Lukasz: Good idea on letting Struts 2 developers know that, instead of implementing the ParameterNameAware interface, they can change the excludeParams value as part of the package setup.
So I'll add to my code example:

    <package name="basicstruts2" extends="struts-default">
      <interceptors>
        <interceptor-stack name="appDefault">
          <interceptor-ref name="defaultStack">
            true
            ERROR
            dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*
          </interceptor-ref>
        </interceptor-stack>
      </interceptors>
      <default-interceptor-ref name="appDefault" />

and include in the tutorial text both options. Thanks for the help.
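An added example, not part of the original message and not Struts code: a stand-alone Java check that runs constructed parameter names through the excludeParams value quoted above and through a substring test of the kind an action could put in ParameterNameAware.acceptableParameterName. It assumes a name is excluded when any pattern matches the whole name; the class name, method bodies and sample names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example: stand-alone check, not Struts code. Class and method names are hypothetical.
public class ExcludeParamsCheck {

    // The excludeParams value from the message above (backslashes doubled for a Java string).
    static final String EXCLUDE_PARAMS =
        "dojo\\..*,^struts\\..*,^session\\..*,^request\\..*,^application\\..*,"
        + "^servlet(Request|Response)\\..*,parameters\\...*";

    // Split the comma-separated value into compiled patterns.
    static List<Pattern> compile(String value) {
        List<Pattern> patterns = new ArrayList<>();
        for (String p : value.split(",")) {
            patterns.add(Pattern.compile(p.trim()));
        }
        return patterns;
    }

    // Option 1 (configuration). Assumption: a name is excluded when any
    // pattern matches the whole parameter name.
    static boolean excludedByConfig(List<Pattern> patterns, String name) {
        for (Pattern p : patterns) {
            if (p.matcher(name).matches()) return true;
        }
        return false;
    }

    // Option 2 (code). A substring test of the kind an action might use in
    // ParameterNameAware.acceptableParameterName (hypothetical body).
    static boolean acceptableParameterName(String name) {
        return !(name.contains("session") || name.contains("request"));
    }

    public static void main(String[] args) {
        List<Pattern> patterns = compile(EXCLUDE_PARAMS);
        // Constructed sample parameter names.
        String[] names = {"userName", "session.role", "request.locale",
                          "servletRequest.x", "sessionTimeout", "struts.token"};
        for (String n : names) {
            System.out.printf("%-18s config:%-8s action:%s%n", n,
                excludedByConfig(patterns, n) ? "excluded" : "allowed",
                acceptableParameterName(n) ? "allowed" : "rejected");
        }
    }
}
```

The two options do not block the same set of names: the substring test also rejects an ordinary field such as sessionTimeout, while the configured patterns only exclude names that begin with one of the listed prefixes followed by a dot.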