[jira] [Work logged] (WW-5083) Fetch Metadata support

Sat, 01 Aug 2020 08:30:22 -0700 


     [ 
https://issues.apache.org/jira/browse/WW-5083?focusedWorklogId=465316&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-465316
 ]

ASF GitHub Bot logged work on WW-5083:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/Aug/20 15:29
            Start Date: 01/Aug/20 15:29
    Worklog Time Spent: 10m 
      Work Description: JCgH4164838Gh792C124B5 commented on a change in pull 
request #428:
URL: https://github.com/apache/struts/pull/428#discussion_r463972601



##########
File path: 
core/src/main/java/org/apache/struts2/interceptor/FetchMetadataInterceptor.java
##########
@@ -73,15 +76,31 @@ public String intercept(ActionInvocation invocation) throws 
Exception {
             return invocation.invoke();
         }
 
-        logger.atDebug().log(
-            "Fetch metadata rejected cross-origin request to %s",
-            contextPath
-        );
+        LOG.debug("Fetch metadata rejected cross-origin request to [{}]", 
contextPath);

Review comment:
       Hi.  It looks like this interceptor could produce a lot of logging 
output, to the point that it might flood the application's logs.
   Maybe the debug-level output is OK, since the developer can usually find the 
related forbidden (403) response in the access logs of the application server 
anyway ?
   Another option could be to use a `.info` level for the message instead 
(could still be suppressed if developers set minimum log level to warning, but 
easier to differentiate than debug-level).  What do you think ?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 465316)
    Time Spent: 4h 10m  (was: 4h)

> Fetch Metadata support
> ----------------------
>
>                 Key: WW-5083
>                 URL: https://issues.apache.org/jira/browse/WW-5083
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors
>            Reporter: Santiago Diaz
>            Priority: Major
>             Fix For: 2.6
>
>          Time Spent: 4h 10m
>  Remaining Estimate: 0h
>
> We'd like to add built-in Fetch Metadata support to Struts2 to provide a 
> simple security mechanism that developers can use to protect against 
> Cross-Site Request Forgery vulnerabilities



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to