Hi, In matter of security I wonder if we should stop using setters in internal API. Like in SessionAware interface we use setSession() and each actions must implement this method. Then we have a logic to avoid mapping incoming values to setSession() to permit injecting values into Session.
Instead setSession() we can use withSession() or applySession() - the same can be applied to any *Aware interface. This will take time, we can mark existing interfaces or methods as deprecated and put new one as alternatives. Anyway, wdyt? Regards -- Ćukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org For additional commands, e-mail: dev-h...@struts.apache.org