I'm about to commit a fairly large patch that, among other things,
adds built-in support for limiting what methods can be invoked on an
Action.  My motivation was actually to improve the ability for the
REST plugin to introspect what HTTP methods are supported (automatic
HTTP OPTIONS and WADL support), but I'd imagine the primary use will
be as a security feature to prevent any arbitrary action being
executed.  The default behavior is to introspect the Action class
during startup to get a list of all methods that can be executed.
This allows, among other things, the config-browser plugin the ability
to display exactly what methods are being automatically exposed to
users.

My question is, how best should this capability be exposed?  A couple of ideas:

1. A new property/constant titled 'struts.restrictToDeclaredMethod'
that will instruct the ActionConfig (where the allowedMethods property
lives) to only allow the method that is explicitly defined (defaults
to 'execute').  If false, all methods will be allowed.

2. A new attribute on the <action> element called 'allowedMethods',
which takes a comma-separated list of method names to allow

3. A new @ActionMethod annotation for the codebehind plugin that
declares a method as callable

I'm thinking about doing all three, but I'm not sure #2 is necessary.
I want to minimize XML configuration as much as possible, and I'm not
convinced #2 is worth the extra config.

Any other ideas?

Don

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to