struts-user mailing list archives
From "Ing. Andrea Vettori" <m...@andreavettori.com>
Subject Re: [S2] Form Processing - Security - ParameterNameAware
Date Mon, 09 Jul 2007 20:13:40 GMT
Hi,

I think you can only have problems with parameter names that have a
public getter/setter in your action class.

On 09/Jul/07, at 22:09, Gunnar Hillert wrote:

>
> Hi,
>
> Bump...Nobody using the ParameterNameAware interface?
> Any responses would be highly appreciated.
>
> Thanks!
>
> Gunnar
>
>
> Gunnar Hillert wrote:
>>
>> Hi,
>>
>> I have a question regarding the ParametersInterceptor, specifically the
>> ParameterNameAware interface. Since Struts 2 is typically injecting the
>> form parameters into the action, I have some security concerns. It works
>> really great but I fear that malicious users could somehow inject other
>> parameters as well.
>>
>> Therefore, during my current project (Actually my first Struts 2 project),
>> I made all actions implement the ParameterNameAware interface. Then in
>> the acceptableParameterName method, I specified the permissible parameters
>> for the action. This really works nicely but here is my question:
>>
>> Is it generally a best practice to ALWAYS implement that interface when
>> processing forms? (Or am I just too paranoid?) What is the general
>> consensus on this issue? (I could not find too much information on this…)
>>
>> Lastly, instead of using the interface, would it be a good idea to have a
>> dedicated annotation for this?
>>
>> Thanks!
>>
>> Regards,
>>
>> Gunnar Hillert
>>
>>
>
> --
> View this message in context: http://www.nabble.com/-S2--Form-Processing---Security---ParameterNameAware-tf3944023.html#a11509072
> Sent from the Struts - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>

--
Ing. Andrea Vettori
Consulente per l'Information Technology
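The whitelist approach discussed in the thread, as an added example that is not code from either poster or from the Struts project. The action class, the parameter names `displayName` and `email`, and the internal `administrator` field are assumptions for illustration; `ParameterNameAware` and `acceptableParameterName` are the real XWork interface and method that ParametersInterceptor consults.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Hypothetical Struts 2 action (example only) that lets ParametersInterceptor
 * populate just the parameter names it expects. Every other request parameter
 * is dropped before any setter on this action is called.
 */
public class UpdateProfileAction extends ActionSupport implements ParameterNameAware {

    // Names the profile form is expected to submit (assumed for this example).
    private static final Set<String> ACCEPTED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("displayName", "email")));

    private String displayName;
    private String email;

    // Has a public setter because other server-side code uses it, but it is
    // deliberately NOT in ACCEPTED: a request parameter of that name is refused
    // by acceptableParameterName instead of reaching setAdministrator().
    private boolean administrator;

    /** Invoked by ParametersInterceptor once per request parameter name. */
    public boolean acceptableParameterName(String parameterName) {
        // Exact match only: nested or indexed forms such as "email.bytes"
        // or "displayName[0]" are not in the set and are therefore rejected.
        return parameterName != null && ACCEPTED.contains(parameterName);
    }

    public String execute() {
        // Persist displayName/email for the authenticated user (omitted here).
        return SUCCESS;
    }

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public boolean isAdministrator() { return administrator; }
    public void setAdministrator(boolean administrator) { this.administrator = administrator; }
}
```

As Andrea notes, only names that resolve to a public setter on the action can be populated at all, so the whitelist matters most for setters that exist for internal use and should never be driven by a request.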