struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Regarding latest struts 2.3.x changes and issues with DMI and Wildcards
Date Thu, 30 Jan 2014 05:57:34 GMT
2014-01-29 Manuel López Blasi <lopezblasi@conicet.gov.ar>:
> Thanks again Lukasz,
>
> for question 1) Security issues: can you recommend some
> modifications/actions/alterations in maybe certain
> parts of the code, any advice on weak points we can focus on regarding
> security issues?

You must implement a custom authentication mechanism built into your app -
like a SecurityInterceptor or a base action which will check if the user is
logged in. Do not depend only on the container authentication mechanism.

> for question 2) Prepare interceptor: So there's no way of removing the
> "prepare" prefix? Maybe another implementation of
> that Interceptor?

It is, it depends on your needs; you can change the default stack
configuration - read about stacks in Struts. And when do you see that
the prepareXXX method is called? In logs? In debug mode? Why do you think
it is a problem?

I think you missed how the Prepare interceptor works and what
its duty is. Read about it in the docs.

> At this point my intention is to make a compromise between security and
> usability. Right now we are exposed because we're using
> an old version of the framework, but on the other hand the refactor required
> to comply with the last version is just too much.
> I'm aiming to use the last version 2.3.16 with action.prefix enabled and try
> to add security elements in our code in the hope of
> preventing attacks.
>
> I know certain data can't be shared through this mailing list as it would
> expose vulnerabilities, maybe we can talk through
> another channel, personal email maybe? It would really help us if you could
> tell me some guidelines.

Still, I cannot share more than is exposed via source code and
commits' history in repository - that's the law :-)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
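The SecurityInterceptor that Lukasz recommends, written out as an added example; it is not code from this thread or from the Struts project. It assumes Struts 2.3.x, a session attribute named LOGGED_IN_USER set by your own login action, and a login action named "login" that must stay reachable without a session; class names, the session key and the action name are all assumptions.

```java
package com.example.security; // assumed package

import java.util.Map;
import java.util.Set;
import java.util.HashSet;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/*
 * Wire it in struts.xml as the FIRST interceptor of the default stack so that
 * every action, including ones reached through wildcard mappings or DMI
 * (action!method), is checked before any method on the action runs:
 *
 *   <interceptors>
 *     <interceptor name="security" class="com.example.security.SecurityInterceptor"/>
 *     <interceptor-stack name="secureStack">
 *       <interceptor-ref name="security"/>
 *       <interceptor-ref name="defaultStack"/>
 *     </interceptor-stack>
 *   </interceptors>
 *   <default-interceptor-ref name="secureStack"/>
 *   <global-results>
 *     <result name="login" type="redirectAction">login</result>
 *   </global-results>
 */
public class SecurityInterceptor extends AbstractInterceptor {

    // Session key written by the application's own login action (assumed name).
    public static final String USER_KEY = "LOGGED_IN_USER";

    // Actions that must be reachable without a session; keep this list short.
    private static final Set<String> PUBLIC_ACTIONS = new HashSet<String>();
    static {
        PUBLIC_ACTIONS.add("login"); // assumed login action name
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String actionName = invocation.getProxy().getActionName();
        if (PUBLIC_ACTIONS.contains(actionName)) {
            return invocation.invoke();
        }
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = (session == null) ? null : session.get(USER_KEY);
        if (user == null) {
            // Stop the invocation here: no prepare/validate/execute method runs.
            return Action.LOGIN;
        }
        return invocation.invoke();
    }
}
```

Because the check runs in-app rather than in the container, it applies regardless of which method name a request selects, which is the point of not relying on container authentication alone.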

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

