5

For a Java web application, normally we need to do validation at the front end using JavaScript and then on the backend using Java. Some Java validation tools like Hibernate Validator can be used on the backend side, while on the client side there's jQuery form validation.

But the thing is, is there a simpler way to combine the two? Such as, when using Spring MVC with Hibernate Validator, the front-end validation will be there automatically? Thx

Vihung
hetaoblog
  • You can add a custom ajax based validator to the validation plugin. – Vishal Sep 04 '12 at 06:39
  • thx, could you be more specific? say, give some example or url? thx. – hetaoblog Sep 04 '12 at 06:41
  • Can you be more specific with your requirement? for sample custom validation using ajax - [see this](http://stackoverflow.com/questions/2628413/jquery-validator-and-a-custom-rule-that-uses-ajax). – Vishal Sep 04 '12 at 06:45
  • so what you are saying is basically doing backend validation but using an ajax call; my question is more about, we'll have backend validation codes and also front end javascript validation codes, which to some extent are duplicate, can we avoid that in some way? such as automatic javascript validation generator from java validation codes? – hetaoblog Sep 04 '12 at 07:03

1 Answer

2

Don't forget, there are two very different forms of validation.

First, validation to ensure that the user makes sensible entries. Consider the usual password/confirm-password system. The only significance of the confirm-password field is to keep the user from accidentally inconveniencing himself.

Similarly, things like checking valid email addresses, required fields, and so forth -- they're just there to make sure the user is entering what he really means.

Second, there is validation to ensure that only legal changes are made to the system. One user cannot change data belonging to another user, employees cannot give themselves raises, and so forth.

Validations of the first kind need only be done in Javascript. The user can defeat them, if he wishes, but he hurts no one but himself.

Validations of the second kind must be done on the back-end. Usually, but not always, there isn't any need to err out gracefully. If the user has weaseled past the UI, or reverse-engineered the AJAX, you don't have to be polite. Just return a 500 and log the intrusion.

There are a few overlaps. For example, if the user is creating a (supposedly) unique user-name, that uniqueness check can fail at the very last second, after passing all the Javascript checks, because someone else took a previously unused name.

But that's the exception, not the rule. Most back-end validation is just very thin security or security-like checks, very different from what's done on the front.

Michael Lorton
  • take email address as an example, is it really correct that this validation is only done in front end? suppose someone did some trick to post incorrect data, that may break codes on other pages because some other codes might expect email to be of "****@somedomain.com" format? – hetaoblog Sep 04 '12 at 06:55
  • I certainly think that's a legitimate question, but the answer is "yes". Being unable to send some user mail (because of an invalid address or any other reason) should affect no-one but that user. However, I can imagine other cases where invalid input would affect other users or overall system behavior and in those cases, yes, re-check the input. – Michael Lorton Sep 04 '12 at 22:37
  • 3
    well, actually, i hardly agree with you for first part. to me that looks not defensive enough... so, my question would be, if we need to be defensive enough to do double check on js side and server side, is there a good way to write easy code for only once? – hetaoblog Sep 05 '12 at 02:17
  • Are you making a joke? The whole point of your question is to *write the code once.* Running the same piece of code twice isn't defensive, it's just a waste of CPU. If there's a hole in your validity check, and that hole compromises the stability of your back-end, running that inadequate validity check on the front-end too isn't going to help. – Michael Lorton Sep 05 '12 at 04:34
  • 1
    first, my question is about how to 'write the code once' for Java side and JavaScript side; however, in terms of validation, I do think both sides check are needed for most of the times. they're for different purpose, client side check is for user friendliness, while server side is to protect the system from dirty data by whatever reasons; the double check is not a waste; actually, it's exactly why i've raised this question, because i think double check is needed for different purpose. your answer is more about eliminating one side check depending on cases, not giving a 'write once' solution. – hetaoblog Sep 05 '12 at 05:37
  • That's true. The answer to the *real* question ("How do I write the code to be run on the client side for user-friendliness, and on the server side for security?") is "Write it in Javascript and then use Rhino or other Java-based Javascript interpreter to run the rules on the server side." But don't forget what I said. – Michael Lorton Sep 05 '12 at 21:00
  • thx a lot. you're proposing one solution to the real question. however, to some extent i'm more looking forward to solutions in the other direction, such as with hibernate validator or so on, so far, is there a way to generate client side javascript validation codes ? or is there an open source solution already? – hetaoblog Sep 06 '12 at 02:51
  • 1
    To bring this conversation into 2015, validation on *both* sides is *very* common now, since more and more functionality is moved into the client. And this makes sense; the back end *must* ensure validity, but the front end usually needs at least *some* of the same validity checking. – Dave Newton Jun 17 '15 at 14:06
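
The "write the rules once in JavaScript and run them on both sides" approach from the comments above, as an added example that is not part of the original thread: a rule table and validator with no DOM or server dependencies, so the browser form and a server-side JavaScript engine can load the same file. The field names, limits and sample inputs are assumptions made for illustration, and an engine with ES2015 support is assumed.

```javascript
// Added example: shared validation rules, independent of browser and server APIs.
// Field names and limits are hypothetical.
const RULES = {
  username: { required: true, minLength: 3, maxLength: 20, pattern: /^[A-Za-z0-9_]+$/ },
  email:    { required: true, maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age:      { required: false, pattern: /^[0-9]{1,3}$/ },
};

// Returns an error code for one field, or null when the value passes.
function validateField(value, rule) {
  if (value === undefined || value === null || value === '') {
    return rule.required ? 'required' : null;
  }
  // A request that did not come from the form can carry arrays or objects
  // where a string is expected; reject them before any string rule runs.
  if (typeof value !== 'string') return 'type';
  if (rule.minLength !== undefined && value.length < rule.minLength) return 'minLength';
  // Length is checked before the pattern so the regex only sees bounded input.
  if (rule.maxLength !== undefined && value.length > rule.maxLength) return 'maxLength';
  if (rule.pattern && !rule.pattern.test(value)) return 'pattern';
  return null;
}

// Validates a whole submission. Fields not named in the rule table are
// reported in `unexpected` and make the submission invalid.
function validate(data, rules = RULES) {
  const isPlainObject = data !== null && typeof data === 'object' && !Array.isArray(data);
  const input = isPlainObject ? data : {};
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const errors = {};
  for (const name of Object.keys(rules)) {
    const err = validateField(has(input, name) ? input[name] : undefined, rules[name]);
    if (err) errors[name] = err;
  }
  const unexpected = Object.keys(input).filter((key) => !has(rules, key));
  const valid = Object.keys(errors).length === 0 && unexpected.length === 0;
  return { valid, errors, unexpected };
}

// Constructed sample inputs: a normal form post, and a request built by hand
// that never passed through the client-side checks.
const fromForm = { username: 'alice_01', email: 'alice@example.com', age: '' };
const handBuilt = { username: ['x'], email: 'not-an-email', isAdmin: 'true' };
console.log(validate(fromForm));
console.log(validate(handBuilt));
```

In the browser the `errors` codes drive the inline messages; on the server the same `validate` call runs against the raw posted data, and its result is the one that decides whether the request is accepted.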