From: Christoph Nenning
To: "Struts Developers List"
Subject: Re: Secure parameters
Date: Thu, 8 Oct 2015 15:30:28 +0200

> From: Lukasz Lenart
> To: Struts Developers List
> Date: 06.10.2015 08:28
> Subject: Secure parameters
>
> Hi,
>
> I have started on introducing typed parameters instead of a Map of
> objects as we have right now [1]. Basically I am trying to introduce a
> dedicated class which will represent HTTP parameters [2]. This isn't
> finished yet as I need to figure out how to handle pushing objects
> onto parameters (ie. FileuploadInterceptor is pushing files [3]) - the
> problem is that HTTP params are arrays of strings but we have used it
> internally to "transport" other objects.
>
> Any insights welcome :)
>
> [1] https://github.com/apache/struts/pull/53
> [2] https://github.com/apache/struts/pull/53/files#diff-12
> [3] https://github.com/apache/struts/pull/53/files#diff-18

Basically I love the idea to have some more meta data about each parameter.
I would expect new 'Parameter' interface would provide a method like
'isExternal()' or 'isUserProvided()' but maybe this is yet to come ;)

> as I need to figure out how to handle pushing objects
> onto parameters

One way could be to add methods like these to 'Parameter':

    Object getValueNonString()
    Object[] getValuesNonString()
    boolean hasValueNonString()

Most places dealing with parameters just need Strings. They can use methods
'getValue()' and 'getMultipleValue()' and don't need to cast. Those few
places that need other types than Strings can use 'NonString' methods and
have to cast on their own.

Regards,
Christoph
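A sketch of the 'Parameter' shape suggested in the message above, as an added example that is not code from the thread or from Struts. The method names are the ones proposed in the message; the SimpleParameter class, its two factory methods and the sample values are hypothetical.

```java
import java.io.File;
import java.util.Arrays;

// Hypothetical sketch, not the Struts API. Method names follow the message above.
public class ParameterSketch {
    interface Parameter {
        String getValue();            // first String value, or null
        String[] getMultipleValue();  // all String values, never null
        boolean hasValueNonString();
        Object getValueNonString();   // first non-String value, or null
        Object[] getValuesNonString();
        boolean isUserProvided();     // true only for values parsed from the request
    }

    static final class SimpleParameter implements Parameter {
        private final Object[] values;
        private final boolean userProvided;
        private SimpleParameter(Object[] values, boolean userProvided) {
            this.values = values.clone();
            this.userProvided = userProvided;
        }
        // Request parsing can only ever produce Strings.
        static Parameter fromRequest(String... values) { return new SimpleParameter(values, true); }
        // Framework code (e.g. a file upload interceptor) may attach any object.
        static Parameter internal(Object... values) { return new SimpleParameter(values, false); }

        public String[] getMultipleValue() {
            return Arrays.stream(values).filter(String.class::isInstance)
                         .map(String.class::cast).toArray(String[]::new);
        }
        public String getValue() { String[] v = getMultipleValue(); return v.length > 0 ? v[0] : null; }
        public Object[] getValuesNonString() {
            return Arrays.stream(values).filter(o -> o != null && !(o instanceof String)).toArray();
        }
        public Object getValueNonString() { Object[] v = getValuesNonString(); return v.length > 0 ? v[0] : null; }
        public boolean hasValueNonString() { return getValuesNonString().length > 0; }
        public boolean isUserProvided() { return userProvided; }
    }

    public static void main(String[] args) {
        Parameter id = SimpleParameter.fromRequest("42");                                // constructed sample
        Parameter upload = SimpleParameter.internal(new File("constructed-upload.tmp")); // constructed sample
        // String-only consumers never cast and never see the pushed object.
        System.out.println(id.getValue() + " userProvided=" + id.isUserProvided());
        System.out.println(upload.getValue() + " userProvided=" + upload.isUserProvided());
        // The few consumers that need other types cast on their own.
        if (upload.hasValueNonString()) {
            File f = (File) upload.getValueNonString();
            System.out.println(f.getName());
        }
    }
}
```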