* I've been in discussions with our security team and settled on having the server just produce an internal error without letting anyone know what actually happened. Kind of lazy. Personally, it feels either way is fine. Probably for public code an appropriate exception should be thrown or an error added to the validation list.

* If you're talking about the interceptor, agreed, my omission. However, the tag doesn't seem to have that method, so if the form is called w/out a session, there could be a leak.

* Completely agree on this one. The whole reason for the interface is to force our internal developers to pay close attention to the code when upgrading from servlets (yup, we're still stuck in that era).

Thank you for the suggestions, I'll incorporate them shortly.

On 3/30/2017 2:50 PM, Nestor Hernandez wrote:
The CSRF integration is interesting; I have a couple of suggestions:

* It should not throw a generic IOException when CSRF validation fails, but a custom exception, maybe a CsrfValidationException.

* Prevent creating new sessions with getRequest().getSession( false ). If there is no session it should throw the exception.

* There's no need to introduce the interface CsrfProtected in order to get the current csrfToken. The csrfToken should always be in a request attribute for the user and the interceptor to use, something like JAX-RS MVC 1.0 does or even ASP.NET MVC does. Please check out http://www.agilejava.eu/2015/11/17/cool-security-feature-in-mvc-1-0/

2017-03-30 13:23 GMT-05:00 Juan Pablo Santos Rodríguez <[email protected]>:

Hi,

AFAIK, the big major changes are REST and async ActionBeans. Because of the latter, the minimum servlet-api is 3.0. Don't know anything about a 1.7 release, though.

br, juan pablo

p.s.: couldn't resist, also a Stripes - Spring Boot integration at https://github.com/juanpablo-santos/stripes-spring-boot O:-)

On Thu, Mar 30, 2017 at 3:05 AM, Daniil S <[email protected]> wrote:

Working on extracting CSRF for Stripes from our internal project. May be useful to some - https://github.com/SirDaniil/StripesCSRF (I remember there was a thread about this some time ago).

On 3/28/2017 8:22 PM, Joaquin Valdez wrote:

Hello! Just curious if there is any news on the release of Stripes 1.7? Or is there a feature list for Stripes 1.7?
Thanks,
Joaquin Valdez
[email protected]

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Stripes-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-users
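As an added illustration (not code from the StripesCSRF project or from anyone in this thread), here is how the three suggestions above could fit together in a single Stripes interceptor: a dedicated CsrfValidationException instead of IOException, validation that uses getSession(false) and never creates a session, and the token exposed through a request attribute so no ActionBean has to implement a marker interface. The Stripes types used (Interceptor, Intercepts, LifecycleStage, ExecutionContext, ErrorResolution) are the public 1.5/1.6 API as I know it; the attribute, parameter and session key name "csrfToken" and the exception class are my own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import net.sourceforge.stripes.action.ErrorResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.controller.ExecutionContext;
import net.sourceforge.stripes.controller.Interceptor;
import net.sourceforge.stripes.controller.Intercepts;
import net.sourceforge.stripes.controller.LifecycleStage;

/** Dedicated exception, as suggested in the thread (hypothetical name, not the project's). */
class CsrfValidationException extends Exception {
    CsrfValidationException(String message) { super(message); }
}

/**
 * Runs once per request, before the event handler. Session key, request attribute and
 * form field all share the name "csrfToken"; this name is an assumption of this example.
 */
@Intercepts(LifecycleStage.EventHandling)
public class CsrfInterceptor implements Interceptor {
    static final String TOKEN_KEY = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public Resolution intercept(ExecutionContext ctx) throws Exception {
        HttpServletRequest request = ctx.getActionBeanContext().getRequest();

        if (isStateChanging(request)) {
            try {
                validate(request);
            } catch (CsrfValidationException e) {
                // Keep the client's view generic (the thread settles on a bare error);
                // the detailed reason belongs in the server log, not in the response.
                return new ErrorResolution(403);
            }
        }

        // Publish the token as a request attribute so views can read ${csrfToken}
        // without the ActionBean implementing an interface. Rendering a form is the
        // one place a session may be created, because the token has to live somewhere.
        request.setAttribute(TOKEN_KEY, tokenFor(request.getSession(true)));
        return ctx.proceed();
    }

    /** Validation never creates a session: no session means no token was ever issued. */
    static void validate(HttpServletRequest request) throws CsrfValidationException {
        HttpSession session = request.getSession(false);
        if (session == null) {
            throw new CsrfValidationException("no session, so no CSRF token was issued");
        }
        Object expected = session.getAttribute(TOKEN_KEY);
        String supplied = request.getParameter(TOKEN_KEY);
        if (!(expected instanceof String) || supplied == null) {
            throw new CsrfValidationException("CSRF token missing");
        }
        // Constant-time comparison so a mismatch does not leak how many bytes matched.
        byte[] a = ((String) expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) {
            throw new CsrfValidationException("CSRF token mismatch");
        }
    }

    /** Returns the session's token, minting a 256-bit random one on first use. */
    static String tokenFor(HttpSession session) {
        synchronized (session) {
            Object existing = session.getAttribute(TOKEN_KEY);
            if (existing instanceof String) {
                return (String) existing;
            }
            byte[] bytes = new byte[32];
            RNG.nextBytes(bytes);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.setAttribute(TOKEN_KEY, token);
            return token;
        }
    }

    /** Only non-safe methods are checked; GET/HEAD/OPTIONS must not change state anyway. */
    private static boolean isStateChanging(HttpServletRequest request) {
        String m = request.getMethod();
        return !("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m));
    }
}
```

The interceptor is registered like any other Stripes interceptor, via the Interceptor.Classes init-param of the StripesFilter in web.xml, and each form adds a hidden field named csrfToken whose value comes from the request attribute. Note the split the thread is circling around: issuing a token while rendering a form legitimately creates a session, but validating one must not, otherwise a request with no session would get a fresh, empty session and a misleading "missing token" path instead of a clean rejection.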
