struts-user mailing list archives

Subject Security Vulnerability When Using SessionAware and Best Practice For Mitigating It
Date Tue, 21 Feb 2012 14:09:51 GMT
I was researching the SessionAware interface as I'm planning on adding a
tutorial on how to use the HTTP Session object from within a Struts Action
class to the tutorials at: .

I ran across this blog post and Struts 2 JIRA issue that discuss a security
vulnerability when using SessionAware.

I'd like to include in the tutorial the best practices for mitigating this
vulnerability.  Here is what I think programmers who use SessionAware in
their Action class should do to mitigate this vulnerability:

1.  Do not create a public Map<String, Object> getSession() method in the
Action class

2.  Also implement the ParameterNameAware interface and override its
acceptableParameterName method as follows:

      // Refuse any request parameter whose name mentions the session or
      // request objects, so the parameters interceptor never populates them.
      public boolean acceptableParameterName(String parameterName) {
          boolean allowedParameterName = true;
          if (parameterName.contains("session") || parameterName.contains("request")) {
              allowedParameterName = false;
          }
          return allowedParameterName;
      }

I'd certainly appreciate any feedback on best practices to follow when
implementing the SessionAware interface and how to mitigate the security

Thank You,

Bruce Phillips
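
As an added example (not code from the post above, and not Struts' own code), here is a small action class that follows the two points listed: the session Map is held in a private field with a setter only, so there is no public getSession() for a parameter expression to traverse, and acceptableParameterName() is implemented. Instead of the contains() deny-list in the post, this version uses an anchored allow-list pattern that admits only a single plain identifier (no '.', '[', '(' or '#'), which is my assumption about the stricter check a practitioner would want; the explicit refusal of the names "session" and "request" is kept on top of that. The class name, package, the visitorName parameter and the visitCount attribute are hypothetical; the imports assume the Struts 2.3-era packages com.opensymphony.xwork2 and org.apache.struts2.interceptor.

```java
// Added example, not part of the original post. Package and class names are hypothetical.
package example;

import java.util.Map;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

public class VisitCounterAction extends ActionSupport
        implements SessionAware, ParameterNameAware {

    // Allow-list for parameter names the ParametersInterceptor may populate:
    // one plain identifier, nothing nested. Assumption: stricter than the
    // contains() check in the post, and rejects "session.x", "session['x']",
    // "request.x" and similar outright because '.' and '[' never match.
    private static final Pattern ALLOWED_PARAM =
            Pattern.compile("^[A-Za-z][A-Za-z0-9_]{0,63}$");

    // Hypothetical session attribute name used by this action.
    private static final String VISIT_KEY = "visitCount";

    // Private field with a setter only: there is deliberately no public
    // getSession(), so nothing a parameter expression could navigate into.
    private Map<String, Object> session;

    // The only request parameter this action accepts.
    private String visitorName;

    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    @Override
    public boolean acceptableParameterName(String parameterName) {
        // Reject null and anything outside the allow-list pattern.
        if (parameterName == null || !ALLOWED_PARAM.matcher(parameterName).matches()) {
            return false;
        }
        // Keep the post's explicit refusal of the session and request names,
        // even though neither could reach a getter in this class.
        String lower = parameterName.toLowerCase();
        return !lower.equals("session") && !lower.equals("request");
    }

    public void setVisitorName(String visitorName) {
        this.visitorName = visitorName;
    }

    public String getVisitorName() {
        return visitorName;
    }

    // Reads the counter from the session through the private map; a missing
    // or non-Integer value counts as zero.
    public int getVisitCount() {
        Object value = session.get(VISIT_KEY);
        return value instanceof Integer ? (Integer) value : 0;
    }

    @Override
    public String execute() {
        // Read-modify-write of a session attribute from inside the action.
        session.put(VISIT_KEY, getVisitCount() + 1);
        return SUCCESS;
    }
}
```

With this class, a request such as ?visitorName=alice populates the one accepted property, while ?session['admin']=true or ?request.foo=bar is refused by acceptableParameterName() before the interceptor ever evaluates it, and even a name that slipped past the filter would find no public getter for the session to walk through. The interceptor's own acceptable-name pattern still applies in addition to this method; the action-level check only narrows it further.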

