struts-dev mailing list archives

From Steven Benitez <steven.beni...@gmail.com>
Subject Re: Security judges
Date Wed, 09 Oct 2013 20:21:51 GMT
Can you clarify how this would affect custom action mappers?


On Wed, Oct 9, 2013 at 4:05 PM, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> Hi,
>
> Another idea is to add some logic to handle security aspects of the
> framework in one place - it would be some kind of stack of interfaces
> which will try to clean up the incoming request.
>
> For example:
>
> - ActionNameJudge#accept() will handle whether the action name matches the
> expected pattern, the same as what is already defined with a constant in
> DefaultActionMapper
> - ParameterNameJudge#accept() will handle whether a given parameter name is
> acceptable - the same as what ParametersInterceptor does right now
> - etc
>
> The idea is simple - have all the security-related logic in one place
> and have it applied to the whole framework, not to some parts, i.e.
> someone will implement their own ActionMapper and won't escape/clear
> action names as it is done in DefaultActionMapper, and so on.
>
> These handlers will be configured in struts-default.xml and the user can
> re-define them, add additional judges, etc.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
>
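
A sketch of the judge stack proposed in the quoted message, added here as an illustration and not code from the thread or from Struts. The `Judge` interface, `customMapper`, `resolveAction`, `filterParameters` and both patterns are hypothetical names and constructed values; the point shown is that the checks run in the framework, after whatever mapper produced the name.

```java
import java.util.*;
import java.util.regex.Pattern;
// Hypothetical sketch of the proposed "judge" stack; none of these types exist in Struts.
public class JudgeStackSketch {
    /** One check in the stack; accept() returns false to reject the value. */
    interface Judge { boolean accept(String value); }

    /** Allowlist judge: the whole value must match the pattern. */
    static Judge matching(String regex) {
        Pattern p = Pattern.compile(regex);
        return v -> v != null && p.matcher(v).matches();
    }

    // Constructed patterns for illustration, not the framework's real defaults.
    static final List<Judge> ACTION_NAME_JUDGES = List.of(matching("[a-zA-Z0-9._/-]+"));
    static final List<Judge> PARAMETER_NAME_JUDGES = List.of(matching("\\w+((\\.\\w+)|(\\[\\d+\\]))*"));

    /** Every judge in the stack must accept; an empty stack accepts nothing (fail closed). */
    static boolean acceptedByAll(List<Judge> stack, String value) {
        return !stack.isEmpty() && stack.stream().allMatch(j -> j.accept(value));
    }

    /** Stand-in for a user-written ActionMapper that does no cleaning of its own. */
    static String customMapper(String uri) {
        return uri.substring(uri.lastIndexOf('/') + 1).replaceAll("\\.action$", "");
    }

    /** Framework-side gate: runs after any mapper, so custom mappers are covered too. */
    static Optional<String> resolveAction(String uri) {
        String name = customMapper(uri);
        return acceptedByAll(ACTION_NAME_JUDGES, name) ? Optional.of(name) : Optional.empty();
    }

    /** Drops parameters whose names the stack rejects before they reach the action. */
    static Map<String, String> filterParameters(Map<String, String> params) {
        Map<String, String> kept = new LinkedHashMap<>();
        params.forEach((k, v) -> { if (acceptedByAll(PARAMETER_NAME_JUDGES, k)) kept.put(k, v); });
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample input: one well-formed request, one with an out-of-pattern name.
        System.out.println(resolveAction("/shop/viewCart.action"));
        System.out.println(resolveAction("/shop/view${x}.action"));
        Map<String, String> in = new LinkedHashMap<>();
        in.put("user.name", "bob"); in.put("items[0]", "book"); in.put("a['b'](c)", "x");
        System.out.println(filterParameters(in).keySet());
    }
}
```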
