It's unusual that a feature such as this comes without penalty. If HDIV were native, what would be the performance cost? Complexity cost?
Although I have no clue what SPI means, I do see the web page mentions Struts by name, and says that it can be added to applications transparently. What if we were to start by adding HDIV to our example applications and posting the result in the sandbox? This would give us an opportunity to identify any pain points, as well as compare the performance impact. The vast majority of web applications run inside a firewall and are used by a handful of trusted employees. There are many cases where Klingon-grade security may not always trump day-to-day performance.

On the Struts 1 security front, there are also projects like the Struts SSL Extension which could be subsumed into the core.

-Ted.

On Dec 6, 2007 12:34 PM, Matt Raible <[EMAIL PROTECTED]> wrote:
> HDIV seems to solve a problem that most web application developers don't know they have. By "natively", I mean it's part of the core and you can't make your application less secure by ripping it out. It is Apache licensed after all.
>
> If rolling it into the core isn't an option, it would be nice if it was easier to integrate. Instead of requiring new tag libraries, it'd be nice if tag libraries (and Velocity/FreeMarker macros) were "HDIV aware". If an HDIV JAR/Plugin is on the classpath - use it.
>
> Matt
>
> On Dec 6, 2007, at 9:22 AM, Paul Benedict wrote:
>
> > Matt, I want to use HDIV natively in Struts 1 too -- which is why I was hoping for an SPI interface which anyone can provide for an implementation.
> > What do you have in mind with "native" integration? And is your idea of integration also against an SPI?
> >
> > Paul
> >
> > On Dec 6, 2007 10:18 AM, Matt Raible <[EMAIL PROTECTED]> wrote:
> >
> > > What about integrating HDIV natively so Struts is as secure as it can possibly be?
> > >
> > > Matt
> > >
> > > On Dec 5, 2007, at 11:08 PM, Paul Benedict wrote:
> > >
> > > > I've been emailing the authors of HDIV offline for quite some time. I take a fond interest in data integrity and security, and believe their project is a great benefit to Struts. The problem, of course, exists that S1 and S2 are so radical in architecture that separate deliverables are required.
> > > >
> > > > I think a framework SPI should be provided so that library implementors can scramble form data (e.g., hidden form field values) and provide whatever encryption necessary. The goal would be for this SPI to be honored in both Struts 1.4 and latest Struts 2.x. This would be the start of a shared library between Struts versions.
> > > >
> > > > These are the current known extension points that the SPI would be invoked for:
> > > >
> > > > 1. Form start point
> > > > 2. Form end point
> > > > 3. Link or form's action
> > > > 4. Form's Parameters name
> > > > 5. Form Parameter's values
> > > >
> > > > Where is the right place to whiteboard this idea? Email or MoinMoin? And is anyone else interested in helping?
> > > >
> > > > Paul

--
HTH, Ted
* <http://www.StrutsMentor.com/>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
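As an added illustration (not code from this thread, from HDIV, or from Struts) of what a library plugged into Paul's extension points 1, 2, 4 and 5 could do: sign the hidden-field names and values and the form action when the form is rendered, then verify the signature on submit so a tampered hidden value is rejected before the action runs. The class name `FormStateSigner`, the demo key and the field names are hypothetical; a real integration would keep a per-session key and carry the token in its own hidden field.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

/** Hypothetical HDIV-style integrity helper: sign at form render, verify at submit. */
public final class FormStateSigner {
    private static final String ALG = "HmacSHA256";
    private final byte[] key; // assumption: one secret per user session

    public FormStateSigner(byte[] key) { this.key = key.clone(); }

    /** Form start/end point: MAC over the action plus the non-editable fields. */
    public String sign(String action, Map<String, String> hiddenFields) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        mac.update(action.getBytes(StandardCharsets.UTF_8));
        // TreeMap gives a canonical order, so the token is independent of field order.
        for (Map.Entry<String, String> e : new TreeMap<>(hiddenFields).entrySet()) {
            mac.update((byte) 0); // separator between action, names and values
            mac.update(e.getKey().getBytes(StandardCharsets.UTF_8));
            mac.update((byte) 0);
            mac.update(e.getValue().getBytes(StandardCharsets.UTF_8));
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
    }

    /** On submit: recompute and compare in constant time; a mismatch means the request was altered. */
    public boolean verify(String action, Map<String, String> hiddenFields, String presented) throws Exception {
        if (presented == null) return false;
        byte[] expected = sign(action, hiddenFields).getBytes(StandardCharsets.UTF_8);
        byte[] given = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo values; not taken from any real application.
        FormStateSigner s = new FormStateSigner("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        Map<String, String> rendered = Map.of("accountId", "1042", "price", "19.99");
        String token = s.sign("/checkout.do", rendered);
        System.out.println("unchanged submit accepted: " + s.verify("/checkout.do", rendered, token));
        Map<String, String> altered = Map.of("accountId", "1042", "price", "0.01");
        System.out.println("altered submit accepted:   " + s.verify("/checkout.do", altered, token));
    }
}
```

The second check returns false, which is the point of the integration: the action never sees a hidden value that differs from what the framework rendered.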