Added the same warning that appears in the ParametersInterceptor abou…

…t using ParameterNameAware to the JavaDoc for this interface git-svn-id: https://svn.apache.org/repos/asf/struts/struts2/trunk@1508075 13f79535-47bb-0310-9956-ffa450edef68
rt-jar · Jul 29, 2013 · 49d339f · 49d339f
1 parent 6cfc28b
commit 49d339f
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParameterNameAware.java b/xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParameterNameAware.java
@@ -22,6 +22,13 @@
  * ParametersInterceptor}. For example, actions may want to create a whitelist of parameters they will accept or a
  * blacklist of paramters they will reject to prevent clients from setting other unexpected (and possibly dangerous)
  * parameters.
+ * 
+ * Using {@link ParameterNameAware} could be dangerous as {@link ParameterNameAware#acceptableParameterName(String)} takes precedence
+ * over {@link ParametersInterceptor} which means if ParametersInterceptor excluded given parameter name you can accept it with
+ * {@link ParameterNameAware#acceptableParameterName(String)}.
+ *
+ * The best idea is to define very tight restrictions with ParametersInterceptor and relax them per action with
+ * {@link ParameterNameAware#acceptableParameterName(String)}
  *
  * <!-- END SNIPPET: javadoc -->
  *