[ https://issues.apache.org/jira/browse/WW-3499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17872277#comment-17872277 ]
Kusal Kithul-Godage commented on WW-3499:
-----------------------------------------

The AnnotationParameterFilterInterceptor has now been replaced with the @StrutsParameter capability, which is integrated directly into ParametersInterceptor. This new annotation does allow you to restrict the depth to which a JavaBean is injected, but there is still no control over what fields within a JavaBean are accessible, which seems to be what you are requesting.

[~jafl5272] Could you expand on the use-case for this: why do you want to mix user-controlled state with other state in your JavaBean? There should be a clear separation between user-controlled state and application state; by mixing them you're elevating the likelihood of introducing a security bug.

[~lukaszlenart] I'm leaning towards closing this as Won't Do, pending reporter response.

> AnnotationParameterFilterInterceptor should support deep OGNL
> ------------------------------------------------------------
>
> Key: WW-3499
> URL: https://issues.apache.org/jira/browse/WW-3499
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 2.2.1
> Reporter: John Lindal
> Priority: Major
> Fix For: 7.0.0
>
>
> The code already has a comment about enhancing the interceptor to match the
> start of an OGNL expression instead of only an exact parameter name. What it
> really needs, however, is to enhance the Allowed annotation to store a list
> of white-listed OGNL prefix expressions. This allows control over what parts
> of a bean may be modified, not just whether or not the entire bean can be
> modified.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
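The separation the comment asks for, shown as an added example (not code from the Struts project or from anyone in this thread): a hypothetical action that exposes a dedicated request-input bean through @StrutsParameter with a depth limit, while application state lives in a separate, unannotated bean that ParametersInterceptor will not populate. It assumes Struts 6.4+/7.0 with struts.parameters.requireAnnotations enabled (the 7.0 default); the class and property names are made up.

```java
package example; // hypothetical package

import org.apache.struts2.interceptor.parameter.StrutsParameter;

public class UpdateProfileAction {

    // Holds ONLY request-controlled state: every property here is meant to be
    // settable from request parameters.
    public static class ProfileForm {
        private String displayName;
        private String email;
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String v) { displayName = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
    }

    // Holds application state (authorization etc.). Deliberately NOT annotated,
    // so ParametersInterceptor rejects and logs any attempt to inject into it.
    public static class Account {
        private boolean admin;
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    private final ProfileForm form = new ProfileForm();
    private final Account account = new Account();

    // depth = 1 permits parameters one level below this property, e.g.
    // form.displayName and form.email, but nothing nested deeper.
    @StrutsParameter(depth = 1)
    public ProfileForm getForm() { return form; }

    // No annotation: a request parameter such as account.admin is not applied.
    public Account getAccount() { return account; }

    public String execute() {
        // Copy validated form fields onto application state here; which fields
        // cross over is decided by this code, never by the request.
        return "success";
    }
}
```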