struts-dev mailing list archives

From Ted Husted <hus...@apache.org>
Subject Re: Security issues with Struts
Date Tue, 02 Jul 2002 09:24:44 GMT
Marcel Kruzel wrote:
> Thanx for so many replies!
> 
> Precisely! The transactionToken does help if you
> want to detect THE SAME submit multiple times. But this is not
> our issue here. If the second submit contains different values,
> the session-scoped form bean will get populated
> before I am able to detect that there is a second
> submit! The handling (perform()) of the first
> submit will continue with wrong parameters!
> 

For the type of design that you are using, I would recommend placing
your own bean in the session scope, and then using the Actions to
populate it from the incoming ActionForms. This gives you a chance to
vet the input before it is placed onto the bean you will be using to update
the business model.

If this is part of a workflow, you can use the bean you have placed in
the session scope to update any outgoing ActionForms with the current
values. This would allow you to use request-scope ActionForms without
bothering with any hidden fields and so forth.

-- Ted Husted, Husted dot Com, Fairport NY US
-- Java Web Development with Struts
-- Tel: +1 585 737-3463
-- Web: http://husted.com/about/services
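The two-direction design Ted describes, as an added Java example that is not code from the thread or from Struts itself (OrderForm, OrderBean, EditOrderAction, UpdateOrderAction, the "order" session key and the forward names are assumed; the Struts 1.0-style perform() signature is used because the thread refers to perform()). The outgoing Action refills a request-scoped form from the session bean and issues a token; the incoming Action checks the token and vets the values before anything in the session is touched, so a second, differing submit can no longer overwrite the parameters the first one is working with.

```java
// Added example; hypothetical names. Struts 1.0-style Action.perform() signature.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.apache.struts.action.*;
// Request-scoped ActionForm: map it in struts-config.xml with scope="request".
class OrderForm extends ActionForm {
    private int quantity; private String shipTo;
    public int getQuantity() { return quantity; }  public void setQuantity(int q) { quantity = q; }
    public String getShipTo() { return shipTo; }   public void setShipTo(String s) { shipTo = s; }
}
// The application's own session bean: only Actions write to it, never the request populator.
class OrderBean {
    private int quantity; private String shipTo;
    public synchronized int getQuantity() { return quantity; }
    public synchronized String getShipTo() { return shipTo; }
    public synchronized void update(int q, String s) { quantity = q; shipTo = s; }
}
// Outgoing: refill the fresh request-scoped form from the session bean and issue a token.
class EditOrderAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        OrderBean order = (OrderBean) request.getSession().getAttribute("order");
        OrderForm out = (OrderForm) form;
        if (order != null) { out.setQuantity(order.getQuantity()); out.setShipTo(order.getShipTo()); }
        saveToken(request);  // travels back as a hidden field; no other hidden fields needed
        return mapping.findForward("form");
    }
}
// Incoming: a repeated token or bad input is rejected before the session bean is touched.
class UpdateOrderAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        if (!isTokenValid(request)) return mapping.findForward("duplicate");  // second submit stops here
        resetToken(request);
        OrderForm in = (OrderForm) form;  // holds only this request's values, shared with nobody
        if (in.getQuantity() <= 0 || in.getShipTo() == null || in.getShipTo().trim().length() == 0) {
            ActionErrors errors = new ActionErrors();
            errors.add(ActionErrors.GLOBAL_ERROR, new ActionError("error.order.invalid"));
            saveErrors(request, errors);
            return mapping.findForward("form");
        }
        OrderBean order = (OrderBean) request.getSession().getAttribute("order");
        if (order == null) { order = new OrderBean(); request.getSession().setAttribute("order", order); }
        order.update(in.getQuantity(), in.getShipTo());  // only vetted values reach the business model
        return mapping.findForward("success");
    }
}
```

Because the ActionForm is request-scoped, the servlet's automatic population of a concurrent second request writes into a different form instance, and the session bean changes only through the synchronized update() after the token and input checks have passed.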
