----- Original Message -----
From: "Patrick Lightbody" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 1:06 AM
Subject: RE: [OS-webwork] Security again

> Well, I'm not sure if you know, but method calls are disabled during
> ParametersInterceptor, so I think that went a long way.

I've seen that. But it doesn't solve all issues.

The simplest case: I've got some Actions to work with "Account" beans. The Account bean has some updatable properties, but there are also properties that cannot be changed unless a special condition is met, for example the "balance" property. So the problem is that I have to put some restrictions on what properties can be set. It's so practical to attach this bean to the action. But because of these security issues I don't use WebWork's own ParametersInterceptor, and I created my own that is able to filter properties.

> I like your idea of utilizing AbstractUITag to help figure out what are
> "acceptable" names. We could, in the future, intimately tie the two
> together to do this dynamically I suppose (though that would alienate
> people not using the UI tag library).

Of course - that would be configurable. In fact - even I don't use UI tags all the time. But that would just be a useful feature.

Currently I'm doing something very similar but at the design stage - to make sure that I configured my parameter firewall correctly, I use an ant script to parse forms and find what names they contain. However, it doesn't work nicely if names are generated at runtime.

So - it's tempting to patch something....

--
Mike
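
The property filtering described in the message above, as an added example that is not part of the original message and is not WebWork code: a plain-Java allowlist applied to request parameters before they are bound to a bean, plus the design-time check of form field names against that allowlist. The class `ParameterFirewall`, the `account.*` parameter names and the sample request and form markup are assumptions made for illustration.

```java
import java.util.*;
import java.util.regex.*;

/** Hypothetical allowlist "parameter firewall"; not part of WebWork's API. */
public class ParameterFirewall {
    private final Set<String> allowed;

    public ParameterFirewall(Set<String> allowed) { this.allowed = Set.copyOf(allowed); }

    /** Keep only parameters whose exact name is allowlisted; record the rest. */
    public Map<String, String[]> filter(Map<String, String[]> raw, List<String> rejected) {
        Map<String, String[]> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : raw.entrySet()) {
            if (allowed.contains(e.getKey())) safe.put(e.getKey(), e.getValue());
            else rejected.add(e.getKey()); // worth logging: the form never sends these
        }
        return safe;
    }

    /** Design-time check: field names in static form markup that the allowlist would reject. */
    public Set<String> unlistedFormNames(String html) {
        Set<String> missing = new TreeSet<>();
        Matcher m = Pattern.compile(
            "<(?:input|select|textarea)\\b[^>]*\\bname\\s*=\\s*[\"']([^\"']+)[\"']",
            Pattern.CASE_INSENSITIVE).matcher(html);
        while (m.find()) if (!allowed.contains(m.group(1))) missing.add(m.group(1));
        return missing;
    }

    public static void main(String[] args) {
        ParameterFirewall fw = new ParameterFirewall(Set.of("account.name", "account.email"));
        // Constructed request: the two form fields plus an extra "balance" parameter.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("account.name", new String[] {"Mike"});
        request.put("account.email", new String[] {"mike@example.org"});
        request.put("account.balance", new String[] {"1000000"});

        List<String> rejected = new ArrayList<>();
        Map<String, String[]> safe = fw.filter(request, rejected);
        System.out.println("bound:    " + safe.keySet());
        System.out.println("rejected: " + rejected);

        // Constructed form markup: "account.phone" is in the form but not in the allowlist.
        String form = "<input type='text' name='account.name'>"
                    + "<input type=\"text\" name=\"account.email\">"
                    + "<input type='text' name='account.phone'>";
        System.out.println("form names missing from allowlist: " + fw.unlistedFormNames(form));
    }
}
```

As the message notes, the markup scan only sees names present in static form source; names generated at runtime have to be added to the allowlist by other means.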