Stripes

Allow sourcePage to be encrypted

Details

  • Type: Improvement
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: Release 1.5
  • Component/s: Tag Library
  • Labels:
    None

Description

We usually have all JSPs that can't be accessed without going through an ActionBean stored under /WEB-INF.
It would be nice if the _sourcePage parameter could be encrypted (like fieldsPresent) so that the internal structure isn't visible to the end user. No reason to disclose more than necessary.

/Jeppe

Activity

Dan Batten added a comment - 14/Aug/06 5:27 PM

I agree, this is enough for our security guys to stop a project from going into production. So, it's a showstopper for me in terms of recommending it to be used, which is unfortunate as Stripes is a great framework.

Kevin Wang added a comment - 14/Aug/06 5:44 PM

I agree too. And I suggest adding a hashtable on the server side which keeps all _sourcePage values instead of encrypting.

Ben Gunter added a comment - 23/Aug/07 8:42 PM

I've been thinking for a while that we need a mechanism for encrypting any value that is to be passed back to the server. For example, if you allow a numeric ID to load an object from a database, you don't want somebody to be able to just poke any value in there that they want.

Ben Gunter added a comment - 11/Jan/08 11:08 PM

Fixed for 1.5. The _sourcePage parameter is always encrypted before it is written. Easy access to the plaintext value is provided by the new ActionBeanContext.getSourcePage() method.

Dates

  • Created: 02/Mar/06 6:00 AM
  • Updated: 04/Jan/11 2:13 PM
  • Resolved: 11/Jan/08 11:08 PM