Hi,

Bump... Nobody using the ParameterNameAware interface? Any responses would be highly appreciated.

Thanks!

Gunnar

Gunnar Hillert wrote:
>
> Hi,
>
> I have a question regarding the ParametersInterceptor, specifically the
> ParameterNameAware interface. Since Struts 2 is typically injecting the
> form parameters into the action, I have some security concerns. It works
> really great but I fear that malicious users could somehow inject other
> parameters as well.
>
> Therefore, during my current project (Actually my first Struts 2 project),
> I made all actions implement the ParameterNameAware interface. Then in
> the acceptableParameterName method, I specified the permissible parameters
> for the action. This really works nicely but here is my question:
>
> Is it generally a best practice to ALWAYS implement that interface when
> processing forms? (Or am I just too paranoid?) What is the general
> consensus on this issue? (I could not find too much information on this…)
>
> Lastly, instead of using the interface, would it be a good idea to have a
> dedicated annotation for this?
>
> Thanks!
>
> Regards,
>
> Gunnar Hillert
>

--
View this message in context: http://www.nabble.com/-S2--Form-Processing---Security---ParameterNameAware-tf3944023.html#a11509072
Sent from the Struts - User mailing list archive at Nabble.com.
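
Added example, not part of the original message or of the Struts project's code: a sketch of the per-action allowlist the quoted message describes, using the `ParameterNameAware` interface and its `acceptableParameterName` method. The action class, its fields and the sample parameter names are hypothetical, and the Struts 2 (XWork) jar is assumed to be on the classpath.

```java
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical action: the class and field names are invented for this example.
public class UpdateProfileAction extends ActionSupport implements ParameterNameAware {

    // Exact request parameter names the profile form is expected to submit.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("displayName", "email")));

    private String displayName;
    private String email;
    // Set by server-side code only; the public setter would otherwise be
    // reachable from any request that carries an "admin" parameter.
    private boolean admin;

    // ParametersInterceptor asks the action about each incoming name before
    // setting it. The name is the raw expression from the request, so exact
    // matching also rejects nested or indexed names such as "user.role".
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null && ALLOWED.contains(parameterName);
    }

    @Override
    public String execute() {
        return SUCCESS;
    }

    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public void setEmail(String email) { this.email = email; }
    public void setAdmin(boolean admin) { this.admin = admin; }
    public String getDisplayName() { return displayName; }
    public String getEmail() { return email; }
    public boolean isAdmin() { return admin; }

    // Constructed sample names, checked outside the framework for illustration.
    public static void main(String[] args) {
        UpdateProfileAction action = new UpdateProfileAction();
        for (String name : new String[] {"email", "displayName", "admin", "user.role", "email[0]"}) {
            System.out.println(name + " -> " + action.acceptableParameterName(name));
        }
    }
}
```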