struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Security judges
Date Fri, 18 Oct 2013 06:53:15 GMT
2013/10/17 Paul Benedict <pbenedict@apache.org>:
> Throw an exception instead. If Struts has a default exception handler,
> translate the exception into a 403; but the goal is to give the user a
> chance to customize the response.

That's the problem ... exception handling is provided by an
interceptor, deep in the execution chain, and checking security at that
level can be too late :\

Right now I have added SecurityGate directly into Dispatcher and it
will block the whole request if something suspicious is
discovered - and added two SecurityGuards, but they don't perform the
real check now. They're there just to show the idea. Please review if
it makes sense.

https://issues.apache.org/jira/browse/WW-4227


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
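
A sketch of the ordering described in this message, added here as an example; it is not the code attached to WW-4227 and not Struts' API. The `SecurityGate`/`SecurityGuard` shapes, both guard policies and the `dispatch` stand-in are assumptions, and the 403 follows the suggestion quoted above.

```java
import java.util.*;
import java.util.regex.Pattern;

public class GateBeforeChainDemo {
    /** Hypothetical guard contract: a reason to block, or empty to allow. */
    interface SecurityGuard { Optional<String> inspect(Map<String, String> params); }

    /** Hypothetical gate: consults every guard, the first objection wins. */
    static final class SecurityGate {
        private final List<SecurityGuard> guards;
        SecurityGate(List<SecurityGuard> guards) { this.guards = guards; }
        Optional<String> check(Map<String, String> params) {
            for (SecurityGuard g : guards) {
                Optional<String> reason = g.inspect(params);
                if (reason.isPresent()) return reason;
            }
            return Optional.empty();
        }
    }

    // Assumed sample policy: parameter names must match a conservative allowlist.
    static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.]{1,64}");
    static final SecurityGuard NAME_GUARD = params -> params.keySet().stream()
            .filter(n -> !SAFE_NAME.matcher(n).matches())
            .findFirst().map(n -> "rejected parameter name: " + n);
    // Assumed sample policy: cap on the number of parameters per request.
    static final SecurityGuard COUNT_GUARD = params ->
            params.size() > 100 ? Optional.of("too many parameters") : Optional.empty();

    /** Stand-in for the dispatcher: gate first, interceptor chain only if it passes. */
    static int dispatch(SecurityGate gate, Map<String, String> params, List<String> trace) {
        Optional<String> blocked = gate.check(params);
        if (blocked.isPresent()) {
            trace.add("gate: " + blocked.get());
            return 403; // blocked before any interceptor or action has run
        }
        trace.add("interceptor chain (includes exception handling)");
        trace.add("action executed");
        return 200;
    }

    public static void main(String[] args) {
        SecurityGate gate = new SecurityGate(List.of(NAME_GUARD, COUNT_GUARD));
        // Constructed sample requests: one clean, one with a disallowed name.
        for (Map<String, String> req : List.of(
                Map.of("user.name", "alice"), Map.of("bad name!", "x"))) {
            List<String> trace = new ArrayList<>();
            System.out.println(dispatch(gate, req, trace) + " " + trace);
        }
    }
}
```

The blocked request's trace holds only the gate entry, which is the point of placing the check ahead of the chain instead of relying on an exception raised inside it.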
