struts-dev mailing list archives

From Paul Benedict <pbened...@apache.org>
Subject Re: Security judges
Date Thu, 10 Oct 2013 03:45:53 GMT
I like the idea except the Judge name. I think Authenticator is fine.


On Wed, Oct 9, 2013 at 3:21 PM, Steven Benitez <steven.benitez@gmail.com> wrote:

> Can you clarify how this would affect custom action mappers?
>
>
> On Wed, Oct 9, 2013 at 4:05 PM, Lukasz Lenart <lukaszlenart@apache.org> wrote:
>
> > Hi,
> >
> > Another idea is to add some logic to handle security aspects of the
> > framework in one place - it would be some kind of stack of interfaces
> > which will try to clean up incoming requests.
> >
> > For example:
> >
> > - ActionNameJudge#accept() will handle whether the action name matches
> > the expected pattern, the same as what is already defined with a
> > constant in DefaultActionMapper
> > - ParameterNameJudge#accept() will handle whether a given parameter name
> > is acceptable - the same as what ParametersInterceptor does right now
> > - etc.
> >
> > The idea is simple - have all the security-related logic in one place
> > and have it applied to the whole framework, not to some parts, i.e.
> > someone will implement their own ActionMapper and won't escape/clear
> > action names as it is done in DefaultActionMapper, and so on.
> >
> > These handlers will be configured in struts-default.xml and the user
> > can redefine them, add additional judges, etc.
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/



-- 
Cheers,
Paul
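
An added illustration of the proposal quoted in this thread (not part of any message and not Struts code): one stack of judges applied to whatever name an action mapper produces, including a custom mapper that does no cleaning of its own. The `Judge` interface, the `customMapper` helper, the patterns and the sample requests are all hypothetical and constructed for the example.

```java
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical sketch of the thread's idea; none of these types are Struts APIs.
public class JudgeStackExample {

    /** One security check over one kind of request input. */
    interface Judge {
        boolean accept(String value);
    }

    /** Judge that accepts only values fully matching an allow-list pattern. */
    static Judge matching(String regex) {
        Pattern p = Pattern.compile(regex);
        return v -> v != null && p.matcher(v).matches();
    }

    /** Every judge in the stack must accept the value. */
    static boolean acceptAll(List<Judge> stack, String value) {
        return stack.stream().allMatch(j -> j.accept(value));
    }

    /** Stand-in for a custom mapper that forgets to clean the action name. */
    static String customMapper(String uri) {
        String last = uri.substring(uri.lastIndexOf('/') + 1);
        return last.endsWith(".action") ? last.substring(0, last.length() - 7) : last;
    }

    // Constructed patterns, not the framework's defaults.
    static final List<Judge> ACTION_NAME = List.of(matching("[a-zA-Z0-9._-]{1,64}"));
    static final List<Judge> PARAM_NAME =
        List.of(matching("\\w+(\\.\\w+|\\[\\d+\\])*"), v -> v.length() <= 128);

    public static void main(String[] args) {
        // Constructed sample requests.
        for (String uri : List.of("/shop/listItems.action", "/shop/list Items(1).action")) {
            String name = customMapper(uri);
            System.out.println("action '" + name + "' accepted=" + acceptAll(ACTION_NAME, name));
        }
        for (String param : List.of("user.name", "items[0].id", "user name", "name(1)")) {
            System.out.println("param '" + param + "' accepted=" + acceptAll(PARAM_NAME, param));
        }
    }
}
```

Because the check runs on the mapper's output rather than inside the mapper, the second sample URI is rejected even though `customMapper` passed it through unchanged.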
