Versions Compared

...

Guideline ID | Description | Certification Level | Scope
G001 | The HTML rendering the UI conforms to the basic layout using a table of class widget grid. | 1 | PEMDV
G002 | The HTML rendering the UI uses only the defined CSS classes. | 3 | PEMDV
G003 | The UI conforms to the basic guidelines. | 2 | PEMDV
G004 | The UI uses the widgets supported by the XperienCentral platform. | 2 | PEMDV
G005 | The JSPs that render the HTML use the JSTL tags and JSP tags offered by the XperienCentral platform as often as possible. | 2 | PEMDV
G006 | The UI conforms to the defined UI interaction patterns. | 2 | PEMDV
G007 | The business object is implemented as a POJO and does not contain any reference to a controller, form backing object or DAO. | 1 | PEMDV
G008 | The business object does not contain properties or logic whose sole purpose is the view. | 1 | PDV
G009 | The FormBackingObject is implemented as a POJO and does not have any reference to a controller, DAO or business object unless the business object is a POJO itself. | 1 | PEMDV
G010 | The FormBackingObject reflects the properties and logic to be rendered by the view and not the properties and logic of the business object from which it retrieves values. | 1 | PEMDV
G011 | The FormBackingObject and the business object are not one and the same object. | 1 | PEMDV
G012 | The copyProperties() method of org.springframework.beans.BeanUtils is used to transfer values from the FormBackingObject to the business object (or vice versa). | 3 | PMDV
G013 | The controller is a separate class and implements all controller logic. | 1 | PEMD
G014 | Persistence logic is not contained by the business object but implemented in a separate DAO. | 1 | PEMDV
G015 | JSPs do not contain SQL statements or other persistence implementation-specific logic unless they are contained by a separate JSP tag. | 1 | PEMDRV
G016 | The plugin contains all resources not provided by dependencies or other presentation plugins and is capable of being deployed and functioning properly on any XperienCentral installation, as long as all its defined dependencies are available. | 1 | A
G017 | The version number of a plugin conforms to the syntax "major.minor.micro". | 1 | A
G019 | The version numbers of the plugin are independent of the XperienCentral release they were developed for. | 1 | A
G020 | If the datamodel of the plugin has been changed in a newer version of the plugin, the plugin must properly handle datamodel updates. | 2 | PEMDV
G021 | The API that XperienCentral provides is used to access the data model XperienCentral exposes. | 1 | A
G022 | XperienCentral features and API functions are used where possible instead of implementing custom functions. | 1 | A
G023 | When the plugin uses a service, a dependency on that service is defined in the component definition in order to retrieve a reference to the service. | 1 | A
G024 | Text, images and other GUI components are suitable for translation. | 3 | PEMCDV
G025 | Multilingual content that can be created using the plugin is translatable. | | PEMCDLFV
G026 | Language labels are defined in language resource files conforming to Java I18N and the filename meets the syntax messages_<language>_<country>_<variant>.properties. | 1 | PEMCDLFV
G027 | Label IDs in the language resource files use only lower case letters. | 1 | PEMCDLFV
G028 | Language labels in language resource files are grouped per component and prefixed with at least the ID of the component. | | PEMCDLFV
G034 | Documentation is available in at least the US English language. | 3 | PEMDFV
G035 | A plugin is distributed as a single ZIP file known as a WCA (WebManager Component Archive), which can also contain other related plugins. | 1 | A
G036 | The contents of the WCA conform to the defined directory structure. | 2 | A
G037 | The WCA contains a readme.txt and a changelog.txt. | 1 | A
G038 | The layout of the readme.txt and changelog.txt follows the defined templates. Click the links to the left to download the templates. | 1 | A
G039 | The plugin JAR file containing the software follows the defined directory structure. | 1 | A
G042 | The HTML generated by the JSPs for rendering the Editor is XHTML 1.0 Transitional compliant. | 3 | PEMDV
G045 | All content generated by the plugin is stored in the JCR, or in an external database if there is an obvious need for it. | 1 | PEMCDLFV
G046 | The configuration management service is used to store configuration options. No hard-coded web IDs, paths or URLs are used in the software. | 1 | PEMCDLFV
G047 | The preferences service is used to store all preferences. | 1 | PEMCDLFV
G048 | The output-html-encoded-quotes XSLT template is used to properly escape HTML strings in the output when using XSLT. | 1 | PEMDRV
G049 | SQL prepared statements are used for all SQL queries. | 1 | A
G050 | At least one RBAC category, containing one or more RBAC permissions for the component, is defined for each component which has a GUI representation. | 2 | PEDV
G051 | A permission category defines and implements at least the RBAC permissions as defined. | 2 | PEV
G052 | The implementation of RBAC permission handling is mainly programmed in a controller or service, not in the business object itself. The check is only performed in the business object itself if the permission defines authorization to retrieve or update that particular property only. | 2 | PEMDV
G053 | The definition of all RBAC permissions is positive. Permissions are defined in a way that assigning the permission to a role grants the role particular rights and never denies rights. | 1 | PEMDV
G055 | Coding conventions: the coding conventions that Sun publishes as the standard for the Java programming language are followed. | | A
G056 | Coding conventions: Java language features are used where applicable (Java version 5 and higher). | 3 | A
G057 | Coding conventions: Java Util Logging is used where applicable and proper log levels are used (Java version 5 and higher). | 1 | A
G058 | Coding conventions: Java concurrency utilities are used where applicable (Java version 5 and higher). | 3 | A
G059 | Coding conventions: old collections like Hashtable, Vector or Dictionary are not used if it can be avoided. | 1 | A
G060 | Coding conventions: the @Override annotation is used if a method is overridden from a super class. | | A
G061 | Coding conventions: the basic variant of the Hungarian notation is used. | | A
G063 | Coding conventions: the source code does not contain blank spaces before and after method arguments; however, spaces are used after Java keywords and commas. | | A
G064 | Coding conventions: declare variables and methods in the following order: class (static) variables, instance variables, constructors, methods. | | A
G067 | The FIXME comment is used during development to indicate that a code snippet is incorrect; FIXME comments do not appear in a released plugin. | | A
G068 | The TODO comment is used during development to indicate that a code snippet is incomplete; TODO comments do not appear in a released plugin. | | A
G069 | Coding conventions: spaces are used instead of tabs for trailing white space in the source code. | | A
G070 | Coding conventions: the size of one line in the software code is limited to 120 characters. | | A
G071 | Coding conventions: start brackets are added on the same line as the statement to which they apply, but ending brackets appear on a new line. | | A
G072 | Coding conventions: brackets are used in all cases, even for single line statements. | | A
G073 | Coding conventions: the source code conforms to the Javadoc conventions defined by Sun. | 2 | A
G074 | Coding conventions: public and protected classes, interfaces, variables and methods are tagged with Javadoc. | 2 | A
G075 | The Javadoc does not contain references to documents that might not be accessible to external developers. | 3 | A
G076 | General plugin classes conform to the defined naming conventions. | 1 | A
G077 | Element component classes conform to the defined naming conventions. | 1 | E
G078 | Element component classes conform to the defined hierarchy. | 1 | E
G079 | Media Item component classes conform to the defined naming conventions. | 1 | M
G080 | Media Item component classes conform to the defined hierarchy. | 1 | M
G081 | Panel component classes conform to the defined naming conventions. | 1 | P
G082 | Panel component classes conform to the defined hierarchy. | 1 | P
G083 | The domain used for naming is returned by ComponentBundleDefinition.getDomain(). | 1 | A
G084 | The plugin ID is returned by ComponentBundleDefinition.getWCBId(). | 1 | A
G087 | The prefix equals the plugin ID. | 1 | A
G089 | Package names used in the source code of the plugin conform to the package naming guidelines as defined by the Sun coding conventions. | 1 | A
G090 | Top level Java package names follow the syntax <domain>.<plugin ID>. | 1 | A
G095 | The artifact ID in the pom.xml equals the plugin ID. | 1 | A
G096 | The group ID in the pom.xml equals the domain. | 1 | A
G097 | The ID of the component bundle definition defined in the activator of the plugin conforms to the defined syntax. | 1 | A
G098 | The ID of each component definition contained by the plugin must be prefixed with the component bundle definition ID followed by an ID that is unique within the plugin, matches the component name and consists of lower case alphanumeric characters in the range [a-z]. This does not include the media item component definition. | 1 | A
G099 | All IDs and properties defined use only lower case letters. | 1 | A
G101 | The name of the RBAC category conforms to the syntax <top level domain>.<plugin ID>.<Component ID>. | 1 | PEMCDLFV
G102 | The technical name of each RBAC permission is prefixed with the technical name of the RBAC category, followed by a dot. | 1 | PEMCDLFV
G103 | Technical names of categories and permissions are in lower case, do not contain spaces, and separate words are separated by a dot. | 1 | PEMCDLFV
G104 | For CRUD actions, the defined naming conventions are used. | 2 | PEMCDLFV
G105 | In user documentation, the defined naming conventions are used for XperienCentral assets. | 3 | A
G106 | All names of labels, Java classes, methods, properties, etc. are in US English unless they represent translatable labels presented to the end user. | 1 | A
G107 | The CMU-SEI cyclomatic complexity (https://en.wikipedia.org/wiki/Cyclomatic_complexity) does not exceed 15. | 3 | PEMCDLFV
G108 | Online help covering the visible components contained by the plugin is available. | 2 | PEMDV
G109 | An API is exposed by a domain object interface when it consists of getters and setters for properties of that domain object. | 1 | PEMCDLFV
G110 | Implementations of a domain object interface are postfixed with "Impl". | 2 | PEMCDLFV
G111 | An API is exposed as a service when the API creates or deletes domain objects or operates on multiple domain objects. | 2 | PEMCDLFV
G112 | An API service managing entities is preferably postfixed with "ManagementService". | 3 | CV
G113 | A method handles an exception internally if it is recoverable. | 2 | A
G114 | A method throws a checked exception if it is unrecoverable and occurs in an area outside the immediate control of the program. | | A
G116 | Identifiers used by a plugin are defined in one class as public static final fields of that class. | 3 | A
G117 | A plugin exposes its identifiers by exposing the class as defined by guideline G116. | 3 | A
G118 | Any class or interface that is exposed by a plugin as API should be contained by a package called "api" directly under the plugin's root package, or by a sub-package of this package. | 2 | A
G119 | If content is stored in an internal relational database, the SQL scripts to create those database tables should be contained by the plugin in a /sqlscripts directory. | 2 | A
G120 | Each plugin should come with a unit test or test bundle that has a code coverage of at least 10%. | 3 | PEMCDLFV
G121 | The plugin ID only contains alphanumeric characters in the range [a-z]. | 1 | A
G122 | The domain only contains alphanumeric characters in the range [a-z] separated by dots. | 1 | A
G123 | In the JSPs, properly escaped strings in the HTML are output using standard JSTL functions. | 1 | PEMDRV
G124 | The content type of a media item component, which is defined by the @ContentType annotation, must equal the plugin ID or be prefixed by the plugin ID, and may only contain alphanumeric characters in the range [a-z]. | 1 | M
G125 | Use the Entity Manager as the DAO implementation to store entities in the JCR when possible. | | PEMCDLF
G126 | Creating and removing resources on which a plugin depends should be done automatically upon installation and purging of the plugin if possible. | 1 | A
G127 | Framework labels are grouped separately in the language resource files. | | PEMCDLFV
G128 | Language files are at least available in US English. | 2 | PEMCDLFV
G129 | A method should not catch an unchecked exception if it is unrecoverable and occurs in an area inside the immediate control of the program. | 1 | A
G131 | A new checked exception type is used as the wrapper for multiple checked exceptions if the number of thrown checked exceptions exceeds five. | 2 | A
G132 | The Javadoc clearly explains how the class or interface should be used, preferably by providing code examples. | 2 | A
G133 | For each package contained by the plugin, a package.html is provided that clarifies the purpose and contents of the package. | | A
G134 | HTML generated by the JSPs for rendering the website environment should be XHTML 1.0 Transitional compliant. | 3 | R
G135 | If a method of a class implements a method of an interface, refer to the Javadoc of the interface using the {@inheritDoc} annotation. | 2 | A
G136 | The bundleSymbolicName in the pom.xml matches the syntax <domain>.<plugin ID>. | 1 | A
G137 | The presentation plugin is self-sufficient and does not depend on any resource provided by another plugin unless it is another presentation plugin. | 1 | R
G138 | JSPs copied from the original XperienCentral platform presentation are copied to the specified directory. | 1 | R
G139 | The value of the name attribute in the descriptor of a JSP is prefixed by the plugin ID. | 1 | R
G140 | Static files used by the presentation plugin are located in a subdirectory that equals the plugin ID. | 1 | R
G141 | The software does not contain code snippets that are commented out, not used, or duplicates of other code snippets in the same plugin. | 2 | A
G142 | Media item JSPs that display the content of a media item contain a check to see whether the media item has not already been rendered within the same request. | 1 | MR
G143 | Use the Link.linkAttributes() method to build links in a JSP. | 1 | PEMDRV
G144 | Implement caching properly by providing SSIs. | 1 | PEMDRV
G145 | A plugin contains only those components that logically belong to each other. | 1 | R
G147 | The plugin does not contain the empty online help that was generated by the archetype. | 1 | A
G148 | Do not use public or protected instance variables. Use private instance variables with getters and setters instead. | 1 | A
G149 | The plugin ID and domain are approved by GX and the plugin (of this version) is registered. | 1 | A
G151 | The name of a scheduled job is prefixed by the plugin ID. | 1 | C
G152 | The ID of each configuration set defined by the plugin is prefixed by or equals the plugin ID. | 1 | A
G153 | The plugin contains an example frontend presentation if it requires such a presentation to work properly. | 2 | EMDFV
G154 | The plugin supports the software and hardware as described in Hardware and Software Requirements. | 2 | A

...

Note

More complete security guidelines are explained in /wiki/spaces/PD/pages/24707143. The topics in this section are only visible to certified GX Software partners and customers who are logged in to the GX Software domain.

...

    // Bad SQL query vulnerable to SQL injection: user input is concatenated into the SQL text
    String query = "select count(*) from users where name='" + name + "' and password='" + password + "'";

If the name and password are passed directly from the posted form into this query, the query is vulnerable to SQL injection. If the user enters the following username and password:

...

    username=' or 1=1 or name='
    password=' or 1=1 or password='

The query would always return 1. SQL injection can easily be prevented by using prepared statements instead. Prepared statements prevent SQL injection by automatically escaping the input. For this reason it is recommended that you use prepared statements in all cases. See java.sql.PreparedStatement [G049].
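The concatenated login query above placed next to the prepared-statement form that guideline G049 requires, as an added example written for this page; it is not XperienCentral or GX code. The table and column names (users, name, password) are taken from the snippet above. The Connection is assumed to be obtained from the plugin's usual data source, and the try-with-resources blocks assume Java 7 or later. With a prepared statement the SQL text stays constant and the two values travel to the database as parameters, so the injection string from the text is compared literally against the name column instead of rewriting the WHERE clause.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example for guideline G049 (not part of the XperienCentral platform or any GX plugin).
 * Compares the string-concatenated login query from the guideline text with a prepared statement.
 */
public class LoginQueryExample {

    /** Vulnerable: the caller's input becomes part of the SQL text. Kept only for contrast. */
    public static String buildUnsafeQuery(String name, String password) {
        return "select count(*) from users where name='" + name
                + "' and password='" + password + "'";
    }

    /** Vulnerable lookup: executes whatever SQL the concatenation produced. */
    public static boolean loginUnsafe(Connection con, String name, String password)
            throws SQLException {
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(buildUnsafeQuery(name, password))) {
            return rs.next() && rs.getInt(1) > 0;
        }
    }

    /** Constant SQL text: the two '?' placeholders are bound to values, never spliced in. */
    static final String LOGIN_SQL =
            "select count(*) from users where name=? and password=?";

    /** Prepared-statement lookup as required by G049 (assumed Connection from the data source). */
    public static boolean loginSafe(Connection con, String name, String password)
            throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, name);       // bound as a value; quotes inside it are data, not syntax
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) > 0;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: the injection string quoted in the guideline text.
        String name = "' or 1=1 or name='";
        String password = "' or 1=1 or password='";

        System.out.println("SQL text sent by the concatenated version:");
        System.out.println("  " + buildUnsafeQuery(name, password));
        System.out.println("SQL text sent by the prepared statement (values are sent separately):");
        System.out.println("  " + LOGIN_SQL);
    }
}
```

Running main shows the difference without a database: the concatenated version turns the WHERE clause into `name='' or 1=1 or name='' and password='' or 1=1 or password=''`, while the prepared statement always sends the same two-placeholder query. Wire loginSafe to a real Connection to use it; loginUnsafe is there only so the two shapes can be compared side by side.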

...

    // FIXME (ivol): this won't work if myNumber equals 0
    public int getProperty() {
        return 1 / myNumber;
    }

...