Versions Compared

Old Version 10

changes.mady.by.user Bruce Phillips

Saved on

compared with

New Version 11

changes.mady.by.user Bruce Phillips

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This method will be called by the Struts 2 framework for each parameter in the request scope. By returning false if the parameter name contains "session" we are telling the Struts 2 framework to ignore that parameter. This will prevent a malicious user from trying to hack the HTTP session object. #Instead

  1. Instead of having each action that implements SessionAware also implement the ParameterNameAware interface you can tell the params interceptor to exclude specific request attributes for all actions in a package. In struts.xml configure the struts-default set of interceptors as follows:
Code Block
XML
XML
titlestruts.xml configure params interceptor

	<package name="basicstruts2" extends="struts-default">

 		<interceptors>
	 		<interceptor-stack name="appDefault">
	        	 <interceptor-ref name="defaultStack">
	      			<param name="exception.logEnabled">true</param>
	      			<param name="exception.logLevel">ERROR</param>
	      			<param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*</param>
	   			</interceptor-ref>
	 	    </interceptor-stack>
		</interceptors>
		
		<default-interceptor-ref name="appDefault" />

...