Agreed - the best practice is to be very careful what you expose via getters/setters on your Action. Of course, if you still don't trust the interceptor, just use a custom stack that doesn't include it.

Don

On 7/10/07, Ing. Andrea Vettori <[EMAIL PROTECTED]> wrote:
Hi, I think you can only have problems with parameter names that have public getters/setters in your action class.

On 09/Jul/07, at 22:09, Gunnar Hillert wrote:

> Hi,
>
> Bump... Nobody using the ParameterNameAware interface?
> Any responses would be highly appreciated.
>
> Thanks!
>
> Gunnar
>
> Gunnar Hillert wrote:
>>
>> Hi,
>>
>> I have a question regarding the ParametersInterceptor, specifically the
>> ParameterNameAware interface. Since Struts 2 is typically injecting the
>> form parameters into the action, I have some security concerns. It works
>> really great but I fear that malicious users could somehow inject other
>> parameters as well.
>>
>> Therefore, during my current project (actually my first Struts 2 project),
>> I made all actions implement the ParameterNameAware interface. Then in
>> the acceptableParameterName method, I specified the permissible parameters
>> for the action. This really works nicely but here is my question:
>>
>> Is it generally a best practice to ALWAYS implement that interface when
>> processing forms? (Or am I just too paranoid?) What is the general
>> consensus on this issue? (I could not find too much information on this...)
>>
>> Lastly, instead of using the interface, would it be a good idea to have a
>> dedicated annotation for this?
>>
>> Thanks!
>>
>> Regards,
>>
>> Gunnar Hillert
>>
>
> --
> View this message in context: http://www.nabble.com/-S2--Form-Processing---Security---ParameterNameAware-tf3944023.html#a11509072
> Sent from the Struts - User mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
Ing. Andrea Vettori
Information Technology Consultant
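The pattern Gunnar describes, written out as an added example (this is not code from any of the posts above and not part of Struts itself). It assumes Struts 2 / XWork 2 on the classpath for ActionSupport and ParameterNameAware; the action name, its fields and the constructed request parameters are illustrative. The action exposes a public setter it does not want request-settable, which is exactly the case Andrea and Don point at, and the whitelist in acceptableParameterName is what keeps a hand-added request parameter away from it.

```java
// Added example for the thread above; not code from the list posts and not
// part of Struts itself. Assumes Struts 2 / XWork 2 on the classpath for
// ActionSupport and ParameterNameAware; the action, its fields and the sample
// request parameters are illustrative.
package example;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

public class ChangeEmailAction extends ActionSupport implements ParameterNameAware {

    // The whitelist: only these request parameters may reach a setter.
    private static final Set<String> ACCEPTED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("email", "confirmEmail")));

    private String email;
    private String confirmEmail;
    // Has a public setter because another part of the application uses it.
    // Without the whitelist, a request parameter named "admin" would reach
    // setAdmin() just like any form field would.
    private boolean admin;

    // ParametersInterceptor calls this once per request parameter, with the
    // full parameter name, before handing the value to OGNL. Returning false
    // discards that parameter; its setter is never invoked.
    public boolean acceptableParameterName(String parameterName) {
        return ACCEPTED.contains(parameterName);
    }

    public String execute() {
        if (email == null || !email.equals(confirmEmail)) {
            addFieldError("confirmEmail", "E-mail addresses do not match");
            return INPUT;
        }
        return SUCCESS;
    }

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getConfirmEmail() { return confirmEmail; }
    public void setConfirmEmail(String confirmEmail) { this.confirmEmail = confirmEmail; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }

    // Models only the ParameterNameAware step of ParametersInterceptor so the
    // whitelist can be exercised without a servlet container. The real
    // interceptor additionally applies its own acceptable-name pattern and then
    // sets the surviving parameters on the action through OGNL.
    static Map<String, String[]> filterParameters(ParameterNameAware action,
                                                  Map<String, String[]> requestParams) {
        Map<String, String[]> accepted = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> e : requestParams.entrySet()) {
            if (action.acceptableParameterName(e.getKey())) {
                accepted.put(e.getKey(), e.getValue());
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed request: the two real form fields plus a parameter a user
        // added by hand to reach the unrelated public setter.
        Map<String, String[]> request = new LinkedHashMap<String, String[]>();
        request.put("email", new String[] {"alice@example.org"});
        request.put("confirmEmail", new String[] {"alice@example.org"});
        request.put("admin", new String[] {"true"});

        Map<String, String[]> survivors = filterParameters(new ChangeEmailAction(), request);
        System.out.println("parameters that reach the action: " + survivors.keySet());
        System.out.println("\"admin\" dropped: " + !survivors.containsKey("admin"));
    }
}
```

Two things to keep in mind when using this: the interceptor passes the whole parameter name, so nested or indexed form fields have to be whitelisted as their full expression (for example "address.city", not just "address"), and the whitelist has to be updated every time the form changes, which is the maintenance cost Gunnar is weighing against the protection. Don's alternative, a custom interceptor stack without the params interceptor, removes the automatic binding entirely and leaves the action to read request values itself.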