Hi,

Another idea is to add some logic to handle the security aspects of the framework in one place - it would be some kind of stack of interfaces which will try to clean up the incoming request.
For example:

- ActionNameJudge#accept() will handle whether the action name matches the expected pattern, the same as what is already defined with a constant in DefaultActionMapper
- ParameterNameJudge#accept() will handle whether a given parameter name is acceptable - the same as what ParametersInterceptor does right now
- etc.

The idea is simple - have all the security-related logic in one place and have it applied to the whole framework, not just to some parts, i.e. someone will implement their own ActionMapper and won't escape/clear action names as it is done in DefaultActionMapper, and so on.

These handlers will be configured in struts-default.xml and the user can re-define them, add additional judges, etc.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
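A sketch of the judge stack proposed in the message above, added here as an illustration; it is not code from the Struts project or from the message's author. The `Judge` interface, the helper methods, the `screen` entry point and both patterns are hypothetical, constructed stand-ins for whatever would be configured in struts-default.xml.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class JudgeStackDemo {
    // Hypothetical contract shared by ActionNameJudge and ParameterNameJudge.
    interface Judge { boolean accept(String value); }

    // Allow-list judge: the whole value must match the configured pattern.
    static Judge pattern(String regex) {
        Pattern p = Pattern.compile(regex);
        return v -> v != null && p.matcher(v).matches();
    }

    // Example of an additional, user-defined judge.
    static Judge maxLength(int n) {
        return v -> v != null && v.length() <= n;
    }

    // Stack of judges: every judge must accept; an empty stack accepts nothing.
    static Judge stack(List<Judge> judges) {
        return v -> !judges.isEmpty() && judges.stream().allMatch(j -> j.accept(v));
    }

    // Constructed stand-in patterns, not the constants shipped in Struts.
    static final Judge ACTION_NAME =
            stack(List.of(pattern("[a-zA-Z0-9._!/-]+"), maxLength(64)));
    static final Judge PARAMETER_NAME =
            stack(List.of(pattern("\\w+(\\.\\w+|\\[\\d+\\])*")));

    // Single choke point, applied whichever ActionMapper parsed the request.
    static Map<String, String> screen(String action, Map<String, String> params) {
        if (!ACTION_NAME.accept(action)) {
            throw new IllegalArgumentException("rejected action name");
        }
        Map<String, String> kept = new LinkedHashMap<>();
        params.forEach((name, value) -> {
            if (PARAMETER_NAME.accept(name)) kept.put(name, value);
        });
        return kept;
    }

    public static void main(String[] args) {
        Map<String, String> in = new LinkedHashMap<>(); // constructed sample request
        in.put("user.name", "alice");
        in.put("items[0]", "42");
        in.put("bad name!", "x");
        System.out.println(screen("user/save", in));
        System.out.println(ACTION_NAME.accept("user save;"));
    }
}
```

Because the check sits in front of action mapping and parameter binding, a custom ActionMapper that skips its own name cleanup still has its input screened.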