XWork issue XW-873

Add rtexprvalue or like attribute to param tag in xwork.xml


Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.0.4
    • Fix Version/s: None
    • Component/s: Configuration, Interceptors
    • Labels: None

    Description

      I believe it is a security issue with a pull-MVC framework such as XWork not to have a way (in Webwork specifically) of blocking parameters from being modifiable from the client browser. Otherwise, in a sense, many applications are relying upon security by obscurity by assuming that the client will not know what the static parameters are that they could update.

      The basic idea is this. With the default XWork / Webwork set up, the StaticParametersInterceptor comes before the ParametersInterceptor. Thus, if you specify something as a static parameter in xwork.xml, it can easily be overridden by someone creating a hidden field, with the same name as the static parameter, in the form that they submit. Of course, we can deem this possibility unlikely, but it still means that most webwork applications would be using security through obscurity.

      The solution:

      Create an attribute called rtexprvalue, which defaults to true, in the param tag for param tags whose parents are actions. Thus, in the xwork.xml, you would have something like:

      <action name="..." ....>
          <param name="numberOfPayments" rtexprvalue="false"/>
      </action>

      This would stop someone from editing, say, the numberOfPayments field of a Customer bean. I think this is the easiest solution to implement because the rtexprvalue attribute name is familiar to many from JSP tags, because it is simplest, and because it is backwards compatible.

      Otherwise, I think this hole makes it very difficult to secure XWork / Webwork applications, and means that if you want to do so, you have to move a ways away from the standard configuration, which is IMHO inadvisable as a framework design practice.
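      The override described above, as an added simulation that is not XWork or WebWork code and was not posted by the reporter: it parses a constructed xwork.xml fragment that carries the proposed rtexprvalue attribute, applies static parameters and then request parameters in the same order as the default interceptor stack, and shows the same request being rejected when the attribute is enforced. The action name, action class, parameter values and the hidden-field request are all made up for the example; the parser handles every param of the action, not only the one named in the report.

```python
import xml.etree.ElementTree as ET

# Constructed xwork.xml fragment (not from any real project). The
# rtexprvalue attribute is the one proposed in this issue; it is not part
# of the XWork 1.0.4 DTD.
XWORK_XML = """<xwork>
  <package name="default">
    <action name="updateCustomer" class="example.UpdateCustomer">
      <param name="numberOfPayments" rtexprvalue="false">12</param>
      <param name="theme">blue</param>
    </action>
  </package>
</xwork>"""

# Constructed request: a client adds a hidden field with the same name as
# the static parameter, plus a legitimately editable one.
CONSTRUCTED_REQUEST = {"numberOfPayments": "1", "theme": "red"}


def parse_action_params(xml_text, action_name):
    """Return (static_params, locked_names) for one action in the XML.

    locked_names holds every param whose rtexprvalue attribute is "false";
    a missing attribute defaults to "true", as the proposal specifies.
    """
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        if action.get("name") != action_name:
            continue
        static_params = {}
        locked = set()
        for p in action.findall("param"):
            name = p.get("name")
            static_params[name] = (p.text or "").strip()
            if p.get("rtexprvalue", "true").strip().lower() == "false":
                locked.add(name)
        return static_params, locked
    raise KeyError("no action named %r" % action_name)


def static_params_interceptor(state, static_params):
    """Mimics StaticParametersInterceptor: copy xwork.xml params onto the action."""
    state.update(static_params)


def parameters_interceptor(state, request_params, locked=frozenset()):
    """Mimics ParametersInterceptor: copy request params onto the action.

    With an empty `locked` set this is the default behaviour the issue
    describes: a request parameter silently overwrites a static one.
    Returns the names that were refused because they were locked.
    """
    rejected = []
    for name, value in request_params.items():
        if name in locked:
            rejected.append(name)
            continue
        state[name] = value
    return rejected


def run_stack(xml_text, action_name, request_params, enforce_rtexprvalue):
    """Run the two interceptors in default order and return (state, rejected)."""
    static_params, locked = parse_action_params(xml_text, action_name)
    state = {}
    static_params_interceptor(state, static_params)
    rejected = parameters_interceptor(
        state, request_params, locked if enforce_rtexprvalue else frozenset()
    )
    return state, rejected


if __name__ == "__main__":
    for enforce in (False, True):
        state, rejected = run_stack(XWORK_XML, "updateCustomer",
                                    CONSTRUCTED_REQUEST, enforce)
        print("enforce rtexprvalue=%s -> state=%s rejected=%s"
              % (enforce, state, rejected))
```

      Without enforcement the client's hidden field wins and numberOfPayments becomes "1"; with the attribute honoured the static value "12" survives while the editable theme parameter is still set from the request. The check lives in the parameters step rather than in the static step because, as the description notes, it is the later interceptor that does the overwriting.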

    People

      • Assignee: Unassigned
      • Reporter: Gabriel Zimmerman (gjz22)