On 10/23/07, Martin Gilday <[EMAIL PROTECTED]> wrote:
> Well I am looking at the Parameter Filter Interceptor
> (http://cwiki.apache.org/WW/parameter-filter-interceptor.html) which I
> am proposing we complement by allowing the same thing with annotations.
> Currently we have a wizard-like section in one of our sites which we are
> backing with Spring session scope beans. So the Struts2 Spring plugin
> injects it. To allow this we have a setMySessionBeanName(), which is
> public. So a user could call an action with a parameter
> mySessionBeanName.forename and change that value. You can stop that
> with the filter interceptor by defining mySessionBeanName as a blocked
> parameter name, I would prefer to mark it @NotAParameter.

Why not @blocked and @allowed for the properties, and @defaultBlock for the class?

-Ted.
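
A sketch of the annotation-driven filtering discussed in this thread, added here as an example; it is not code from the thread or from Struts 2. The annotations @Blocked, @Allowed and @DefaultBlock and the classes WizardAction and Person are hypothetical, and reading the annotations from the setter of the parameter's root property is an assumption.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

// Hypothetical annotations named after the thread's proposal; not Struts 2 API.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface Blocked {}
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface Allowed {}
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) @interface DefaultBlock {}

public class AnnotationParamFilter {
    // Constructed stand-ins for the session-scoped bean and the action.
    public static class Person { public String forename = "Alice"; }

    public static class WizardAction {
        private Person mySessionBeanName;
        private String step;
        @Blocked public void setMySessionBeanName(Person p) { mySessionBeanName = p; } // for injection only
        public void setStep(String s) { step = s; }                                     // genuine request input
    }

    // Root property of a parameter name: "a.b" -> "a", "a[0].b" -> "a", "a('k')" -> "a".
    static String rootProperty(String param) {
        int end = param.length();
        for (char c : new char[] {'.', '[', '('}) {
            int i = param.indexOf(c);
            if (i >= 0 && i < end) end = i;
        }
        return param.substring(0, end);
    }

    // Decide whether a request parameter may be bound to the action.
    static boolean isAccepted(Class<?> action, String param) {
        String root = rootProperty(param);
        if (root.isEmpty()) return false;
        String setter = "set" + Character.toUpperCase(root.charAt(0)) + root.substring(1);
        boolean allowed = false;
        for (Method m : action.getMethods()) {
            if (!m.getName().equals(setter) || m.getParameterCount() != 1) continue;
            if (m.isAnnotationPresent(Blocked.class)) return false; // @Blocked on any overload wins
            if (m.isAnnotationPresent(Allowed.class)) allowed = true;
        }
        // Unannotated or unknown properties follow the class-level default.
        return allowed || !action.isAnnotationPresent(DefaultBlock.class);
    }

    public static void main(String[] args) {
        String[] params = {"step", "mySessionBeanName.forename", "mySessionBeanName['forename']"};
        for (String p : params)
            System.out.println(p + " -> " + (isAccepted(WizardAction.class, p) ? "accepted" : "blocked"));
    }
}
```

Matching on the root property rather than the full string means nested and indexed forms of the same parameter are rejected together.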