Am 05.10.2015 um 16:43 schrieb Volker Krebs:
> Am 03.10.2015 um 09:35 schrieb Lukasz Lenart:
>> Hi,
>>
>> I have updated docs about the latest SMI addition:
>>
>> https://cwiki.apache.org/confluence/display/WW/Security#Security-StrictMethodInvocation
>> https://cwiki.apache.org/confluence/display/WW/Action+Configuration#ActionConfiguration-DynamicMethodInvocation
>>
>> wdyt?
>
>
> Looks good.
> I was able to run our application. Just had to white list some methods
> with the allowed-methods tag.
>
One thing,
when using extends the allowed-methods won't be merged.
Only the ones from action definition are used.
E.g.:
<package name="my-default" extends="struts-default">
<global-allowed-methods>m1,m2</global-allowed-methods>
</package>
<package name="my-app1" namespace="/app1" extends="my-default">
<action name="a1">
...
<allowed-methods>m3,m4</allowed-methods>
</action>
</package>
/app1/a1!m3.action is working.
/app1/a1!m1.action is *not* working.
I think it is ok, but should be clarified in the docs.
regards
Volker
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
