struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Relph" <relp...@gmail.com>
Subject Re: action security
Date Fri, 29 Feb 2008 17:19:12 GMT
I was able to use the ParameterNameAware interface after all ... I needed to
rebuild my project, it wasn't updating in my workspace for some reason.

I have also created a new AnnontationParameterInterceptor, along with a
class-level annontation and a field-level annontation.  As of now, the
annotations just store a boolean value of whether to allow the field to be
set, and for the class, what the default policy is for object's fields.

Would anyone be interested in this code?  Would some of this go in the xwork
distribution?  I would like to add regular expression support to the
class-level annontation, but other than that, I prefer the annotations over
the interface/method.

On Thu, Feb 28, 2008 at 3:28 PM, Dave Newton <newton.dave@yahoo.com> wrote:

> --- Laurie Harper <laurie@holoweb.net> wrote:
> > That would require a getMailSender() on the action, wouldn't it? I'd
> > strongly suggest not having getters for 'sensitive' internals like that
>
> It's pretty typical to have a service injected like that, though. The
> issue
> here is that a sensitive configuration parameter is being trivially
> exposed
> via a Spring-settable property.
>
> > >> --- Brian Relph <relphie@gmail.com> wrote:
> > >>> So i guess this is a legitimate security concern.  Is there a
> > >>> cleaner way to do this?  Is there annotations support for it?
> > >> Not that I'm aware of.
>
> Have you solved your ParameterNameAware problem?
>
> I can't reproduce it; if I have a Spring-injected class (my test uses
> 'testService') with a property and my 'acceptableParameterName' method
> returns 'false' for parameters starting with the name of the service's
> parameter it's not being set.
>
> In other words, if the parameter name 'startsWith("testService")' I return
> false, the parameter in the service isn't being set on a request
> containing
> something like 'testService.senderName'.
>
> Dave
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>


-- 
Brian

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message