Вы находитесь на странице: 1из 9

ATG Form Handler Best Practice

These guidelines lay out some suggestions, strategies, and direction for making the best use of form handlers with ATG. The intent here is to provide developers with some insights and structural suggestions distilled from the long hours of many people hunched over their monitors and keyboards. The goal is simple to provide guidelines that will lead to leaner, easier to debug, and easier to extend implementations of ATG user interfaces. Since form handlers act as the focal point for all user supplied data entering the system from the open nternet, their effective structuring is key to the overall long term health of the system.

General Guidelines
!. "ach and every form should have an associated form handler. This doesn#t necessarily imply a custom form handler these could be an instance of the $rofile%orm&andler or even the 'epository%orm&andler. (. )ustom form handlers should be !*! with custom forms. +on#t attempt to reuse form handlers across multiple forms. ,eep it simple. -. %orm handlers may be either re.uest or session scoped, with strong preference given to re.uest scope. n general, if the form is used very fre.uently it may be session scoped so as to avoid instantiating new copies. &owever, when session scoping is used then tighter maintenance of instance variables must accompany that /and session scoping form handlers is the exception0. 1. Session scoping of form handlers should never be used to achieve session persistence 2 that#s what manager components are for. 3. %orm handlers should only reference components that are scoped at the same or more general scoping as themselves /for example session45session, session45global0. +on#t use the nucleus resolve6ame/String componentName0 method to avoid fixing bad scoping decisions7 this method is extremely expensive and should only be used when it can#t be avoided /which is generally when a pipeline component needs access to session data0. 8. %orm handlers should never reference properties or call methods in other form handlers. f multiple form handlers share some information, that information is generally persisted for the session and should be managed out of a common, shared manager component. 9. The function of the form handler is to*

ATG Form Handler Best Practice Page 2 of 9 a. intercept and cause form field values to be validated prior to a handle method calling the pertinent action method in the manager component. b. provide information for form widgets such as selection lists, radio buttons, etc. c. provide structured data on demand /ex. :son or xml for A:ax widgets0 d. provide feedback to the ;S$ so that field errors can be reflected by to the consumer in such a way as to assist them with fixing the errors easily e. supply data to manager components f. exercise methods in validator components that ensure that the field values supplied by the user are consistent with business guidelines and needs g. exercise methods in manager components that persist data and<or exercise system function in response to action re.uests =. All validation business logic should be contained in a validator component that is called from a handle method in the form handler. >. %orm handlers should contain no business logic. "ven the validation of form field values should be externali?ed in either a manager component or a validator component as best befits the application. !@.All user supplied data values should be accepted via form fields. +on#t use droplets, nucleus components, or web services as a Ashort cutB to forms. The reason that these can sometimes be easier is that they bypass things like field security, cross system scripting defenses, automatic encoding and decoding, validation layers, before and after set logic, etc. Ces, they are faster. n the same way that the fastest way to get from the overlook to the bottom of the Grand )anyon is to :ump off of the rim. The :umping is easy 2 it#s the landing that brings the pain.

Implementation Details Requiring Consistenc


!. 'eturn false at the end of the handle methods if you want to stop the form submission re.uest /which will be for the AactionB attribute of the form0 from being processed. 'eturn true to redirect to a success page. (. Avoid setting the successD'E, errorD'E, and other pages used for redirection in the ;S$<form. nstead set them in the form handler#s properties file. &aving them in the form exposes the site to cross4site scripting FGSSH attacks. -. Ihen binding input fields that are not submit buttons or images, make sure to set the priority of the field to A4!@B so that it gets invoked after all of the setters have been called.

