I'm about to commit a fairly large patch that, among other things, adds built-in support for limiting what methods can be invoked on an Action. My motivation was actually to improve the ability for the REST plugin to introspect what HTTP methods are supported (automatic HTTP OPTIONS and WADL support), but I'd imagine the primary use will be as a security feature to prevent any arbitrary action being executed. The default behavior is to introspect the Action class during startup to get a list of all methods that can be executed. This allows, among other things, the config-browser plugin the ability to display exactly what methods are being automatically exposed to users.
My question is, how best should this capability be exposed? A couple of ideas:

1. A new property/constant titled 'struts.restrictToDeclaredMethod' that will instruct the ActionConfig (where the allowedMethods property lives) to only allow the method that is explicitly defined (defaults to 'execute'). If false, all methods will be allowed.
2. A new attribute on the <action> element called 'allowedMethods', which takes a comma-separated list of method names to allow
3. A new @ActionMethod annotation for the codebehind plugin that declares a method as callable

I'm thinking about doing all three, but I'm not sure #2 is necessary. I want to minimize XML configuration as much as possible, and I'm not convinced #2 is worth the extra config. Any other ideas?

Don
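The startup introspection and the restrict-to-declared-method switch described in the message, as an added sketch that is not code from the patch or from Struts. The class and method names, the sample action, and the rule for what counts as an invocable method (public, non-static, no-arg, returns String, not a getter) are all assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;
import java.util.TreeSet;

public class AllowedMethodsSketch {

    // Constructed sample action: only execute() and publish() look like action methods.
    public static class ArticleAction {
        public String execute() { return "success"; }
        public String publish() { return "success"; }
        public String getTitle() { return "t"; }   // bean getter, not an action method
        public void setTitle(String t) { }         // takes an argument
        String purge() { return "success"; }       // not public
    }

    // Assumed rule: invocable = public, non-static, no-arg, returns String,
    // not inherited from Object, and not a bean getter.
    static Set<String> introspect(Class<?> actionClass) {
        Set<String> allowed = new TreeSet<>();
        for (Method m : actionClass.getMethods()) {   // getMethods() yields public methods only
            if (m.getDeclaringClass() == Object.class) continue;   // drops toString() etc.
            if (Modifier.isStatic(m.getModifiers())) continue;
            if (m.getParameterCount() != 0 || m.getReturnType() != String.class) continue;
            if (m.getName().startsWith("get")) continue;
            allowed.add(m.getName());
        }
        return allowed;
    }

    // restrictToDeclared mirrors idea 1: when true, only the configured method is allowed;
    // when false, every introspected method is allowed.
    static Set<String> allowedMethods(Class<?> c, String declared, boolean restrictToDeclared) {
        Set<String> all = introspect(c);
        if (!restrictToDeclared) return all;
        Set<String> only = new TreeSet<>();
        if (all.contains(declared)) only.add(declared);
        return only;
    }

    public static void main(String[] args) {
        Class<?> c = ArticleAction.class;
        // What a config browser could list as automatically exposed methods.
        System.out.println("exposed by default: " + allowedMethods(c, "execute", false));
        Set<String> strict = allowedMethods(c, "execute", true);
        for (String requested : new String[] {"execute", "publish", "purge", "toString"}) {
            System.out.println(requested + " -> " + (strict.contains(requested) ? "invoke" : "reject"));
        }
    }
}
```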