Description
In the parameters map available in the context, GET or POST parameters can override session and application attributes.
The parameters map is created as follows in UtilHttp.getCombinedMap:
combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
combinedMap.putAll(getParameterMap(request)); // parameters override session
combinedMap.putAll(getAttributeMap(request)); // attributes trump them all
I understand that session can override application attributes, but I don't understand why parameters can override them.
For example, if you try the following:
https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
You will be surprised. This also means that whatever personal configuration parameters you put in web.xml can be overridden by GET or POST parameters.
I propose to do the following instead:
combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything
combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
combinedMap.putAll(getAttributeMap(request)); // attributes trump them all
What do you think?
[from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]
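The following is an added illustration of the precedence issue described above; it is not code from the report or from OFBiz itself. It replaces the servlet context, session, request parameters and request attributes with plain HashMaps holding constructed sample values (the webtools/ecommerce decorator locations are taken from the report's URL, the other keys and values are made up), and builds the combined map twice: once in the current getCombinedMap order and once in the proposed order. With the current order a GET/POST parameter named mainDecoratorLocation replaces the application-level value; with the proposed order the application value wins, and, as a consequence of the same reordering, a session attribute also wins over a parameter of the same name.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

public class CombinedMapOrder {

    // Constructed stand-in for servlet-context (application) attributes,
    // e.g. values configured in web.xml. Not read from a real ServletContext.
    static Map<String, Object> servletContextMap() {
        Map<String, Object> m = new HashMap<>();
        m.put("mainDecoratorLocation", "component://webtools/widget/CommonScreens.xml");
        m.put("appName", "webtools");
        return m;
    }

    // Constructed stand-in for session attributes. Not a real HttpSession.
    static Map<String, Object> sessionMap() {
        Map<String, Object> m = new HashMap<>();
        m.put("locale", "en_US");
        m.put("userLoginId", "admin");
        return m;
    }

    // Constructed stand-in for GET/POST parameters, mirroring the request
    //   .../webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
    // plus a second parameter that collides with a session attribute.
    static Map<String, Object> parameterMap() {
        Map<String, Object> m = new HashMap<>();
        m.put("mainDecoratorLocation", "component://ecommerce/widget/CommonScreens.xml");
        m.put("locale", "fr");
        m.put("productId", "WG-1111");
        return m;
    }

    // Constructed stand-in for request attributes set by server-side code.
    static Map<String, Object> attributeMap() {
        Map<String, Object> m = new HashMap<>();
        m.put("requestAttr", "set-by-controller");
        return m;
    }

    // Current order: parameters are applied after session and application,
    // so a parameter with the same name replaces either of them.
    static Map<String, Object> combineCurrentOrder(Map<String, Object> ctx, Map<String, Object> session,
                                                   Map<String, Object> params, Map<String, Object> attrs) {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(ctx);      // bottom level application attributes
        combined.putAll(session);  // session overrides application
        combined.putAll(params);   // parameters override session
        combined.putAll(attrs);    // attributes trump them all
        return combined;
    }

    // Proposed order: parameters go in first, so any application, session or
    // request attribute with the same name replaces the parameter.
    static Map<String, Object> combineProposedOrder(Map<String, Object> ctx, Map<String, Object> session,
                                                    Map<String, Object> params, Map<String, Object> attrs) {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(params);   // parameters shouldn't override anything
        combined.putAll(ctx);      // bottom level application attributes
        combined.putAll(session);  // session overrides application
        combined.putAll(attrs);    // attributes trump them all
        return combined;
    }

    public static void main(String[] args) {
        Map<String, Object> ctx = servletContextMap();
        Map<String, Object> session = sessionMap();
        Map<String, Object> params = parameterMap();
        Map<String, Object> attrs = attributeMap();

        Map<String, Object> current = combineCurrentOrder(ctx, session, params, attrs);
        Map<String, Object> proposed = combineProposedOrder(ctx, session, params, attrs);

        // Application attribute: overridden by the URL parameter today, kept with the proposal.
        System.out.println("current  mainDecoratorLocation = " + current.get("mainDecoratorLocation"));
        System.out.println("proposed mainDecoratorLocation = " + proposed.get("mainDecoratorLocation"));

        // Session attribute: also overridden by a parameter today; with the proposal the
        // session value wins, so a same-named form field would be ignored.
        System.out.println("current  locale = " + current.get("locale"));
        System.out.println("proposed locale = " + proposed.get("locale"));

        // A parameter that collides with nothing is present either way.
        System.out.println("current  productId = " + current.get("productId"));
        System.out.println("proposed productId = " + proposed.get("productId"));
    }
}
```

Run it with `java CombinedMapOrder.java` (Java 11 or later): the current order prints the ecommerce decorator location and "fr", the proposed order prints the webtools location and "en_US", and productId is "WG-1111" in both. The second pair of lines is the trade-off to keep in mind when reviewing the proposal: moving parameters to the bottom protects application and session values from request input, but it also means a request can no longer pass a parameter whose name coincides with an attribute already in the session.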