Hi,
I think you can only have problems with parameter names that have a public getter/setter in your action class.
On 09/Jul/07, at 22:09, Gunnar Hillert wrote:
Hi,
Bump...Nobody using the ParameterNameAware interface?
Any responses would be highly appreciated.
Thanks!
Gunnar
Gunnar Hillert wrote:
Hi,
I have a question regarding the ParametersInterceptor, specifically the ParameterNameAware interface. Since Struts 2 is typically injecting the form parameters into the action, I have some security concerns. It works really great but I fear that malicious users could somehow inject other parameters as well.
Therefore, during my current project (actually my first Struts 2 project), I made all actions implement the ParameterNameAware interface. Then in the acceptableParameterName method, I specified the permissible parameters for the action. This really works nicely but here is my question:
Is it generally a best practice to ALWAYS implement that interface when processing forms? (Or am I just too paranoid?) What is the general consensus on this issue? (I could not find too much information on this…)
Lastly, instead of using the interface, would it be a good idea to have a dedicated annotation for this?
Thanks!
Regards,
Gunnar Hillert
--
View this message in context: http://www.nabble.com/-S2--Form-Processing---Security---ParameterNameAware-tf3944023.html#a11509072
Sent from the Struts - User mailing list archive at Nabble.com.
--
Ing. Andrea Vettori
Information Technology Consultant
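
The allowlist approach discussed in this thread, as an added example that is not code from either poster or from the Struts project. RegisterAction, its fields and the request parameters are hypothetical; the nested ParameterNameAware is a stand-in with the same method as com.opensymphony.xwork2.interceptor.ParameterNameAware so the demo compiles without Struts on the classpath.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class RegisterActionDemo {

    // Stand-in mirroring Struts 2's
    // com.opensymphony.xwork2.interceptor.ParameterNameAware (assumption:
    // a real action imports that interface instead of declaring this one).
    interface ParameterNameAware {
        boolean acceptableParameterName(String parameterName);
    }

    // Hypothetical action: "role" has a public setter (used by other code),
    // but it must never be bound from the request.
    static class RegisterAction implements ParameterNameAware {
        private static final Set<String> ALLOWED =
                new HashSet<String>(Arrays.asList("username", "email"));
        private String username, email, role = "user";

        public void setUsername(String v) { username = v; }
        public void setEmail(String v) { email = v; }
        public void setRole(String v) { role = v; }
        public String getRole() { return role; }

        // Exact-match allowlist: nested or unknown names are refused.
        public boolean acceptableParameterName(String parameterName) {
            return ALLOWED.contains(parameterName);
        }
    }

    public static void main(String[] args) {
        // Constructed request parameters; the last two are not form fields.
        Map<String, String> request = new LinkedHashMap<String, String>();
        request.put("username", "gunnar");
        request.put("email", "g@example.org");
        request.put("role", "admin");
        request.put("account.role", "admin");

        RegisterAction action = new RegisterAction();
        for (String name : request.keySet()) {
            // ParametersInterceptor asks the action before setting each value.
            System.out.println(name + " -> "
                    + (action.acceptableParameterName(name) ? "bound" : "dropped"));
        }
    }
}
```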