Interface VelocitySupport

public interface VelocitySupport

Velocity context variables

The Smart GWT Server provides a number of standard context variables for use in the Velocity templates you write to implement custom queries, transaction chaining, dynamic security checking and templated mail messages. These are: All of these variables (other than the two dates) represent objects that can contain other objects (attributes or parameters or object properties). The variables based on the Servlet API (session, sessionAttributes, httpParameters, servletRequest and requestAttributes) all implement the Map interface, so you can use the Velocity "property" shorthand notation to access them. The following usage examples show five equivalent ways to return the value of the session attribute named "foo":
In the case of $servletRequest, the shorthand approach accesses the attributes - you need to use either $httpParameters or $servletRequest.getParameter to access parameters. These examples all return the value of the HTTP parameter named "bar":
When you use these Velocity variables in a customSQL clause or SQL snippet such as a whereClause, all of these template variables return values that have been correctly quoted and escaped according to the syntax of the underlying database. We do this because "raw" values are vulnerable to SQL injection attacks. If you need access to the raw value of a variable in a SQL template, you can use the $rawValue qualifier in front of any of the template variables, like this:


This also works for the $criteria and $values context variables (see CustomQuerying for details of these variables). So:


Note that $rawValue is only available in SQL templates. It is not needed in other contexts, such as Transaction Chaining, because the value is not escaped and quoted in these contexts.

Warning: Whenever you access a template variable for use in a SQL statement, bear in mind that it is dangerous to use $rawValue. There are some cases where using the raw value is necessary, but even so, all such cases are likely to be vulnerable to injection attacks. Generally, the presence of $rawValue in a SQL template should be viewed as a red flag.

Finally, some example usages of these values. These values clauses set "price" to a value extracted from the session, and "lastUpdated" to the date/time that this transaction started:

  <values fieldName="price" value="$session.somePrice" />
  <values fieldName="lastUpdated" value="$transactionDate" />

This whereClause selects some users based on various values passed in the criteria and as HTTP parameters:

  <whereClause>department = $httpParameters.userDept AND dob >= $criteria.dateOfBirth</whereClause>

This whereClause selects some users based on various values obtained from the servletRequest's attributes, using a number of equivalent techniques for accessing the attributes:

          department = $servletRequest.dept 
      AND startDate >= $requestAttributes.dateOfBirth 
      AND salary < $servletRequest.getAttribute("userSalary")

See Also: