna <>
Date: Mon, 30 Jul 2007 21:34:40 +1000

The JSF spec's validation subsystem is horribly conceived and redacted in
patchwork from spring validator and thus difficult to translate to jsr311.
I think we would be better served allowing flexible integration with jsr303
(bean validation spec) with something like the following:

1. inject params via annotations
2. user explicitly binds params to model bean and invokes 303 runtime


2. specific containers (perhaps JEE only) can allow 303 validation metadata
to sit on injection params and be invoked in the background by the container
runtime (and its hookup to 303).
For example:

public Response get(@NotNull @URIParam("name") String name) { .. }

Coordination with jsr316 would be prudent in the latter case (I offer to
undertake the responsibility as I am on both 303 and 316 EGs). As an aside
I am trying to encourage JSF2 (JSR-314) to take a similar approach.


On 7/30/07, Paul Sandoz <> wrote:
> Hi,
> Is this something we need to consider? (see attached)
> Paul.
> --
> | ? + ? = To question
> ----------------\
> Paul Sandoz
> x38109
> +33-4-76188109
> Perhaps this is more appropriate for the JSR311 mailing list so forgive me
> for posting this here.
> I was reading a new IBM article on injection attacks today and it got me
> to thinking about how I will perform validation on my JSR311 application. I
> looked at the spec and didn't see parameter validation as a goal or non
> goal. I was curious on what are people's opinions on this? Should parameter
> validation be application specific, handled as an extended feature of the
> JSR311 implementation, or be incorporated into the JSR311 spec like
> validation is in the JSF spec?
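
The first approach from the message above (bind the injected param to a model bean, then invoke the 303 runtime explicitly), as an added example that is not part of the original thread. It assumes the final javax.ws.rs and javax.validation APIs (where the draft's @URIParam became @PathParam) with a JSR 303 provider on the classpath; GreetingResource, NameQuery and the /greeting path are hypothetical names.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

// Hypothetical resource; class names and the path are assumptions.
@Path("/greeting/{name}")
public class GreetingResource {

    // Hypothetical model bean that carries the 303 constraint metadata.
    public static class NameQuery {
        @NotNull
        @Size(min = 1, max = 64)
        @Pattern(regexp = "[A-Za-z0-9_-]+") // allow-list of accepted characters
        private final String name;

        public NameQuery(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Validator instances are thread-safe, so the factory is built once.
    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    @GET
    public Response get(@PathParam("name") String name) {
        // Step 1: bind the injected parameter to the model bean.
        NameQuery query = new NameQuery(name);
        // Step 2: the application invokes the 303 runtime itself.
        Set<ConstraintViolation<NameQuery>> violations = VALIDATOR.validate(query);
        if (!violations.isEmpty()) {
            // Name the failing property, but do not echo the rejected value.
            StringBuilder msg = new StringBuilder();
            for (ConstraintViolation<NameQuery> v : violations) {
                msg.append(v.getPropertyPath()).append(' ').append(v.getMessage()).append('\n');
            }
            return Response.status(Response.Status.BAD_REQUEST)
                    .type("text/plain").entity(msg.toString()).build();
        }
        return Response.ok("Hello, " + query.getName()).type("text/plain").build();
    }
}
```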