Look at this related post too: http://www.nabble.com/paramsPrepareParams-vs.-staticParams-td18773842.html
2008/8/12, Rene Gielen <[EMAIL PROTECTED]>:
>
> On Tue, 12.08.2008, 14:20, Jeromy Evans wrote:
> >
> > This relates to Musachy's recent proposal to remove OGNL entirely from
> > the parameter-setting process. Which I think is a very good idea.
> >
>
> Indeed removing OGNL for parameters would fix this issue, but even if we
> would decide to do so this won't be trivial and might have many side
> effects.
>
> > If I've understood correctly, currently there is no way to filter the
> > parameter names, using regex or otherwise, other than to verify them using
> > a whitelist of valid names.
> >
>
> You can blacklist parameter names in the ParameterInterceptor ref,
> including the possibility to define RegExp patterns. The latter one is not
> possible for the ParameterFilterInterceptor right now, which I think is a
> feature we should add.
>
> Jelmer, would you mind creating a Jira issue for that?
> https://issues.apache.org/struts/
>
> - Rene
>
> > jelmer wrote:
> >> Hi all,
> >>
> >> I was looking into an easy way to prevent people binding on fields they
> >> shouldn't be binding on.
> >>
> >> Say you have a User object; you do not want people to be able to bind on
> >> the isAdmin property.
> >>
> >> Various people recommended using the ParameterFilterInterceptor for this,
> >> but it seems to be flat out broken.
> >>
> >> When you configure an action like this
> >>
> >> <action name="test" class="com.webapp.action.TestAction">
> >>     <interceptor-ref name="param-namevalue-filter">
> >>         <param name="blocked">name</param>
> >>     </interceptor-ref>
> >>     <interceptor-ref name="params"/>
> >> </action>
> >>
> >> then this won't work:
> >>
> >> /test.action?name=myname
> >>
> >> but this does:
> >>
> >> /test.action?(name)=jelmer
> >>
> >> and so does this:
> >>
> >> /test.action?((name))=jelmer
> >>
> >> And so on; in fact it is impossible to block any parameter effectively
> >> with the ParameterFilterInterceptor.
> >>
> >> Btw. I am aware that there is also the excludeParams method on the
> >> ParametersInterceptor that accepts a regexp, so theoretically you could
> >> use this to block parameters effectively, but it would be extremely hard
> >> to write a correct regexp for it. Also I haven't found a way to configure
> >> both params interceptors in a paramsPrepareParamsStack. This will only
> >> configure the first params interceptor in the stack:
> >>
> >> <interceptor-ref name="clientCrudStack">
> >>     <param name="params.excludeParams">some pattern</param>
> >> </interceptor-ref>
> >>
> >> Struts really seems to be lacking in this area.
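The thread's point is that a blocklist compared against the raw parameter name is bypassed by expression-shaped names such as `(name)` and `((name))`. As an added example (not code from this thread or from Struts), the check below takes the whitelist approach Jeromy describes: a name is accepted only when it is a plain property path, and the blocked-property list is then applied to each segment; the class and method names are assumptions.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not Struts code: accept a parameter name only when it is a
// plain property path, then apply the blocked-property list to each segment.
// Names shaped like expressions ("(name)", "((name))") never reach binding.
public class ParamNameFilter {
    // Plain property path: identifiers joined by '.', each with an optional
    // numeric index such as "roles[0]". Parentheses, quotes, '#', '@', '='
    // and whitespace cannot match, so such names are rejected outright.
    private static final Pattern PLAIN_PATH = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?(\\.[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?)*");

    private final Set<String> blockedProperties;

    public ParamNameFilter(Set<String> blockedProperties) {
        this.blockedProperties = blockedProperties;
    }

    /** True only for a plain path in which no segment is a blocked property. */
    public boolean isAllowed(String paramName) {
        if (paramName == null || !PLAIN_PATH.matcher(paramName).matches()) {
            return false; // not a plain property path: drop it
        }
        // Strip indexes, then check every segment ("user.admin" blocks on "admin")
        String[] segments = paramName.replaceAll("\\[[0-9]+\\]", "").split("\\.");
        return Arrays.stream(segments).noneMatch(blockedProperties::contains);
    }

    public static void main(String[] args) {
        // Constructed sample names: the blocked names from the thread plus
        // some ordinary and some expression-shaped ones.
        ParamNameFilter filter = new ParamNameFilter(Set.of("name", "admin"));
        String[] samples = {"name", "(name)", "((name))", "user.admin",
                            "email", "roles[0].label", "#foo", "a=b"};
        for (String s : samples) {
            System.out.println(s + " -> " + (filter.isAllowed(s) ? "bound" : "dropped"));
        }
    }
}
```

Because the grammar is a whitelist, the check does not need a regexp that anticipates every OGNL form; anything that is not a plain property path is dropped, and only plain paths are compared against the block list.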