2014-01-29 Manuel López Blasi <lopezbl...@conicet.gov.ar>:
> Thanks again Lukasz,
>
> for question 1) Security issues: can you recommend some
> modifications/actions/alterations in maybe certain parts of the code,
> any advice on weak points we can focus on regarding security issues?

You must implement a custom authentication mechanism built into your app - like a SecurityInterceptor or a Basic action which will check if the user is logged in. Do not depend only on the container authentication mechanism.

> for question 2) Prepare interceptor: So there's no way of removing the
> "prepare" prefix? Maybe another implementation of that Interceptor?

It is; it depends on your needs, you can change the default stack configuration - read about stacks in Struts. And when do you see that the prepareXXX method is called? In logs? In debug mode? Why do you think it is a problem? I think you missed out how the Prepare interceptor is working and what its duty is. Read about it in the docs.

> At this point my intention is to make a compromise between security and
> usability. Right now we are exposed cause we're using an old version of
> the framework but on the other hand the refactor required to comply with
> the last version is just too much.
> I'm aiming at using the last version 2.3.16 with action.prefix enabled and
> trying to add security elements in our code in the hope of preventing attacks.
>
> I know certain data can't be shared through this mailing list as it would
> expose vulnerabilities, maybe we can talk through another channel, personal
> email maybe? It would really help us if you could tell me some guidelines.

Still, I cannot share more than is exposed via source code and commits' history in the repository - that's the law :-)

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
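As an added illustration of the "SecurityInterceptor" advice in the reply above (example code written for this note, not code from the thread or from the Struts project), here is a minimal Struts 2 interceptor that refuses to run an action unless the HTTP session carries a logged-in user, so the check does not rely on the servlet container's authentication at all. The session key `user`, the `Unsecured` marker interface used to let the login action itself pass, and the package name are assumptions; `AbstractInterceptor`, `ActionInvocation` and `Action.LOGIN` are the real XWork/Struts 2 types.

```java
// Added example, not from the mailing-list thread: a Struts 2 interceptor
// that enforces application-level login independently of container auth.
package example.security; // hypothetical package name

import java.util.Map;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class LoginCheckInterceptor extends AbstractInterceptor {

    // Assumed convention: the login action stores the authenticated user
    // object under this session key after a successful credential check.
    public static final String SESSION_USER_KEY = "user";

    // Hypothetical marker interface: actions implementing it (login, logout,
    // public pages) are allowed through without a session user.
    public interface Unsecured {}

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // Explicitly public actions bypass the check.
        if (invocation.getAction() instanceof Unsecured) {
            return invocation.invoke();
        }

        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = (session == null) ? null : session.get(SESSION_USER_KEY);

        if (user == null) {
            // Deny by default: the action body never runs; the global
            // "login" result (Action.LOGIN) sends the client to the login page.
            return Action.LOGIN;
        }

        // Authenticated: continue down the interceptor stack to the action.
        return invocation.invoke();
    }
}
```

To wire it in, declare the class as an interceptor in struts.xml, put it at the front of a custom stack that then references defaultStack, make that stack the package's default, and define a global result named "login" pointing at the login page. Because the marker interface is the only bypass, every new action is protected unless a developer deliberately opts it out, which is the fail-closed behaviour the reply is recommending.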