Rick Reumann <[EMAIL PROTECTED]> wrote: > *Without using Javascript to swap out the form Action name, I'm curious > how you guys accomplish using multiple buttons for a form without the > use of a DispatchAction?*
> You could of course submit to one regular Action that will look at the > parameters but then you end up doing what a DispatchAction does. This is the approach I decided on. Downsides are that they're somewhat hardcoded into each action. Upsides include better security and no "base class" multiple inheritance issues. > You could use Javascript to swap out the action name for the form (not a bad > approach really. I was doing this). Requires that your end users have javascript enabled. In my opinion, javascript should enhance an application if available, but not be a necessity. > What I do like about the SimpleDispatchAction is it does make things > 'simple' you have one consistent way to handle all scenarios. > > In reference to the security issues of passing in exposed names of > non-trivial Java methods in URLs, I agree this is a problem. Yeah, and this is the reason why, although I like the simplicity of SimpleDispatchAction, I will probably never use it. Any time you allow an end user an opportunity to specify a parameter for reflection, you're introducing security concerns. However, a "secure" version could be created by only allowing a dispatch to a hardcoded list of methods. > But don't you run into the same problem using regular Actions? Your Action name > itself if going to give a way what you are trying to accomplish (ie > /udpateEmployee.do) Not relevent to my situation. We require a WebObjects-like page state cache to handle backtracking issues. Thus our URLs end up looking like http://xxxx.com:7777/ebpp/duSRSod7x598ZkHOQ16p1spKaMzS3yj1Dj_1.1.psc and contain no user-meaningful information. This allowed me to get rid of two of the three struts security issues I identified when first using the technology: - all pages are "random-access" accessible - page-scope variables are passed back to the client between requests and are subject to alteration Downside is that you have to add your own bookmarking scheme (could be as simple as &bookmark=x appended to the end) if you care about that. Other downside is that you have develop a page state servlet :) but that took less than a week. -Mike --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
