Versions Compared

Old Version 11

changes.mady.by.user Bruce Phillips

Saved on

compared with

New Version 12

changes.mady.by.user Bruce Phillips

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This method will be called by the Struts 2 framework for each parameter in the request scope. By returning false if the parameter name contains "session" we are telling the Struts 2 framework to ignore that parameter. This will prevent a malicious user from trying to hack the HTTP session object.

Instead of having each action that implements SessionAware also implement the ParameterNameAware interface you can tell the params interceptor to exclude specific request attributes for all actions in a package. In struts.xml configure the struts-default set of interceptors as follows:

Code Block
XML
XML
titlestruts.xml configure params interceptor

	<package name="basicstruts2" extends="struts-default">

 		<interceptors>
	 		<interceptor-stack name="appDefault">
	        	 <interceptor-ref name="defaultStack">
	      			<param name="exception.logEnabled">true</param>
	      			<param name="exception.logLevel">ERROR</param>
	      			<param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*</param>
	   			</interceptor-ref>
	 	    </interceptor-stack>
		</interceptors>
		
		<default-interceptor-ref name="appDefault" />

...