[
https://issues.apache.org/struts/browse/WW-2760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=44558#action_44558
]
Musachy Barroso commented on WW-2760:
-------------------------------------
I think it is good to have it as an option, but the implementation suffers from
the same security vulnerability as WW-2761. It assumes that the field names
will be plain names, and not OGNL expressions. This could be re-implemented
by adding the annotations check to
com.opensymphony.xwork2.ognl.SecurityMemberAccess in xwork (trunk only), and
would not require another interceptor.
> Annotation-based Parameters Interceptor
> ---------------------------------------
>
> Key: WW-2760
> URL: https://issues.apache.org/struts/browse/WW-2760
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors
> Affects Versions: 2.0.11.2
> Reporter: Brian Relph
> Assignee: Musachy Barroso
> Priority: Minor
> Attachments: AcceptParameter.java, AcceptParameters.java,
> AnnotationParametersInterceptor.java, AnnotationParametersInterceptorTest.java
>
>
> Annotation-based parameters interceptor. Extends ParametersInterceptor, and
> allows you to annotate both the class (for the default accept policy for
> parameters), and each property individually (that will override the class
> annotation).
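
The concern raised in the comment above, as an added example that is not part of the original message and is not the attached AnnotationParametersInterceptor code: an annotation lookup keyed on the raw parameter name falls back to the class default for any name that is not a plain identifier, while a fail-closed check refuses such names. The `Accept` annotation, `SampleAction` class and the parameter names are hypothetical, constructed for illustration.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.regex.Pattern;

public class AnnotatedParamCheck {
    // Hypothetical stand-in for a per-property annotation; not the attached AcceptParameter.java.
    @Retention(RetentionPolicy.RUNTIME) @interface Accept { boolean value(); }

    // Constructed sample action: class default is "accept", one field opts out.
    @Accept(true)
    static class SampleAction {
        String name;
        @Accept(false) String role;
    }

    static final Pattern PLAIN = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    // Name-keyed lookup: the raw parameter name is treated as a field name.
    static boolean naiveAccept(Class<?> c, String param) {
        try {
            Accept a = c.getDeclaredField(param).getAnnotation(Accept.class);
            if (a != null) return a.value();
        } catch (NoSuchFieldException e) { /* no such field: fall through to class default */ }
        Accept d = c.getAnnotation(Accept.class);
        return d != null && d.value();
    }

    static boolean hasField(Class<?> c, String n) {
        try { c.getDeclaredField(n); return true; } catch (NoSuchFieldException e) { return false; }
    }

    // Fail closed: anything that is not a plain identifier naming a real field is refused.
    static boolean strictAccept(Class<?> c, String param) {
        return PLAIN.matcher(param).matches() && hasField(c, param) && naiveAccept(c, param);
    }

    public static void main(String[] args) {
        // Constructed names: plain, denied, and two non-plain names written in OGNL expression syntax.
        for (String p : new String[] {"name", "role", "['role']", "(role)"}) {
            System.out.printf("%-10s naive=%-5b strict=%b%n", p,
                naiveAccept(SampleAction.class, p), strictAccept(SampleAction.class, p));
        }
    }
}
```

The strict variant also refuses nested property paths. A check placed in a member-access hook such as SecurityMemberAccess, as the comment suggests, is handed the resolved member rather than the name string, so it does not depend on how the name was written.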