struts-dev mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Security judges
Date Tue, 26 Nov 2013 07:16:55 GMT
For now I will roll back my changes regarding this; maybe I will
come back to the idea in 2.3.17


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2013/10/18 Lukasz Lenart <lukaszlenart@apache.org>:
> 2013/10/17 Paul Benedict <pbenedict@apache.org>:
>> Throw an exception instead. If Struts has a default exception handler,
>> translate the exception into a 403; but the goal is to give the user a
>> chance to customize the response.
>
> That's the problem... exception handling is provided by an
> interceptor, deep in the execution chain, and checking security at that
> level can be too late :\
>
> Right now I have added SecurityGate directly into Dispatcher and it
> will block the whole request if something suspicious is
> discovered - and added two SecurityGuards, but they don't perform the
> real check now. They're there just to show the idea. Please review if
> it makes sense.
>
> https://issues.apache.org/jira/browse/WW-4227
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
