This relates to Musachy's recent proposal to remove OGNL entirely from the parameter-setting process, which I think is a very good idea.

If I've understood correctly, currently there is no way to filter the parameter names, using regex or otherwise, other than to verify them against a whitelist of valid names.
jelmer wrote:

Hi all,

I was looking into an easy way to prevent people binding on fields they shouldn't be binding on. Say you have a User object, you do not want people to be able to bind on the isAdmin property. Various people recommended using the ParameterFilterInterceptor for this, but it seems to be flat out broken. When you configure an action like this:

    <action name="test" class="com.webapp.action.TestAction">
        <interceptor-ref name="param-namevalue-filter">
            <param name="blocked">name</param>
        </interceptor-ref>
        <interceptor-ref name="params"/>
    </action>

then this won't work:

    /test.action?name=myname

but this does:

    /test.action?(name)=jelmer

and so does this:

    /test.action?((name))=jelmer

And so on; in fact it is impossible to block any parameter effectively with the ParameterFilterInterceptor.

Btw. I am aware that there is also the excludeParams method on the ParametersInterceptor that accepts a regexp, so theoretically you could use this to block parameters effectively, but it would be extremely hard to write a correct regexp for it. Also I haven't found a way to configure both params interceptors in a paramsPrepareParamsStack. This will only configure the first params interceptor in the stack:

    <interceptor-ref name="clientCrudStack">
        <param name="params.excludeParams">some pattern</param>
    </interceptor-ref>

Struts really seems to be lacking in this area.
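The whitelist approach mentioned above, as an added example that is not part of this thread or of Struts itself: a hypothetical interceptor (class, regex and the `allowed` parameter name are my own) that drops every request parameter whose name is not both on an explicit whitelist and a plain property path, so expression-shaped names like `(name)` never reach the params interceptor. It assumes the Struts 2.1 / XWork 2.1 `ActionContext` and `AbstractInterceptor` APIs.

```java
// Added example, not Struts' own code: keep only parameters whose names are on an
// explicit whitelist AND match a strict property-path grammar, so "(name)", "((name))"
// and other OGNL expressions never reach the params interceptor. Configure it before
// "params" (before both of them in paramsPrepareParamsStack), e.g.
//   <interceptor-ref name="whitelistParams"><param name="allowed">name,email</param></interceptor-ref>
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class WhitelistParamsInterceptor extends AbstractInterceptor {
    // Plain property paths only: "name", "user.email", "items[0].qty".
    // Parentheses, quotes, '#', '@', '=' and whitespace are all rejected.
    private static final Pattern SAFE_NAME = Pattern.compile(
        "^[a-zA-Z][a-zA-Z0-9_]*(\\[\\d{1,3}\\])?(\\.[a-zA-Z][a-zA-Z0-9_]*(\\[\\d{1,3}\\])?)*$");
    // Root properties the action may bind; anything else (e.g. isAdmin) is dropped.
    private final Set<String> allowed = new HashSet<String>();

    // Populated from <param name="allowed"> in struts.xml (hypothetical setting name).
    public void setAllowed(String csv) {
        allowed.clear();
        for (String s : csv.split(",")) {
            if (s.trim().length() > 0) allowed.add(s.trim());
        }
    }
    // "user.email" -> "user", "items[0].qty" -> "items"
    static String rootProperty(String name) {
        int end = name.length();
        for (char c : new char[] {'.', '['}) {
            int i = name.indexOf(c);
            if (i >= 0 && i < end) end = i;
        }
        return name.substring(0, end);
    }
    public boolean accept(String name) {
        return SAFE_NAME.matcher(name).matches() && allowed.contains(rootProperty(name));
    }
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext ctx = invocation.getInvocationContext();
        Map<String, Object> filtered = new LinkedHashMap<String, Object>();
        for (Map.Entry<String, Object> e : ctx.getParameters().entrySet()) {
            if (accept(e.getKey())) filtered.put(e.getKey(), e.getValue());
        }
        ctx.setParameters(filtered); // the params interceptor now sees only whitelisted names
        return invocation.invoke();
    }
}
```

With `allowed` set to `name,email`, `accept("name")` and `accept("user.email")` are false/true according to the root property only, while `accept("(name)")` and `accept("isAdmin")` are both rejected: the first by the grammar, the second by the whitelist.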
