struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Laurie Harper <>
Subject Re: action security
Date Thu, 28 Feb 2008 20:20:11 GMT
Brian Relph wrote:
> Here is a better example of what i am concerned about ...
> I send emails in my application, and i use spring to configure a
> JavaMailSender - this has a getter/setter for the"from" email address ... as
> well, i use a singleton bean for this object (this is the spring default
> nowadays), so a malicious user could send in a form parameter for
> mailSender.fromEmail, and then every email that my application sends would
> be from whatever string the submitted ...

That would require a getMailSender() on the action, wouldn't it? I'd 
strongly suggest not having getters for 'sensitive' internals like that :-)

You might also want to consider breaking your action into two pieces: 
the action that handles exposing data to pages / reading input from 
users, and a 'service' class which holds references to DAOs and utility 
classes like JavaMailSender. That could greatly reduce the surface area 
of what is addressable through the action.


> I am implementing the ParameterNameAware interface in struts 2.0.11, and am
> checking doing parameterName.startsWith("mailSender") ? false : true;  --
> this is returning false, however, the value is still being set on my object,
> am i doing something wrong here?
> On Thu, Feb 28, 2008 at 10:35 AM, Dave Newton <> wrote:
>> --- Brian Relph <> wrote:
>>> So i guess this is a legitimate security concern.  Is there a
>>> cleaner way to do this?  Is there annotations support for it?
>> Not that I'm aware of.
>> Note that setting a DAO-style class with a string would most likely end in
>> an
>> exception.
>> Dave
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message