struts-dev mailing list archives

From aleksandr-m <...@git.apache.org>
Subject [GitHub] struts issue #133: WW-4105 Considers config time class in actions chain
Date Sun, 23 Apr 2017 11:29:44 GMT
Github user aleksandr-m commented on the issue:

    https://github.com/apache/struts/pull/133

    > Not every.

    Remember that issue that you've submitted to the security list? All actions are affected. With this proposal the `bean` attribute must be added to every action configuration in the application.

    > No, I think about S2 borders. I'm trying to discuss whether S2 should or should not know the config-time class of the action and then not operate outside of that border.

    Mostly it is the job of the application developer to protect sensitive data (e.g. not writing a setter for the `secretToken` property :), excluding some parameters, etc.). The real problem is that for proxied stuff it is somehow obscure.

    > As I mentioned, when a user uses the class attribute as a bean name, S2 cannot know the action configuration class in any clean way.

    Even if it is not a Spring bean name, it can still be affected.
    They are good enough to handle most of the cases and they can be combined to achieve better results.
    



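The comment above turns on the difference between the action class Struts sees in its configuration and the class actually instantiated at runtime (a proxy, or a Spring bean named by the `class` attribute), since parameter binding follows public setters on whatever object it is handed. The following is an added example, not code from the PR, from Struts or from the commenter: it uses plain reflection as a stand-in for the framework's OGNL-based binding to enumerate the setter chains reachable from a class, then compares the config-time action class with a subclass standing in for a runtime proxy. All class and property names (`LoginAction`, `LoginActionProxy`, `Settings`, `secretToken`, `settings.adminMode`) are hypothetical, and the nested-getter walk is a simplification of real binder behaviour.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.HashSet;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;

/*
 * Added example (not Struts code). Enumerates the dotted property paths with a
 * public one-argument setter that a JavaBean-style parameter binder could reach
 * from a given class, following getters into nested beans, so the surface of
 * the config-time action class can be compared with the surface of the class
 * actually instantiated at runtime. All class names below are hypothetical.
 */
public class SetterSurface {

    /** Hypothetical action: 'username' has a setter, 'secretToken' does not. */
    public static class LoginAction {
        private String username;
        private String secretToken = "internal-only";
        private Settings settings = new Settings();

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getSecretToken() { return secretToken; }   // no setter
        public Settings getSettings() { return settings; }       // nested bean
    }

    /** Nested bean: its setter is reachable as "settings.adminMode". */
    public static class Settings {
        private boolean adminMode;
        public boolean isAdminMode() { return adminMode; }
        public void setAdminMode(boolean adminMode) { this.adminMode = adminMode; }
    }

    /** Stand-in for a runtime proxy: adds a setter the config-time class lacks. */
    public static class LoginActionProxy extends LoginAction {
        public void setSecretToken(String token) { /* proxy-only setter */ }
    }

    /** Sorted dotted property paths that end in a public one-argument setter. */
    public static SortedSet<String> reachableSetters(Class<?> type, int maxDepth) {
        SortedSet<String> out = new TreeSet<>();
        walk(type, "", 0, maxDepth, out, new HashSet<>());
        return out;
    }

    private static void walk(Class<?> type, String prefix, int depth, int maxDepth,
                             Set<String> out, Set<Class<?>> onPath) {
        if (depth > maxDepth || !onPath.add(type)) {
            return;                                   // depth limit or cycle
        }
        for (Method m : type.getMethods()) {          // public, incl. inherited
            if (Modifier.isStatic(m.getModifiers())) continue;
            String name = m.getName();
            if (name.startsWith("set") && name.length() > 3 && m.getParameterCount() == 1) {
                out.add(prefix + decapitalize(name.substring(3)));
            } else if (name.startsWith("get") && name.length() > 3
                       && m.getParameterCount() == 0 && !name.equals("getClass")
                       && !isLeaf(m.getReturnType())) {
                walk(m.getReturnType(), prefix + decapitalize(name.substring(3)) + ".",
                     depth + 1, maxDepth, out, onPath);
            }
        }
        onPath.remove(type);
    }

    /** Types the walk does not descend into (primitives, arrays, JDK types). */
    private static boolean isLeaf(Class<?> c) {
        return c.isPrimitive() || c.isArray() || c.isEnum()
            || c.getName().startsWith("java.");
    }

    private static String decapitalize(String s) {
        return Character.toLowerCase(s.charAt(0)) + s.substring(1);
    }

    public static void main(String[] args) {
        SortedSet<String> configTime = reachableSetters(LoginAction.class, 3);
        SortedSet<String> runtime = reachableSetters(LoginActionProxy.class, 3);
        SortedSet<String> extra = new TreeSet<>(runtime);
        extra.removeAll(configTime);
        System.out.println("config-time class: " + configTime);
        System.out.println("runtime class:     " + runtime);
        System.out.println("outside the config-time border: " + extra);
    }
}
```

Run with `javac SetterSurface.java && java SetterSurface`. The config-time class exposes `settings.adminMode` and `username` (the nested bean's setter is reachable even though the action itself has no `setSettings`), while the proxy stand-in additionally exposes `secretToken`, which is exactly the kind of property that sits outside the border discussed above; in a real deployment the comparison would be made against the object the container actually hands the framework, not a hand-written subclass.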