Difference between revisions of "Struts"

From OWASP
Jump to: navigation, search
(Author)
(Roles)
Line 22: Line 22:
 
==Security==
 
==Security==
 
===Roles===
 
===Roles===
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object.
+
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box. 
  
 
<pre>
 
<pre>

Revision as of 23:50, 14 January 2008

Contents

Status

Content to be finalised. First draft


Introduction

This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.

Architecture

The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.

Components

Action

  • No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.

ActionForm

Validation

  • Integration with commons validator

Configuration

Security

Roles

In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object. This is pretty much all that you get out of the box.

<action
     roles="administrator,contributor"
     path="/article/Edit"
     parameter="org.article.FindByArticle"
     name="articleForm"  
     scope="request">
       <forward
             name="success"
             path="article.jsp"/>
</action>