StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
20530078
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2013-12-11T21:15:51.327
FavoriteCount
0
LastActivityDate
2015-06-06T06:05:42.210
LastEditDate
2015-06-06T06:05:42.210
LastEditorUserId
2648077
OwnerUserId
2648077
ParentId
3337935
PostTypeId
2
Score
0
ViewCount
0
LastEditorDisplayName
text
Body
<blockquote> ModelDriven interceptor is blind </blockquote> Yes Model Interface could be a source of security issue, if you do not handle incoming parameters you will face security holes. You have to use parameter interceptor. In the struts.xml change your params interceptor as: <pre><code><interceptor-ref name="params"> <param name="excludeParams">\w+((\.\w+)|(\[\d+\])|($\d+$)|(\['\w+'\])|($'\w+'$))*</param> </interceptor-ref> </code></pre> Then in your action implement <code>ParameterNameAware</code> and write <code>acceptableParameterName</code>. <pre><code>public class sample implements ParameterNameAware(){ public boolean acceptableParameterName(String parameterName) { if (("username".equals(parameterName) || "firstname".equals(parameterName) || "lastname".equals(parameterName)) return true; else return false; } } </code></pre> The above is important, if your User pojo has lots of other properties and only some of them should be get from user. If you use lots of ModelDriven actions you can make it general. Create an base action which extends the <code>ParameterNameAware</code> . Then try to develop a general approach to have a list of your action and valid parameters : We used spring to read the list of actions and their acceptable parameters. In the spring xml we added: <pre><code><util:properties id="actionsValidParameters" location="classpath:/configs/actions-valid-parameters.properties" /> </code></pre> The <code>actions-valid-parameters.properties</code> is as : <pre><code>save-user=username,description,firstname,lastname save-address=zipcode,city,detail,detail.addLine1,detail.addLine2,detail.no </code></pre> Hint, If Address Object has an Detail object and you want to fill some properties in the Detail object, make sure you include the 'detail' in above list. The action is as <pre><code>public class BaseActionSupport extends ActionSupport implements ParameterNameAware { @Resource(name = "actionsValidParameters") public Properties actionsValidParameters; @Override public boolean acceptableParameterName(String parameterName) { String actionName = ActionContext.getContext().getName(); String validParams = (String) actionsValidParameters.get(actionName); //If the action is not defined in the list, it is assumed that the action can accept all parameters. You can return false so if the action is not in the list no parameter is accepeted. It is up to you! if(StringUtils.isBlank(validParams)) return true; // Search all the list of parameters. //You can split the validParams to array and search array. Pattern pattern = Pattern.compile("(?<=^|,)" + parameterName + "(?=,|$)"); Matcher matcher = pattern.matcher(validParams); boolean accepeted = matcher.find(); LOG.debug( "The {} parameter is {} in action {}, Position (excluding the action name) {} , {} , mathced {} ", parameterName, accepeted, actionName, matcher.start(), matcher.end(), matcher.group()); return accepeted; } } </code></pre> Now wrtie your actions as <pre><code> public class UserAction extends BaseActionSupport implements ModelDriven<User>{ } </code></pre>
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. PODoes the ModelDriven interface poses a security explot in struts2?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USAlireza Fattahi
UserOwnerUserId
1. USAlireza Fattahi
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. This table or related slice is empty.
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.