I must admit that I have not been focused too much on this list recently, so I might have missed this topic, but I was thinking about the solution to prevent security attacks on WW code that is potentially vulnerable to many things. I remember Pat described those problems as "ease of access". In fact, due to ease of access it's relatively easy to omit serious security problems. In many cases it's tempting just to add more beans to your actions that are exposed to ParameterInterceptor, sometimes in a manner you just haven't thought of.
I once proposed some patches to ParameterInterceptor to filter the values it passes using allow/deny regexp patterns. I'm using this solution myself. However, the con is that I'm still actively involved in creating security patterns. Humans are usually the weakest links in security chains, so I'm trying to eliminate myself from the process of defining security by applying a default "deny all" policy, then selectively opening only the necessary things.

So now I would propose to patch AbstractUITag to collect all 'name' attribute values in a well-known place. Then this information may be used by a patched ParameterInterceptor to check which parameters are actually allowed to pass.

-- Mike

_______________________________________________
Opensymphony-webwork mailing list
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
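The mechanism Mike proposes, as an added example that is neither his patch nor WebWork's own code: a registry that the form-rendering UI tags fill with every `name` attribute they emit, and a filter that a parameter interceptor can apply so that only rendered names pass by default, narrowed further by deny patterns. The class `RenderedParameterAllowList`, its methods, and the per-form storage note are assumptions for illustration; the sample request parameters are constructed.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical allow-list registry (not WebWork's own code). The UI tags that render a
 * form record every 'name' they emit; the parameter interceptor later lets through only
 * those names ("deny all" by default), optionally narrowed further by deny patterns.
 */
public final class RenderedParameterAllowList {

    // Names emitted by the UI tags while rendering the form. Assumption: a real
    // implementation stores this per form and per session (for example keyed by a
    // form token) so that one form's allow-list cannot be reused against another action.
    private final Set<String> renderedNames = new HashSet<>();

    // Extra deny patterns, applied even to rendered names (defence in depth).
    private final List<Pattern> denyPatterns = new ArrayList<>();

    /** Called by the (patched) UI tag each time it writes a name="..." attribute. */
    public void register(String name) {
        if (name != null && !name.isEmpty()) {
            renderedNames.add(name);
        }
    }

    /** Adds a regex that blocks a parameter name even if a tag rendered it. */
    public void deny(String regex) {
        denyPatterns.add(Pattern.compile(regex));
    }

    /** A name passes only if it was rendered and matches no deny pattern. */
    public boolean isAllowed(String name) {
        if (!renderedNames.contains(name)) {
            return false; // never rendered: deny by default
        }
        for (Pattern p : denyPatterns) {
            if (p.matcher(name).matches()) {
                return false; // explicitly denied
            }
        }
        return true;
    }

    /**
     * Returns a copy of the request parameters containing only allowed names.
     * Rejected names are collected so the interceptor can log them: parameter names
     * that no form rendered are a useful detection signal for tampering attempts.
     */
    public Map<String, String[]> filter(Map<String, String[]> requestParams, List<String> rejected) {
        Map<String, String[]> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : requestParams.entrySet()) {
            if (isAllowed(e.getKey())) {
                accepted.put(e.getKey(), e.getValue());
            } else {
                rejected.add(e.getKey());
            }
        }
        return accepted;
    }

    // Constructed demo: a form renders three fields, the request carries four parameters.
    public static void main(String[] args) {
        RenderedParameterAllowList allowList = new RenderedParameterAllowList();
        allowList.register("user.login"); // e.g. a textfield tag with name="user.login"
        allowList.register("user.email");
        allowList.register("user.role");  // rendered, but blocked below by pattern
        allowList.deny("^.*\\.role$");

        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("user.login", new String[] {"alice"});
        request.put("user.email", new String[] {"alice@example.org"});
        request.put("user.role", new String[] {"admin"});   // rendered but denied by regex
        request.put("user.admin", new String[] {"true"});   // never rendered: dropped

        List<String> rejected = new ArrayList<>();
        Map<String, String[]> accepted = allowList.filter(request, rejected);
        System.out.println("accepted: " + accepted.keySet());
        System.out.println("rejected: " + rejected);
    }
}
```

In the demo, only `user.login` and `user.email` reach the action; `user.role` is rendered but caught by the deny pattern, and `user.admin` is dropped because no tag ever rendered it. The `rejected` list is what the interceptor would write to its log, so an unexpected bean property showing up in requests is visible without anyone having to anticipate it in advance.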