[ https://issues.apache.org/jira/browse/WW-4751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15933412#comment-15933412 ]
Yasser Zamani commented on WW-4751:
-----------------------------------
I am working on this :)
> Struts2 should know and consider config time class of user's Actions
> --------------------------------------------------------------------
>
> Key: WW-4751
> URL: https://issues.apache.org/jira/browse/WW-4751
> Project: Struts 2
> Issue Type: Improvement
> Reporter: Yasser Zamani
> Priority: Minor
> Fix For: 2.5.next
>
>
> I see that some issues like WW-4105, WW-4694 and WW-4498 suffer from the lack of
> this information, i.e. the config time class of the user's action.
> I also know that future issues like the ones below are possible or likely to occur
> when Struts2 hands Actions over to an object factory and itself no longer knows
> anything about the Action's real class (i.e. when the user sets className to a bean
> name inside his object factory):
> * JSONResult will fail or will generate ugly JSON when the action is an AOPed
> proxy, because JSONResult tries to generate JSON from irrelevant information
> like advices etc.
> * From a security point of view, someone may successfully change that action's
> proxy or AOP information simply by calling that action and submitting some named
> parameters.
> I know these are solvable by forcing the user to specify includes/excludes
> parameters, but a better and more elegant approach is as below:
> (proxied action) -> ... -> (some subclass of action) -> ... -> (*user config
> time specified class*) -> ... -> (some superclass of action) -> ... ->
> Struts2's ActionSupport -> ...
> If we take the above as the type hierarchy of the action, then knowing the *user
> config time specified class*, Struts2 can exclude all sub-classes above this class
> and all super classes under and including ActionSupport in all sensitive
> places, to avoid potential future issues.
> What do you think? :)
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
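The hierarchy-based filter proposed in the quoted description, as an added illustration that is not part of the issue, the comment, or the Struts code base. The `ActionSupport` here is a constructed stub standing in for Struts2's real class, `BaseAction`, `UserAction` and the `UserAction$$Proxy` subclass are hypothetical types modelling "some superclass", "user config time specified class" and "proxied action" from the diagram, and `ConfigTimeClassFilter` is an assumed helper name. In Struts the config-time class would come from the action's configured `className`; here it is simply passed in.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Constructed stub standing in for Struts2's ActionSupport (not the real class).
class ActionSupport {
    // Framework plumbing that a request should never be able to set.
    public void setActionMessages(String m) {}
}

// Hypothetical project-wide base class between ActionSupport and the configured action.
class BaseAction extends ActionSupport {
    public void setTenant(String t) {}
}

// Hypothetical class the user named in the action configuration (className=...).
class UserAction extends BaseAction {
    private String username;
    public void setUsername(String u) { this.username = u; }
    public String getUsername() { return username; }
}

// Hypothetical object the factory actually hands back: an AOP-style subclass proxy.
class UserAction$$Proxy extends UserAction {
    // Proxy internals that named request parameters must not reach.
    public void setAdvice(String a) {}
}

public class ConfigTimeClassFilter {

    /**
     * True only if `declaring` lies on the hierarchy between the config-time class
     * (inclusive) and ActionSupport (exclusive). Subclasses of the config-time class,
     * ActionSupport itself and anything above it are rejected.
     */
    static boolean isAllowedDeclaringClass(Class<?> configTimeClass, Class<?> declaring) {
        for (Class<?> c = configTimeClass; c != null && c != ActionSupport.class; c = c.getSuperclass()) {
            if (c == declaring) {
                return true;
            }
        }
        return false;
    }

    /**
     * Names of the public one-argument setters on the runtime object that a request
     * would be allowed to populate, judged by the class that declares each setter
     * rather than by the runtime (possibly proxied) class.
     */
    static List<String> settableParameters(Class<?> configTimeClass, Object runtimeAction) {
        List<String> allowed = new ArrayList<>();
        for (Method m : runtimeAction.getClass().getMethods()) {
            if (!m.getName().startsWith("set") || m.getParameterCount() != 1) {
                continue;
            }
            if (isAllowedDeclaringClass(configTimeClass, m.getDeclaringClass())) {
                allowed.add(m.getName());
            }
        }
        Collections.sort(allowed); // getMethods() order is unspecified
        return allowed;
    }

    public static void main(String[] args) {
        // The factory returns the proxy, but the configuration named UserAction.
        Object runtime = new UserAction$$Proxy();
        List<String> params = settableParameters(UserAction.class, runtime);
        System.out.println("settable from request: " + params);
    }
}
```

With `UserAction` as the config-time class, the walk accepts setters declared on `UserAction` and `BaseAction` and rejects `setAdvice` (declared on the proxy subclass above the configured class) and `setActionMessages` (declared on `ActionSupport`), which is exactly the exclusion the description asks for without the user having to maintain includes/excludes parameters.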