struts-user mailing list archives

From "Lee Clemens" <j...@leeclemens.net>
Subject deserializable ActionSupport
Date Wed, 28 Oct 2009 05:11:56 GMT
Hello,

I (my IDE) noticed a warning showing that my Struts 2 Actions (they extend
com.opensymphony.xwork2.ActionSupport) may be deserialized, compromising
security.

The IDE (IntelliJ 8.1) further states that the class may be deserializable
as it supports the Serializable interface (ActionSupport does) and its
readObject() method is not defined to immediately throw an error.

Please excuse my naivety or if this is off-topic, but is this safe?
Furthermore, how can I override the readObject() method as suggested and
throw an error without compromising functionality within Struts?

As an aside, if this warning can safely be addressed, why doesn't
ActionSupport override readObject() to avoid this?

Thanks,
Lee



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
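The guard the IDE is suggesting, shown as an added example that is not from the original message or from the Struts code base: a subclass inherits `Serializable` from its framework base class (here a constructed stand-in named `SerializableBase`, not `ActionSupport` itself) and defines the standard private `readObject`/`readObjectNoData` hooks so that any attempt to rebuild an instance from a byte stream fails with `InvalidObjectException`. The class name, field and `main` are illustration only. Struts 2 instantiates a fresh action per request through its object factory rather than reading one from a stream, so the guard does not interfere with normal request handling; it only matters if an `ObjectInputStream` somewhere is fed bytes describing an action.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;

/**
 * Constructed stand-in for a Serializable framework base class such as
 * ActionSupport. It is not the Struts class; it exists so the subclass
 * below inherits Serializable the same way a real action would.
 */
class SerializableBase implements Serializable {
    private static final long serialVersionUID = 1L;
    protected String message = "hello";
}

/**
 * Hypothetical application action. Because the base class is Serializable,
 * this class is too, whether or not it wants to be. The two private hooks
 * below are looked up reflectively by ObjectInputStream, so they must keep
 * exactly these names, signatures and the private modifier to take effect.
 */
class NonDeserializableAction extends SerializableBase {
    private static final long serialVersionUID = 1L;

    public String execute() {
        return "success";
    }

    // Called by ObjectInputStream when a stream contains this class's data.
    // Throwing here means no instance is ever produced from untrusted bytes.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        throw new InvalidObjectException(
            "Deserialization of " + getClass().getName() + " is not allowed");
    }

    // Called when the stream's class hierarchy lacks this class entirely
    // (for example, a stream written against an older version of the class).
    private void readObjectNoData() throws ObjectStreamException {
        throw new InvalidObjectException(
            "Deserialization of " + getClass().getName() + " is not allowed");
    }
}

public class DeserializationGuardDemo {
    public static void main(String[] args) throws Exception {
        // Writing still succeeds: default serialization of the base-class field.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new NonDeserializableAction());
        }

        // Reading the same bytes back is refused by the readObject hook.
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            Object o = in.readObject();
            System.out.println("unexpected: instance was rebuilt: " + o);
        } catch (InvalidObjectException expected) {
            System.out.println("rejected as intended: " + expected.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationGuardDemo.java && java DeserializationGuardDemo`; the second step prints the "rejected as intended" line. If an action should never even be written out, the complementary hook is a private `writeObject(ObjectOutputStream)` that throws `NotSerializableException`, but that is stricter than what the IDE warning asks for and is not shown here so the round trip can demonstrate the read-side refusal.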

