I was researching the SessionAware interface as I'm planning on adding a tutorial on how to use the HTTP Session object from within a Struts Action class to the tutorials at: https://cwiki.apache.org/confluence/display/WW/Getting+Started

I ran across this blog post (http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html) and Struts 2 JIRA issue WW-3631 (https://issues.apache.org/jira/browse/WW-3631) that discuss a security vulnerability when using SessionAware. I'd like to include in the tutorial the best practices for mitigating this vulnerability.

Here is what I think programmers who use SessionAware in their Action class should do to mitigate this vulnerability:

1. Do not create a public Map<String, Object> getSession() method in the Action class.

2. Also implement the ParameterNameAware interface and override its acceptableParameterName method as follows:

    public boolean acceptableParameterName(String parameterName) {
        // Reject any request parameter whose name refers to the session or
        // request objects, so the ParametersInterceptor will not bind it via OGNL.
        boolean allowedParameterName = true;
        if (parameterName.contains("session") || parameterName.contains("request")) {
            allowedParameterName = false;
        }
        return allowedParameterName;
    }

I'd certainly appreciate any feedback on best practices to follow when implementing the SessionAware interface and how to mitigate the security vulnerability.

Thank You,
Bruce Phillips

--
View this message in context: http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5502292.html
Sent from the Struts - User mailing list archive at Nabble.com.
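The following is an added illustration of the two measures described in the post; it is not code from the post or from the Struts project. It shows a Struts 2 action that keeps the injected session map in a private field with no public getSession(), and an acceptableParameterName that rejects framework property paths and then accepts only an explicit allow-list of the parameters the action expects (the allow-list goes beyond the substring deny rule in the post). The package, class, field and parameter names are assumptions; the API used is SessionAware, ParameterNameAware and ActionSupport as found in Struts 2.3.

```java
package example.actions; // hypothetical package name

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

/**
 * Hypothetical profile-editing action. The session map is only ever reachable
 * through the private field below: there is deliberately no public getSession(),
 * so no "session" property exists for the ParametersInterceptor to walk into.
 */
public class ProfileAction extends ActionSupport implements SessionAware, ParameterNameAware {

    // Allow-list: the only request parameters this action accepts. Anything
    // else is dropped by the ParametersInterceptor before any setter is called.
    private static final Set<String> ALLOWED_PARAMETERS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("displayName", "emailAddress")));

    // Defence in depth: OGNL paths that start with a framework object name
    // (session, request, application, ...) are never acceptable, even if someone
    // later adds such a name to the allow-list by mistake. Case-insensitive so
    // that capitalisation variants are treated the same way.
    private static final Pattern FRAMEWORK_PATH = Pattern.compile(
            "(?i)^(session|request|application|struts|servletRequest|servletResponse)(\\.|\\[|$)");

    // Injected by the ServletConfigInterceptor via setSession(); kept private.
    private Map<String, Object> session;

    private String displayName;
    private String emailAddress;

    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    /**
     * Called by the ParametersInterceptor for every request parameter name.
     * Returning false means the parameter is silently ignored.
     */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        if (parameterName == null || FRAMEWORK_PATH.matcher(parameterName).find()) {
            return false;
        }
        return ALLOWED_PARAMETERS.contains(parameterName);
    }

    @Override
    public String execute() {
        // Session writes go through the private field, never through a getter
        // that OGNL could reach from a request parameter.
        session.put("displayName", displayName);
        session.put("emailAddress", emailAddress);
        return SUCCESS;
    }

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }

    public String getEmailAddress() { return emailAddress; }
    public void setEmailAddress(String emailAddress) { this.emailAddress = emailAddress; }
}
```

With an allow-list the action does not depend on guessing which substrings in a parameter name are dangerous: every parameter that is not one the action declares is rejected, and the regex backstop only guards against a future edit to the allow-list. Keeping the session map in a private field is what actually removes the "session" property from the action's OGNL-visible surface; the ParameterNameAware check is the second layer.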