Hi, I have a question regarding the ParametersInterceptor, specifically the ParameterNameAware interface. Since Struts 2 is typically injecting the form parameters into the action, I have some security concerns. It works really great but I fear that malicious users could somehow inject other parameters as well. Therefore, during my current project (Actually my first Struts 2 project), I made all actions implement the ParameterNameAware interface. Then in the acceptableParameterName method, I specified the permissible parameters for the action. This really works nicely but here is my question:
Is it generally a best practice to ALWAYS implement that interface when processing forms? (Or am I just too paranoid?) What is the general consensus on this issue? (I could not find too much information on this…) Lastly, instead of using the interface, would it be a good idea to have a dedicated annotation for this? Thanks! Regards, Gunnar Hillert -- View this message in context: http://www.nabble.com/-S2--Form-Processing---Security---ParameterNameAware-tf3944023.html#a11187846 Sent from the Struts - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
