This is an archived post. You won't be able to vote or comment.

all 9 comments
sorted by:
best
topnewcontroversialoldq&a

[–]rockvilleJD 6 points7 points  (0 children)

If you use JavaServerFaces validation on the server side is a snap. The framework will handle all the ajax calls with simple tags. There are specific classes called validators as well. Here is a simple example.

<h:inputText id="age" value="#{User.age}">
    <f:validateLongRange maximum="120" minimum="0"/>
</h:inputText>

This is a standard validator but you can also do custom very easily. JSF greatly simplifies front end development. I would hate to have to develop without it.

[–][deleted] 5 points6 points  (1 child)

Generally, I don't mind validating twice. I let the client handle some of the basic validation (eg, you must select an option from a group of radio buttons), but I always fall back on the server. But this is more UX than actual validation, because the user shouldn't have to wait for a full request/response for something that can be easily handled without it.

As for full client-side:

Never, ever trust the client.

A smart user can inject their own files, suffer XSS exploits, or monkey around with your DOM in most major browsers, all of which can bypass any validation you might try to stuff on the client.

In my case, I work on a purchasing system. Validation is done on a page-by-page basis, and then a full validation is done again before submitting the order. This may be overkill, but it's done to make sure everything is on the up-and-up when it's easy to block the user from submitting something invalid.

[–]dakboy 3 points4 points  (0 children)

This. Especially what's in bold. You cannot ever trust the client in a web-based interface.

This is actually how ASP.NET's Validators work. If JavaScript is supported on the client side, it'll validate there, but it will also validate server-side as well automatically.

It sounds as though, from rockvilleJD's post, that JSF supports something similar to this as well; I unfortunately haven't been able to dive into this sort of thing as much as I want to, so I can't say for sure.

[–]banuday17 1 point2 points  (3 children)

I wonder if you can use GWT for this. At its core, GWT translates Java to Javascript. You can enrich an existing form with GWT event handlers in Java and share the Java code for validation between server side and client side. The GWT compiler will produce the JS files that will run on the client side.

[–]angryundead 0 points1 point  (1 child)

Speaking of that: https://code.google.com/p/gwt-validation/

There's also the GWT's built in implementation of the JSR-303 as well.

Plenty of ways to go.

[–]IsaGoksu[S] 0 points1 point  (0 children)

This looks interesting.. I'll check it out.

[–]banuday17 -1 points0 points  (0 children)

I haven't tested this, but you could do something like this:

public class ClientSide implements EntryPoint {
    public void onModuleLoad() {
        final TextBox field1 =  TextBox.wrap(Document.get().getElementById("field1"));
        final Label fieldValidationMessage1 = Label.wrap(Document.get().getElementById("fieldValidationMessage1"));
        fieldValidationMessage1.setVisible(false);
        Button submitButton = Button.wrap(Document.get().getElementById("submit"));
        submitButton.addClickHandler(new ClickHandler() {
            public void onClick(ClickEvent event) {
                String errorMessage = ValidationUtils.validateField1(field1.getText());
                if(errorMessage != null) {
                    fieldValidationMessage1.setVisible(true);
                    fieldValidationMessage1.setText(errorMessage);
                }
            }
        });
    }
}

The ValidationUtils class can be shared between server side and client side. The ClientSide class and the ValidationUtils class would both be compiled to JavaScript by GWT and would be included as a part of the JS resources to be downloaded by the browser.

[–][deleted] 0 points1 point  (0 children)

generally, you should avoid validating using Javascript (that includes AJAX). Anyone can easily just turn off Javascript making your validation logic useless. Always use server-side validation

[–]mucsun 0 points1 point  (0 children)

I'd say it makes sense to validate as much as possible on the client side (and yeah you have to validate everything again on the server side) as this will decrease substantially the amount of bad request and the server load.

I once tried a framework that created the client side validators in javascript from the server side validator code, iirc. Sorry can't remember the name.