On 03/Dec/07, at 08:48, Don Brown wrote:
On 12/3/07, Ing. Andrea Vettori [EMAIL PROTECTED] wrote:
I'm happy to know that a complete solution is being planned/developed.
I just say that if the security problem is caused only by bad
programming practice, removing EL
As someone mentioned, do we want to bundle both under different URIs?
We could keep the paranoid/safe one as the default, and use a URI like
struts-tags-rt for the one that allows all runtime expressions. To use
the other, we can change one line at the top of the file to opt in.
-Ted.
On Dec
I tried using the example application (struts2-blank-2.0.11.war) and it
is working fine using package_es.properties and package.properties, that is, I
am getting the messages in the right language.
I get the same result using package_fr.properties rather than
package_es.properties.
But if I rename the
Tom,
I don't really know what to think about making a yet new Struts2 oriented
toward JRuby on Rails but I'm sure working on a better integration between
JRuby on Rails and legacy J2EE frameworks such as Struts2 would be indeed
useful.
Some think Rails succeeded mainly because of
I'm not 100% on the specification, but isn't this case what the delayed
evaluation is for?
-bp
Adam Hardy wrote:
Oh I see. The JSP standard specifies real-time expression evaluation
with EL when declared in the TLD for evaluation by the servlet
container, and OGNL is only evaluated by tag
Tom Schneider wrote:
I agree, I think it would be interesting to create a plugin that gives
us a seamless full stack: Struts2/Spring/JPA or Struts2/Guice/JPA.
As an aside, I've been working on a framework originally called Vertigo
and now called JCatapult (jcatapult.org) that is a full stack
SmokeTheSun wrote:
Hi,
I am working in Struts1.2 application development. In that I want to restrict
direct access (through URL) for jsp pages or by calling .do action.
Specifically, unauthenticated users must not access any pages.
Can you give the idea(s)..
Thanks,
Please ask this
Hi,
I am working in Struts1.2 application development. In that I want to restrict
direct access (through URL) for jsp pages or by calling .do action.
Specifically, unauthenticated users must not access any pages.
Can you give the idea(s)..
Thanks,
The case I know of is anytime an OGNL expression is the value of a JSP
EL expression that the user has control of. This could be in the
session, request, or context from what I can think of. Usually it is a
parameter that is being passed in like this:
Perhaps this can be remedied by adding a switch to each struts tag whereby if
the switch is high, then ognl is not evaluated inside the tag:
<s:text key=${jspEL} eval=false />
Since the nature of this problem concerns
the expressive power of ognl (calling methods), this approach wouldn't penalize
I agree this is a problem. I haven't been able to find the Struts 2 source
code (and javadocs) in the repos myself.
Paul
On Dec 3, 2007 2:04 PM, Tomislav Stojcevich [EMAIL PROTECTED] wrote:
Can somebody please manually upload the source jars to the maven repo.
See the following issues:
I don't know how relevant it is to the conversation or how awful it's going
to be trying to do it but I did plan on taking a stab at creating a new
unified-el compatible grammar for OGNL when I do my big IoC-friendly
re-factor. (probably a 2.7.3 release kind of change)
Since jboss and others
Hi,
I submitted a bug fix patch about three weeks ago and it seems like it was
approved and never committed (WW-2094 and WW-2300). I know everyone's busy,
but it seems like those issues on the JIRA are being ignored. Another patch
(WW-2240) has been ignored as well. I've got a much more recent
Normal Maven procedure would just entail sticking -DperformRelease=true
on the end to generate source and javadoc jars.
mvn deploy -DperformRelease=true
Does performing a Struts 2 release require doing something non-maven
standard?
- Original message -
From: Ted Husted [EMAIL
I'll be heads-down until at least December 19th, but I should be able
to start applying patches again by the end of the year.
It's not that they are being ignored, it's just, as you say, that no
one has time. Struts is still an all-volunteer project, and everyone
has some other full time job.
Unfortunately, I have no idea how to fix it. My setup here isn't quite
right, and it might have something to do with it. The exact steps we
follow are here:
* http://struts.apache.org/2.x/docs/creating-and-signing-a-distribution.html
I know Antonio has been working on it, and if he, or someone
Also I believe the maven-release-plugin (if you use it) forks with
-DperformRelease=true
Paul
On Dec 3, 2007 4:20 PM, Martin Gilday [EMAIL PROTECTED] wrote:
Normal Maven procedure would just entail sticking -DperformRelease=true
on the end to generate source and javadoc jars.
mvn deploy
Well, I am definitely interested in this. I had no idea this was being
planned. (I'll have to pop over to the OGNL site more often now) It
definitely would be good for us to keep in sync since we may be
duplicating efforts. My work thus far has been mostly a Proof of
Concept, so I haven't
Please move this discussion to the user list.
Thanks,
Dave
--- giglian [EMAIL PROTECTED] wrote:
I tried using the example application
(struts2-blank-2.0.11.war) and it
is working fine using package_es.properties and
package.properties, that is, I
am getting the messages in the right language.
--- Martin Gilday [EMAIL PROTECTED] wrote:
I think having erb (is that right?) views
We do; they're called scriptlets. Erb is a step
backwards from anything I want to be involved with.
To answer somebody else's question: the reason to use
a different framework besides JRoR with JRuby is
because
I felt bad about the jsp f-job that your tags went through and have some dim
hope that maybe Howard will use it in T5 since he seems to be leaning more
towards jsf friendly spec -like things. Haven't posted anything about this
anywhere else except in a private email to Drew/Patrick though.