Oh yes, that sounds like a great idea!
I wonder why we didn't come up with this earlier, the simplest ideas are the 
hardest to find ;)

My preference would be the name withSession.


Regards,
Christoph



-----Ursprüngliche Nachricht-----
Von: Lukasz Lenart [mailto:lukaszlen...@apache.org] 
Gesendet: Mittwoch, 19. September 2018 08:50
An: Struts Developers List <dev@struts.apache.org>
Betreff: Avoid using setters

Hi,

In matter of security I wonder if we should stop using setters in
internal API. Like in SessionAware interface we use setSession() and
each actions must implement this method. Then we have a logic to avoid
mapping incoming values to setSession() to permit injecting values
into Session.

Instead setSession() we can use withSession() or applySession() - the
same can be applied to any *Aware interface.

This will take time, we can mark existing interfaces or methods as
deprecated and put new one as alternatives. Anyway, wdyt?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org

Reply via email to