HDIV seems to solve a problem that most web application developers
don't know they have. By "natively", I mean it's part of the core and
you can't make your application less secure by ripping it out. It is
Apache licensed after all.
If rolling it into the core isn't an option, it would be nice if it
was easier to integrate. Instead of requiring new tag libraries, it'd
be nice if tag libraries (and Velocity/FreeMarker macros) were "HDIV
aware". If an HDIV JAR/Plugin is on the classpath - use it.
Matt
On Dec 6, 2007, at 9:22 AM, Paul Benedict wrote:
Matt, I want to use HDIV natively in Struts 1 too -- which is why I was
hoping for an SPI interface which anyone can provide for an implementation.
What do you have in mind with "native" integration? And is your idea of
integration also against an SPI?
Paul
On Dec 6, 2007 10:18 AM, Matt Raible <[EMAIL PROTECTED]> wrote:
What about integrating HDIV natively so Struts is as secure as it can
possibly be?
Matt
On Dec 5, 2007, at 11:08 PM, Paul Benedict wrote:
I've been emailing the authors of HDIV offline for quite some time. I take a
fond interest in data integrity and security, and believe their project is a
great benefit to Struts. The problem, of course, exists that S1 and S2 are
so radical in architecture that separate deliverables are required.
I think a framework SPI should be provided so that library implementors can
scramble form data (e.g., hidden form field values) and provide whatever
encryption necessary. The goal would be for this SPI to be honored in both
Struts 1.4 and latest Struts 2.x. This would be the start of a shared
library between Struts versions.
These are the current known extension points that the SPI would be invoked
for:
1. Form start point
2. Form end point
3. Link or form's action
4. Form's Parameters name
5. Form's Parameter's values
Where is the right place to whiteboard this idea? Email or MoinMoin? And is
anyone else interested in helping?
Paul
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
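
A sketch of what the SPI proposed in this thread could look like, as an added example that is not part of the thread and is not Struts or HDIV code: the five extension points become interface methods, and one provider protects hidden field values with an HMAC (integrity only, where the message speaks of scrambling and encryption). The interface and class names, the `restoreParamValue` hook and the demo key are assumptions.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Hypothetical SPI: names are illustrative, not a Struts or HDIV API.
interface FormDataProtector {
    default void formStart(String formId) { }                                   // 1. form start point
    default void formEnd(String formId) { }                                     // 2. form end point
    default String protectAction(String url) { return url; }                    // 3. link or form action
    default String protectParamName(String formId, String name) { return name; } // 4. parameter name
    String protectParamValue(String formId, String name, String value);         // 5. parameter value
    String restoreParamValue(String formId, String name, String sealed);        // assumed submit-side hook
}
// One possible provider: inherits the pass-through defaults, seals values with HMAC-SHA256.
final class HmacProtector implements FormDataProtector {
    private final SecretKeySpec key;
    HmacProtector(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }
    private String tag(String formId, String name, String value) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            // Length-prefixed form id and field name bind the tag to one field of one form.
            String msg = formId.length() + ":" + formId + name.length() + ":" + name + value;
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(msg.getBytes(UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public String protectParamValue(String formId, String name, String value) {
        return tag(formId, name, value) + "." + value;   // '.' never occurs in URL-safe Base64
    }
    public String restoreParamValue(String formId, String name, String sealed) {
        int dot = sealed.indexOf('.');
        String value = sealed.substring(dot + 1);        // no dot: whole string, empty tag below
        byte[] got = sealed.substring(0, Math.max(dot, 0)).getBytes(UTF_8);
        byte[] want = tag(formId, name, value).getBytes(UTF_8);
        if (!MessageDigest.isEqual(got, want))           // constant-time comparison
            throw new SecurityException("hidden field '" + name + "' was modified");
        return value;
    }
}
class Demo {
    public static void main(String[] args) {
        FormDataProtector p = new HmacProtector("constructed-demo-key".getBytes(UTF_8));
        String sealed = p.protectParamValue("editUser", "userId", "42");
        System.out.println(p.restoreParamValue("editUser", "userId", sealed));
        try { p.restoreParamValue("editUser", "userId", sealed.replace(".42", ".43")); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile the file with `javac` and run the `Demo` class; the second call simulates a hidden field edited in the browser before submit.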