struts-dev mailing list archives

From Lukasz Lenart <>
Subject Re: Security judges
Date Fri, 18 Oct 2013 06:53:15 GMT
2013/10/17 Paul Benedict <>:
> Throw an exception instead. If Struts has a default exception handler,
> translate the exception into a 403; but the goal is to give the user a
> chance to customize the response.

That's the problem ... exception handling is provided by an
interceptor, deep in the execution chain, and checking security at that
level can be too late :\

Right now I have added SecurityGate directly into Dispatcher and it
will block the whole request if something suspicious is
discovered - and added two SecurityGuards, but they don't perform the
real check now. They're there just to show the idea. Please review if
it makes sense.

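A sketch of the ordering discussed in this message, as an added example that is not the Struts code under review: the gate runs in the dispatcher before any interceptor is invoked. The interface shapes given here to SecurityGate and SecurityGuard, the `dispatch` helper, the interceptor names and the parameter-name guard are all assumptions for illustration.

```java
import java.util.*;

public class GateBeforeChainDemo {
    // Assumed shape: a guard inspects the raw request and returns a reason to block, if any.
    interface SecurityGuard { Optional<String> inspect(Map<String, String> params); }

    // Assumed shape: the gate asks each guard in turn and reports the first objection.
    static final class SecurityGate {
        private final List<SecurityGuard> guards;
        SecurityGate(List<SecurityGuard> guards) { this.guards = guards; }
        Optional<String> check(Map<String, String> params) {
            for (SecurityGuard guard : guards) {
                Optional<String> reason = guard.inspect(params);
                if (reason.isPresent()) return reason;
            }
            return Optional.empty();
        }
    }

    // Hypothetical stand-in for the dispatcher: the gate decides before the chain starts,
    // so a blocked request never reaches an interceptor, including the one mapping exceptions.
    static int dispatch(SecurityGate gate, Map<String, String> params, List<String> trace) {
        Optional<String> blocked = gate.check(params);
        if (blocked.isPresent()) {
            trace.add("gate blocked: " + blocked.get());
            return 403;
        }
        for (String step : List.of("interceptor-1", "exception-interceptor", "action")) {
            trace.add("ran " + step);
        }
        return 200;
    }

    public static void main(String[] args) {
        // Assumed check: parameter names must match a conservative allow-list pattern.
        SecurityGuard paramNames = p -> p.keySet().stream()
            .filter(name -> !name.matches("[A-Za-z0-9_.]+"))
            .findFirst()
            .map(name -> "unexpected parameter name '" + name + "'");
        SecurityGate gate = new SecurityGate(List.of(paramNames));

        // Constructed sample requests: one ordinary, one with an unexpected parameter name.
        for (Map<String, String> request : List.of(
                Map.of("user.name", "alice"),
                Map.of("user['name']", "alice"))) {
            List<String> trace = new ArrayList<>();
            int status = dispatch(gate, request, trace);
            System.out.println(status + " " + trace);
        }
    }
}
```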