Hi all, I was looking into an easy way to prevent people binding on fields they shouldn't be binding on.
Say you have a User object; you do not want people to be able to bind on the isAdmin property. Various people recommended using the ParameterFilterInterceptor for this, but it seems to be flat-out broken. When you configure an action like this:

    <action name="test" class="com.webapp.action.TestAction">
        <interceptor-ref name="param-namevalue-filter">
            <param name="blocked">name</param>
        </interceptor-ref>
        <interceptor-ref name="params"/>
    </action>

then this won't work:

    /test.action?name=myname

but this does:

    /test.action?(name)=jelmer

and so does this:

    /test.action?((name))=jelmer

And so on; in fact, it is impossible to block any parameter effectively with the ParameterFilterInterceptor.

BTW, I am aware that there is also the excludeParams method on the ParametersInterceptor that accepts a regexp, so theoretically you could use this to block parameters effectively, but it would be extremely hard to write a correct regexp for it. Also, I haven't found a way to configure both params interceptors in a paramsPrepareParamsStack. This will only configure the first params interceptor in the stack:

    <interceptor-ref name="clientCrudStack">
        <param name="params.excludeParams">some pattern</param>
    </interceptor-ref>

Struts really seems to be lacking in this area.
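The parenthesis bypass described in the post, worked through as an added stand-alone example (this is not code from the original post and contains no Struts code). The two filter methods are my own models of how the interceptors are assumed to match names: the ParameterFilterInterceptor "blocked" list as a literal comparison of the raw parameter name, and excludeParams as comma-separated regular expressions each tested against the whole name with Matcher.matches(). The request map and the `\bname\b` / `\bisAdmin\b` patterns are constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Stand-alone simulation of two Struts 2 parameter-blocking strategies.
 * Deliberately contains no Struts classes: each filter method only mimics
 * the matching rule the corresponding interceptor is assumed to apply.
 */
public class ParamFilterDemo {

    /** Constructed request (not captured traffic): the bypass variants from the post plus an isAdmin probe. */
    static Map<String, String> sampleRequest() {
        Map<String, String> req = new LinkedHashMap<>();
        req.put("name", "myname");
        req.put("(name)", "jelmer");
        req.put("((name))", "jelmer");
        req.put("isAdmin", "true");
        req.put("(isAdmin)", "true");
        req.put("email", "jelmer@example.org");
        return req;
    }

    /**
     * Assumed model of ParameterFilterInterceptor's "blocked" list: the raw parameter
     * name is compared literally, so "(name)" is not "name" and passes straight through
     * even though OGNL later evaluates it as the same property.
     */
    static Map<String, String> literalBlockList(Map<String, String> params, Set<String> blocked) {
        Map<String, String> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!blocked.contains(e.getKey())) {
                accepted.put(e.getKey(), e.getValue());
            }
        }
        return accepted;
    }

    /**
     * Assumed model of ParametersInterceptor's excludeParams: a comma-separated list of
     * regular expressions, each tested against the whole parameter name with matches().
     * A parameter is dropped if any pattern matches the full name.
     */
    static Map<String, String> regexExcludeList(Map<String, String> params, String excludeParams) {
        List<Pattern> patterns = new ArrayList<>();
        for (String p : excludeParams.split(",")) {
            patterns.add(Pattern.compile(p.trim()));
        }
        Map<String, String> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            boolean excluded = false;
            for (Pattern p : patterns) {
                if (p.matcher(e.getKey()).matches()) {
                    excluded = true;
                    break;
                }
            }
            if (!excluded) {
                accepted.put(e.getKey(), e.getValue());
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        Map<String, String> req = sampleRequest();

        // 1. Literal block list: only the bare "name" and "isAdmin" are stopped;
        //    "(name)", "((name))" and "(isAdmin)" are still accepted.
        System.out.println("blocked=name,isAdmin -> "
                + literalBlockList(req, Set.of("name", "isAdmin")).keySet());

        // 2. excludeParams="name,isAdmin" has the same weakness: matches() requires the
        //    whole name to match the pattern, and "(name)" does not equal "name".
        System.out.println("excludeParams=name,isAdmin -> "
                + regexExcludeList(req, "name,isAdmin").keySet());

        // 3. Unanchored patterns with a word boundary reject the property name wherever
        //    it appears inside the OGNL expression, so the wrapped variants are dropped
        //    as well. "email" survives because \bname\b does not occur inside it.
        System.out.println("excludeParams=.*\\bname\\b.*,.*\\bisAdmin\\b.* -> "
                + regexExcludeList(req, ".*\\bname\\b.*,.*\\bisAdmin\\b.*").keySet());
    }
}
```

Compile and run with `javac ParamFilterDemo.java && java ParamFilterDemo`. The first two runs keep every parenthesised variant; only the third leaves `email` as the sole accepted parameter. The caveat is the one the post raises: the pattern list has to be written by hand for each sensitive property, and a pattern that is anchored to the bare name (or that omits the leading and trailing `.*`) silently lets the wrapped spellings through.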