Well, I am looking at the Parameter Filter Interceptor (http://cwiki.apache.org/WW/parameter-filter-interceptor.html), which I am proposing we complement by allowing the same thing with annotations. Currently we have a wizard-like section in one of our sites which we are backing with Spring session-scoped beans, so the Struts2 Spring plugin injects it. To allow this we have a setMySessionBeanName(), which is public. So a user could call an action with a parameter mySessionBeanName.forename and change that value. You can stop that with the filter interceptor by defining mySessionBeanName as a blocked parameter name; I would prefer to mark it @NotAParameter.
We use Acegi to block Actions on a role basis. I know you can also block method invocations on POJOs, but have never gone that far. Could Acegi help with the use case above?

Thanks,
Martin.

----- Original message -----
From: "Brian Pontarelli" <[EMAIL PROTECTED]>
To: "Struts Developers List" <dev@struts.apache.org>
Date: Tue, 23 Oct 2007 13:13:24 -0600
Subject: Re: [S2] Plugins gone wild!

This sounds more of a security level concern and is currently handled by ACEGI and I would assume other projects as well. Or am I missing something?

-bp

Martin Gilday wrote:
> Whereabouts is the annotations plugin housed? I could not see it in
> the struts2 trunk or sandbox trunk. Following Don's comment in this
> https://issues.apache.org/struts/browse/WW-2264 I was interested in
> trying to create this feature: "A new feature we could add would be a
> new annotation so that a user could annotate which setters/getters can
> be accessed, which is probably a good idea regardless." My initial
> idea was another flag on the parameter interceptor which, when enabled,
> would only set against the action when an annotation is present on the
> setter. It might make more sense for this feature/annotation to be part
> of the annotations plugin. Does anyone else see this as a useful
> feature? I'd rather annotate what I want to permit to be set than
> exclude my DAO/Services (which are required by the Spring plugin).
>
>
> ----- Original message -----
> From: "Ted Husted" <[EMAIL PROTECTED]>
> To: "Struts Developers List" <dev@struts.apache.org>
> Date: Tue, 23 Oct 2007 06:20:13 -0400
> Subject: Re: [S2] Plugins gone wild!
>
> So, to follow-up, the amended struts-core-plugins.jar list seems to be
>
> * annotations plugin (new)
> * codebehind plugin (including zero-config)
> * tags plugin (new)
>
> I'd like to keep codebehind in the core, since I believe we are on
> track for making XML-action-free Struts apps the recommended approach.
>
> Though, when we say that, I don't think we need to excise the
> struts.xml and go back to using struts.properties. Using the
> struts.xml to set one-time global configuration parameters is very
> different from using the struts.xml to describe all of the
> application's actions.
>
> -Ted.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
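Martin's @NotAParameter idea, as an added illustration that is neither part of this thread nor Struts' own code: a hypothetical marker annotation on the Spring-injected setter, plus a toy reflective binder standing in for the parameters interceptor that refuses any dotted parameter whose path crosses a marked (or missing) setter. WizardState, WizardAction and every property name other than mySessionBeanName are assumed for the demonstration.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
/** Hypothetical marker: a setter carrying it must never be reachable from request parameters. */
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface NotAParameter {}

/** Stand-in for the Spring session-scoped wizard bean (assumed name). */
class WizardState {
    private String forename = "from-session";
    public String getForename() { return forename; }
    public void setForename(String v) { forename = v; }
}

/** Stand-in for the action: Spring needs the public setter, request parameters must not. */
class WizardAction {
    private WizardState mySessionBeanName = new WizardState();
    private String page;
    @NotAParameter
    public void setMySessionBeanName(WizardState s) { mySessionBeanName = s; }
    public WizardState getMySessionBeanName() { return mySessionBeanName; }
    public void setPage(String v) { page = v; }   // a genuine form field, left bindable
}

/** Toy binder imitating parameter binding: "a.b" walks getters, then calls the last setter. */
class ParamBinder {
    /** Applies a String-valued parameter; returns false when the name is refused. */
    static boolean apply(Object action, String name, String value) throws Exception {
        Object cur = action;
        String[] path = name.split("\\.");
        for (int i = 0; i < path.length; i++) {
            String cap = Character.toUpperCase(path[i].charAt(0)) + path[i].substring(1);
            Method setter = findSetter(cur.getClass(), "set" + cap);
            // The guard: a missing or @NotAParameter setter ends the walk, so "mySessionBeanName.forename" never reaches the bean.
            if (setter == null || setter.isAnnotationPresent(NotAParameter.class)) return false;
            if (i == path.length - 1) { setter.invoke(cur, value); return true; }
            cur = cur.getClass().getMethod("get" + cap).invoke(cur);
        }
        return false;
    }
    private static Method findSetter(Class<?> c, String n) {
        for (Method m : c.getMethods()) if (m.getName().equals(n) && m.getParameterCount() == 1) return m;
        return null;
    }
    public static void main(String[] args) throws Exception {
        WizardAction act = new WizardAction();
        boolean pageSet = apply(act, "page", "2");                             // ordinary form field
        boolean beanSet = apply(act, "mySessionBeanName.forename", "Mallory"); // crosses the marked setter
        System.out.println(pageSet + " " + beanSet + " " + act.getMySessionBeanName().getForename());
    }
}
```

Without the annotation the same binder applies mySessionBeanName.forename straight into the session bean, which is the exposure the filter interceptor's blocked list closes today.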