Hi,

In the matter of security, I wonder if we should stop using setters in
the internal API. Like in the SessionAware interface, we use setSession() and
each action must implement this method. Then we have a logic to avoid
mapping incoming values to setSession() to permit injecting values
into Session.

Instead of setSession() we can use withSession() or applySession() - the
same can be applied to any *Aware interface.

This will take time; we can mark existing interfaces or methods as
deprecated and put new ones as alternatives. Anyway, wdyt?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
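
An added example, not part of the original message and not Struts code: it shows why a `setSession()` method is reachable by name-based property binding while a `withSession()` method is not. The interfaces and action classes are hypothetical, and `java.beans.Introspector` is used as a stand-in for JavaBeans-style binding (an assumption; Struts maps request parameters through OGNL).

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class AwareSetterDemo {

    // Hypothetical stand-in for the current style: a JavaBeans setter.
    interface SetterStyleAware {
        void setSession(Map<String, Object> session);
    }

    // Hypothetical stand-in for the proposed style: not a setter by naming convention.
    interface WithStyleAware {
        void withSession(Map<String, Object> session);
    }

    public static class SetterAction implements SetterStyleAware {
        private Map<String, Object> session;
        private String name;
        @Override public void setSession(Map<String, Object> session) { this.session = session; }
        public void setName(String name) { this.name = name; } // legitimate form field
    }

    public static class WithAction implements WithStyleAware {
        private Map<String, Object> session;
        private String name;
        @Override public void withSession(Map<String, Object> session) { this.session = session; }
        public void setName(String name) { this.name = name; } // legitimate form field
    }

    // Names a property binder could write to, i.e. properties that have a setXxx() method.
    static Set<String> writableProperties(Class<?> type) throws IntrospectionException {
        Set<String> names = new TreeSet<>();
        BeanInfo info = Introspector.getBeanInfo(type, Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if (pd.getWriteMethod() != null) names.add(pd.getName());
        }
        return names;
    }

    public static void main(String[] args) throws IntrospectionException {
        // "session" is a bindable property only on the setter-style action.
        System.out.println("setter style: " + writableProperties(SetterAction.class));
        System.out.println("with style:   " + writableProperties(WithAction.class));
    }
}
```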