ATG Form Handler Best Practice Page ! of 9

T"e #$P Pattern


%orm handlers provide an instance of a $resenter element of the JK$ pattern. They supply values for control widgets exposed by ;S$#s and manage the exchange of form data. deally, they are the only means of ac.uiring data from the web site user and supplying it to business components /droplets and tags being outwardly oriented only0. %orm handlers have no knowledge of business logic, but they do have enough knowledge of where that logic AlivesB so as to direct actions to it. The following diagram illustrates the JK$ pattern with ATG user interfaces and where the form handlers are positioned in their role. n the diagram you will note that although A:ax can be used to exchange information with web services directly, that is not considered best practice for web applications serving users on the open nternet. The issue with calling web services directly, rather than obtaining their services through corresponding form handlers, is that it exposes the site to various forms of cross site scripting attacks. ATG has added an increasing amount of scripting attack mitigation support into the form handlers, most recently with release >.@. )alling web services /or any nucleus component0 directly from the ;S$ bypasses this support.

ATG Form Handler Best Practice Page % of 9

ATG Form Handler Best Practice Page & of 9

T"e Form Handler Pattern T"e Complete Pattern

Form the &TJE form that is being instrumented by the ;S$. Form Handler the form handler component that receives field and action submissions and from which control widgets may receive their values. Form $alue '()ect a value ob:ect /or container bean0 that contains the set of field values that are associated with this form. ,eeping these values in a common container makes it easier to pass them as a bag into a related validator or manager component. Field $alidator a service component that validates the field values supplied by the form, including the application of business4specific logic. An example of such logic might be what states are serviced in a given country, which fields are mandatory in what combinations, etc. The field validation implementation may exploit a common validation utility housing business rules used across the site.

ATG Form Handler Best Practice Page * of 9 Business '()ect $alue '()ect a container for sets of values that are aligned with specific business ob:ects. An example is the Lrder&older, which contains all of the information about an order. #anager the manager contains the business logic supporting the actions to be taken given that constraints are met, levels of persistence and caching specific to the form or application,etc. Repositories where all knowledge can live forever.

+ample ,- T"e simplest form "andler

This form contains no form fields, just one or more submit buttons. Common Usage Checkout confirmation page Landing page Redirection page (ex. Language selection)

ATG Form Handler Best Practice Page . of 9

+ample 2- A common form "andler

One or more form fields, one or more submit buttons. Common Usage ddress maintenance page !roduct detail page Checkout billing"shipping page

ATG Form Handler Best Practice Page / of 9

+ample !- A series of related forms

#e$uence of related pages %ith multiple form fields, multiple submit buttons. Common Usage Checkout m& ccount #ubscriptions management

Form Handler Anti0Patterns Form Handler #as"01p2s


Jany form handlers start out small, with only a few input fields, a few controls, and an action button or two. So as a conse.uence all of the validation and manager logic is mashed together in the form handler implementation itself. Since all of that logic is mashed together, there was no reason to use a form /value ob:ect bean0 to contain the form field values. And then the new re.uirements poured in 2.

ATG Form Handler Best Practice Page 9 of 9

3ot 45tending a +peciali6ed Form Handler +upplied ( ATG


ATG provides a bevy of form handlers for all kinds of speciali?ed forms user profile, orders, payment groups, inventory, repository, etc. n fact, there are hundreds of them at last count. "ven though form handlers can be loads of fun to write, that#s not why there are so many. t#s so that developers can use or extend the one closest in functionality to their application needs. +on#t write extend.

Form Handlers Referencing 't"er Form Handlers


This is where one form handler has as a property another form handler. tMs difficult to stress :ust how bad this structure is 4 form handlers are components which are designed to be called from pages, and often perform additional initiali?ation to that which is carried out by 6ucleus /the initiali?ation from .properties0 in the beforeSet and afterSet methods. These wonMt get called if you invoke the form handler from within another form handler, forcing you to write extra code to perform the functions that you would normally get Afor freeB from 6ucleus.

7"at2s #issing from t"is Document8


This document is incomplete. &ere#s what needs to be added... !. A complete dictionary of all of the form handlers included by ATG as public A$ #s. deally this would include the typical :ava doc, a few simple reference implementations, and a hierarchical diagram showing their interrelationship in a concise fashion. (. A list of the form handlers that are not intended to be a part of the public A$ , but that are exposed because of the way that ATG#s own D #s are written or for backward compatibility. -. Nest practice direction for using A:ax, %lex, and Air with ATG. / #m working on the A:ax portion of this, but it won#t be ready for viewing for at least several more weeks.0