2014-01-30 Manuel López Blasi :
> Lukasz: As I told Eric, I think we're gonna implement some additional
> security checking mechanism, maybe a last Interceptor in the stack, we'll
> see.
>
> "for question 2) Prepare interceptor: So there's no way to remove the
> "prepare" prefix? Maybe other impl
Thank you very much to all of you for taking the time to answer my
questions, I have a clearer view of my situation now,
Eric: I believe I understand your point, it's best for security
related stuff to be tailored for each individual project needs,
there's no way to be 100% sure of one's invuln
2014-01-30 Fabian Richter :
> On 30.01.2014 06:57, Lukasz Lenart wrote:
>
>> Do not depend only on container authentication mechanism.
>>
>
> So you would discourage the use of like Spring Security as a sole
> authentication mechanism? Why?
You missed out the context - action: prefix vulnerabili
On 30.01.2014 06:57, Lukasz Lenart wrote:
Do not depend only on container authentication mechanism.
So you would discourage the use of like Spring Security as a sole
authentication mechanism? Why?
Best
Fabian
Code has parent[s] (just like our children) that take special care of it.
But code influence (positive or negative) is spread among all people.
Open Licenses (like Apache2) code is especially because let everybody
of us to "adopt" or contribute to "a code".
Moreover code is developed not only
2014-01-29 Eric Reed :
> Security has, and should be an open arrangement between developers and
> the clients for which they develop code.
>
> This relationship is as follows:
>
> 1. I detect an exploit in YOUR code.
>
> 2. I inform you of the exploit along with a proof of concept.
>
> 3. I give yo
2014-01-29 Manuel López Blasi :
> Thanks again Lukasz,
>
> for question 1) Security issues: can you recommend some
> modifications/actions/alterations in maybe certain
> parts of the code, any advice on weak points we can focus on regarding
> security issues?
You must implement custom authenticat
Security has, and should be an open arrangement between developers and
the clients for which they develop code.
This relationship is as follows:
1. I detect an exploit in YOUR code.
2. I inform you of the exploit along with a proof of concept.
3. I give you time to release a patch and notify
Thanks again Lukasz,
for question 1) Security issues: can you recommend some
modifications/actions/alterations in maybe certain
parts of the code, any advice on weak points we can focus on regarding
security issues?
for question 2) Prepare interceptor: So there's no way to remove the
"prepa
2014-01-29 Manuel López Blasi :
> 1) Having the action.prefix enabled there's no interference in the
> security fixes introduced in the last versions, it should be all fully
> working isn't it?
> We have Dynamic Method Invocation disabled.
No, action: prefix can be dangerous but it depends on se
Lukasz,
first of all thanks a lot for this hint, that is what was causing the
submit buttons not to respond in the way I was expecting,
it now fires up the method specified in the action attribute. It saved
us a lot of work not to say that we were about to ditch the upgrade
completely.
I ha
As from 2.3.15.2 action: prefix is disabled by default (this is how
is rendered), to enable it you must add the
below constant to struts.properties or struts.xml:
### Disables support for action: prefix
struts.mapper.action.prefix.enabled = false
Regards
--
Łukasz
+ 48 606 323 122 http://www.l