Subject: Re: Security judges
From: Steven Benitez
To: Struts Developers List
Date: Wed, 9 Oct 2013 16:21:51 -0400

Can you clarify how this would affect custom action mappers?

On Wed, Oct 9, 2013 at 4:05 PM, Lukasz Lenart wrote:
> Hi,
>
> Another idea is to add some logic to handle security aspects of the
> framework in one place - it would be some kind of stack of interfaces
> which will try to clean up the incoming request.
>
> For example:
>
> - ActionNameJudge#accept() will handle whether the action name matches
>   the expected pattern, the same as what is already defined with a
>   constant in DefaultActionMapper
> - ParameterNameJudge#accept() will handle whether the given parameter
>   name is acceptable - the same as what ParametersInterceptor does
>   right now
> - etc.
>
> The idea is simple - have all the security-related logic in one place
> and have it applied to the whole framework, not to some parts, i.e.
> someone will implement their own ActionMapper and won't escape/clear
> action names as is done in DefaultActionMapper, and so on.
>
> These handlers will be configured in struts-default.xml and users can
> re-define them, add additional judges, etc.
>
> Regards
> --
> Łukasz
> +48 606 323 122 http://www.lenart.org.pl/
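An added sketch of the judge stack Łukasz describes, written for this page and not taken from the thread or from Struts. It answers the shape of Steven's question: a custom mapper that does no cleanup of its own still has its action names and parameter names decided by the central judges. The Judge and PatternJudge types, the SecurityJudges holder and both allowlist patterns are assumptions modelled on the constants the quoted message names.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical judge contract; only the accept() name comes from the proposal. */
interface Judge { boolean accept(String value); }

/** Regex allowlist judge: a value passes only if the whole string matches. */
final class PatternJudge implements Judge {
    private final Pattern allowed;
    PatternJudge(String regex) { allowed = Pattern.compile(regex); }
    @Override public boolean accept(String value) {
        return value != null && allowed.matcher(value).matches();
    }
}

/** The central stack, one judge list per aspect. Hard-coded here; the proposal would
 *  load these from struts-default.xml so users can redefine them or add judges. */
final class SecurityJudges {
    // Constructed allowlists, assumed to follow the shape of the DefaultActionMapper
    // constant (action names) and of the ParametersInterceptor check (parameter names).
    static final List<Judge> ACTION_NAME = Arrays.<Judge>asList(new PatternJudge("[a-zA-Z0-9._!/\\-]*"));
    static final List<Judge> PARAMETER_NAME =
            Arrays.<Judge>asList(new PatternJudge("\\w+((\\.\\w+)|(\\[\\d+\\])|(\\['\\w+'\\]))*"));
    static boolean acceptActionName(String name) { return allAccept(ACTION_NAME, name); }
    static boolean acceptParameterName(String name) { return allAccept(PARAMETER_NAME, name); }
    private static boolean allAccept(List<Judge> judges, String value) {
        for (Judge j : judges) if (!j.accept(value)) return false; // first rejection wins
        return true;
    }
}

public class JudgeDemo {
    /** Stand-in for a custom ActionMapper that does no escaping or cleanup of its own. */
    static String naiveActionName(String uri) {
        return uri.substring(uri.lastIndexOf('/') + 1).replaceFirst("\\.action$", "");
    }

    public static void main(String[] args) {
        // Constructed URIs; the second contains '$', which the allowlist excludes, so the
        // judges reject it even though the mapper handed it through untouched.
        for (String uri : Arrays.asList("/app/login.action", "/app/login$x.action")) {
            String name = naiveActionName(uri);
            System.out.println(name + " -> " + (SecurityJudges.acceptActionName(name) ? "accepted" : "rejected"));
        }
        // Constructed parameter names; the hyphenated one falls outside \w and is rejected.
        for (String p : Arrays.asList("user.name", "user['name']", "user-name")) {
            System.out.println(p + " -> " + (SecurityJudges.acceptParameterName(p) ? "accepted" : "rejected"));
        }
    }
}
```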