Makes sense. But I wouldn't want to fork the project because I am not a security expert. I couldn't maintain it well even though I want to integrate it. Also, I don't know if HDIV has aspirations outside of Struts which would make an SPI much more palatable.
What do you think about sharing the code between Struts projects? As a jar that would be used natively within the core?

Paul

On Dec 6, 2007 11:34 AM, Matt Raible <[EMAIL PROTECTED]> wrote:

> HDIV seems to solve a problem that most web application developers
> don't know they have. By "natively", I mean it's part of the core and
> you can't make your application less secure by ripping it out. It is
> Apache licensed after all.
>
> If rolling it into the core isn't an option, it would be nice if it
> was easier to integrate. Instead of requiring new tag libraries, it'd
> be nice if tag libraries (and Velocity/FreeMarker macros) were "HDIV
> aware". If an HDIV JAR/Plugin is on the classpath - use it.
>
> Matt
>
> On Dec 6, 2007, at 9:22 AM, Paul Benedict wrote:
>
> > Matt, I want to use HDIV natively in Struts 1 too -- which is why I was
> > hoping for an SPI interface which anyone can provide for an implementation.
> > What do you have in mind with "native" integration? And is your idea of
> > integration also against an SPI?
> >
> > Paul
> >
> > On Dec 6, 2007 10:18 AM, Matt Raible <[EMAIL PROTECTED]> wrote:
> >
> >> What about integrating HDIV natively so Struts is as secure as it can
> >> possibly be?
> >>
> >> Matt
> >>
> >> On Dec 5, 2007, at 11:08 PM, Paul Benedict wrote:
> >>
> >>> I've been emailing the authors of HDIV offline for quite some time. I take a
> >>> fond interest in data integrity and security, and believe their project is a
> >>> great benefit to Struts. The problem, of course, exists that S1 and S2 are
> >>> so radical in architecture that separate deliverables are required.
> >>>
> >>> I think a framework SPI should be provided so that library implementors can
> >>> scramble form data (e.g., hidden form field values) and provide whatever
> >>> encryption necessary. The goal would be for this SPI to be honored in both
> >>> Struts 1.4 and latest Struts 2.x. This would be the start of a shared
> >>> library between Struts versions.
> >>>
> >>> These are the current known extension points that the SPI would be invoked
> >>> for:
> >>>
> >>> 1. Form start point
> >>> 2. Form end point
> >>> 3. Link or form's action
> >>> 4. Form's Parameters name
> >>> 5. FoParameter's values
> >>>
> >>> Where is the right place to whiteboard this idea? Email or MoinMoin? And is
> >>> anyone else interested in helping?
> >>>
> >>> Paul
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
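
A sketch of the SPI proposed in the thread, with one hook per extension point in the numbered list, as an added example that is not code from the thread, Struts or HDIV. The interface and class names, the session binding and the HMAC construction are assumptions; the provider shown protects the integrity of the action and non-editable values only and does not scramble or encrypt them.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;

// Hypothetical SPI: one hook per extension point listed in the thread.
interface FormIntegrityProvider {
    void formStart(String sessionId);
    String action(String url);
    String parameterName(String name);
    String parameterValue(String name, String value, boolean editable);
    String formEnd(); // value for one extra hidden "state" field
}

// Constructed provider: names and values stay readable; the action and every
// non-editable value are bound to the session with an HMAC-SHA256 tag.
class HmacFormProvider implements FormIntegrityProvider {
    private final SecretKeySpec key;
    private final TreeMap<String, String> fixed = new TreeMap<>();
    private String sessionId = "", action = "";
    HmacFormProvider(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }
    public void formStart(String sessionId) { this.sessionId = sessionId; fixed.clear(); }
    public String action(String url) { action = url; return url; }
    public String parameterName(String name) { return name; }
    public String parameterValue(String name, String value, boolean editable) {
        if (!editable) fixed.put(name, value); // remember what the client must echo back
        return value;
    }
    public String formEnd() { return tag(sessionId, action, fixed); }

    // On submit: sentFixed holds the submitted values for the names the server-side
    // form definition marks non-editable (assumption); compare in constant time.
    boolean verify(String sessionId, String action, Map<String, String> sentFixed, String state) {
        byte[] expected = tag(sessionId, action, new TreeMap<>(sentFixed)).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, state.getBytes(StandardCharsets.US_ASCII));
    }
    private String tag(String sessionId, String action, TreeMap<String, String> fields) {
        StringBuilder sb = new StringBuilder(); // length prefixes keep field boundaries unambiguous
        for (String s : new String[] {sessionId, action}) sb.append(s.length()).append(':').append(s);
        fields.forEach((k, v) -> sb.append(k.length()).append(':').append(k).append(v.length()).append(':').append(v));
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            byte[] raw = mac.doFinal(sb.toString().getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

A changed hidden value, a dropped hidden field, a different action URL or a different session all produce a different tag, so `verify` returns false in each case.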