> I guess why I don't like this mentality is that we > have these kinds of security holes all over the > place. If you expose getters or setters that are > unsafe in your action or _any_ of your model objects, > you can get that problem. The fact is that with > dynamic reflection that is controlled by URL > requests/params, you should consider anything > remotely close to the Action or its object graph to > be considered unsafe until you've explicitly added > your own security layer. > > To simply add this switch and give the impression > that it is now safe would be very misleading. >
While I see your point that this one flag won't make everything 100% secure, at least with getters and setters, you know that's what they're designed to do. You can also control the setting of properties from the request params via the interceptor stack, including filtering out params you don't want set. You can't (currently) control the "!" notation and what methods it can call. I'd say we need to group a bunch of security-related settings in the config and let people choose, but I'd agree with Ted that the more secure option should be the default, especially if we're talking about deprecating and removing the "!" notation in the future. --------------------------------------------------------------------- Posted via Jive Forums http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82233#82233 --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
