struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Newton <>
Subject Re: action security
Date Thu, 28 Feb 2008 21:28:54 GMT
--- Laurie Harper <> wrote:
> That would require a getMailSender() on the action, wouldn't it? I'd 
> strongly suggest not having getters for 'sensitive' internals like that

It's pretty typical to have a service injected like that, though. The issue
here is that a sensitive configuration parameter is being trivially exposed
via a Spring-settable property.

> >> --- Brian Relph <> wrote:
> >>> So i guess this is a legitimate security concern.  Is there a
> >>> cleaner way to do this?  Is there annotations support for it?
> >> Not that I'm aware of.

Have you solved your ParameterNameAware problem?

I can't reproduce it; if I have a Spring-injected class (my test uses
'testService') with a property and my 'acceptableParameterName' method
returns 'false' for parameters starting with the name of the service's
parameter it's not being set.

In other words, if the parameter name 'startsWith("testService")' I return
false, the parameter in the service isn't being set on a request containing
something like 'testService.senderName'.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message