
At which layer should validation be done in a real enterprise Java-based application?

I have worked as a developer on a few enterprise applications mainly based on the Spring Framework and Java EE (mainly EJBs), but not on all the layers (the view layer is the one I have worked on least).

Considering a multi-layered application (client layer, business layer, data layer, etc.), at which layer should the data validation happen?

I have heard of the Bean Validation API, viz. JSR 303; but the validations are performed in the beans, that is, server side (if I understood correctly).

So in real applications, where should the validation happen? Should some validation happen in the client layer itself (for example, if the view technology used is JSP, should the validation happen in the JSP)? If so, then what is the advantage of JSR 303?

It also doesn't make sense to have the data travel from client to server only to be rejected because of validations. I am not clear what the proper approach to validation is.

Any explanation that helps in understanding this is well appreciated.

Normally, there are 3 layers in an application: model layer, control layer and view layer. Each layer has its own validation logic.

The view layer checks the validity of the user's input data. This check is helpful to user experience and server performance because it can point out the user's invalid input early and avoid invalid calls to the server's interface. The check in the view layer should mainly be about the user's input (for example: email format check, password format check, etc.).

A control layer check is necessary too. This check can prevent illegal calls to the server's interface. For example, the login token is missing or invalid in an HTTP request parameter.

The model layer check is mainly about data validation. The view layer checked the user's email format, and the model layer will check whether the email is registered in the application (maybe the user data is stored in a DB or cache).

In a word, each layer has its own responsibility and each should do its own data validation.

You are correct, the Bean Validation API performs validation at the business logic layer, not the client's. It is also correct that in general, data validation should happen as close as possible to the client, preferably at the client side itself.

But sometimes, you just cannot do it there, so you need server-side validation. For example, how can you verify that a login is already taken on a signup page?

Sometimes validation even goes deeper, to the data layer. Data integrity constraints, for instance, are data layer validation (referential integrity, nullability, ...).

In conclusion, data validation should be performed at the client side when possible, but sometimes it cannot be done there. So you have to do it on the server side in spite of the cost of data travelling between client and server.

Since "Validating input received from the user to maintain data integrity is an important part of application logic", as far as I know, web developers are always encouraged to have two-step data validation, i.e. in the UI as well as in the business logic. Let me brief you.

  1. The advantage of client-side validation is that you have control to warn the user wherever needed, and to show related messages immediately. But remember to avoid complex logic such as date comparisons as validations, because at the backend you will have enough freedom to validate various constraints.
  2. It is always better to perform backend validation, typically on the business layer, which can become the strongest part of your application. This ensures flawless outputs; remember to throw custom exceptions, which makes the application look better, and make use of existing methods for validations (e.g. isDigit(), isEmpty(), etc.).
  3. At the data layer level, try to minimise validations, but sometimes we have to include them if there is a dependency on other services, etc.

Regarding JSR 303, bean validation, it acts as a helping hand to simplify the validation of user input fields which are mapped to beans (typically in Spring-based applications with REST).

And regarding your doubt "It also doesn't make sense to have the data travel from client to server to be rejected because of validations" .. it might look so, but it is really important to have the flow this way, to handle validations involving complex logic and to handle exceptions better.

I think that talking about validation is to talk about an approach, not about a solution.

An approach could be to have, for any layer, its own validation. Another approach is to have an application-agnostic validation. The choice of the former or the latter depends on various factors: application complexity, layer design, maintainability, layer reusability.

JSR303 is a type of validation: bean validation.

Other validations can be:

  • check against any kind of injection
  • check for authentication/authorization

About reusability: if you call a business layer which relies upon client-side validation, then a B2B call can't use the validation.

Apart from these considerations there is good advice to follow. For example, don't trust client-side validation.

Client-side validation is useful to improve user experience but should not be used as a substitute for server-side validation.
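The server-side half that the answers above describe (format constraints on the bean, the "is this login already taken?" check that needs the data store, and rejecting a request whose browser-side checks were bypassed) in one runnable piece of Java. This is an added example, not code from the question or from any of the answers. It uses only the standard javax.validation API and assumes Bean Validation 2.0 (validation-api 2.0.1) with Hibernate Validator 6 and an EL implementation (org.glassfish:javax.el) on the classpath; the EXISTING_LOGINS set, the UniqueLogin constraint, the SignupRequest bean and the sample inputs are hypothetical names and constructed data chosen for this example.

```java
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.Email;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

/** Server-side validation of a signup request with Bean Validation (JSR 303 / JSR 380). */
public class SignupValidationDemo {

    // Hypothetical stand-in for the user store (DB or cache) that the
    // "login already taken" check must consult; a real application would
    // inject a repository here. Pre-seeded with one constructed user.
    static final Set<String> EXISTING_LOGINS = ConcurrentHashMap.newKeySet();
    static { EXISTING_LOGINS.add("alice"); }

    /** Custom constraint for the one check that cannot be done in the browser. */
    @Documented
    @Constraint(validatedBy = UniqueLoginValidator.class)
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface UniqueLogin {
        String message() default "login is already taken";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class UniqueLoginValidator implements ConstraintValidator<UniqueLogin, String> {
        @Override
        public boolean isValid(String login, ConstraintValidatorContext ctx) {
            // A null login is already reported by @NotBlank; do not report it twice.
            return login == null || !EXISTING_LOGINS.contains(login);
        }
    }

    /** The bean the request is mapped to; its constraints are the server-side rules. */
    public static class SignupRequest {
        @NotBlank
        @Size(min = 3, max = 32)
        @Pattern(regexp = "^[a-z0-9_]+$", message = "login may contain only a-z, 0-9 and _")
        @UniqueLogin
        private final String login;

        @NotBlank
        @Email
        private final String email;

        @NotBlank
        @Size(min = 12, max = 128)
        private final String password;

        public SignupRequest(String login, String email, String password) {
            this.login = login;
            this.email = email;
            this.password = password;
        }
    }

    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    /** Runs every constraint on the bean; an empty set means the request is acceptable. */
    static Set<ConstraintViolation<SignupRequest>> validate(SignupRequest req) {
        return VALIDATOR.validate(req);
    }

    static void report(String label, SignupRequest req) {
        Set<ConstraintViolation<SignupRequest>> violations = validate(req);
        System.out.println(label + ": " + (violations.isEmpty() ? "accepted" : "rejected"));
        for (ConstraintViolation<SignupRequest> v : violations) {
            System.out.println("  " + v.getPropertyPath() + ": " + v.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed inputs. The first is what a browser form with working
        // client-side checks would send; the second is what arrives when those
        // checks are skipped (curl, a B2B caller with no UI, a hostile user).
        report("form submission",
                new SignupRequest("bob", "bob@example.com", "correct horse battery staple"));
        report("direct request",
                new SignupRequest("alice", "not-an-email", "short"));
    }
}
```

The second request is rejected on all three fields (taken login, malformed email, too-short password) even though a browser with the same rules would never have sent it, which is the point of the "don't trust client-side validation" advice: the constraints live on the bean, so they apply identically whether the caller is a JSP form, a REST client or another service. In a Spring MVC or Spring Boot controller the same bean is checked automatically when the handler parameter is annotated with @Valid, so there is no separate validation code to keep in sync with the UI.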
