Don, that sounds like a good idea. Using DispatchChainActions without a white-list of commands could throw the app into disarray easily by an astute hacker. At runtime, if the parameter is not found in the catalog, the class could throw the chains UnauthorizedActionException class.
Paul -----Original Message----- From: Don Brown [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 21, 2004 2:04 PM To: Benedict, Paul C Cc: [email protected] Subject: Re: DispatchChainAction (Struts 1.3) You raise a good point. Unfortunately, only one parameter can be passed through ActionMapping. DispatchChainAction really needs an "allowedCommands" parameter to specify what commands would be allowed. Perhaps we could use the new set/getProperty methods available in ActionConfig where allowedCommands could be specified. Don Benedict, Paul C wrote: > I noticed in Struts 1.3 there is a DispatchChainAction, and the parameter > attribute specifies the name of the chain to execute. Would somebody > consider that a security hole? It seems like anyone could arbitrarily > execute any chain command in the entire Struts app if they knew it -- unlike > a normal DispatchAction whose parameter is only relevant for that Action > class. > > Also, I hope there will be a MappingDispatchChainAction too. The > MappingDispatchAction is, in my opinion, the absolute best feature of Struts > 1.2 and secures the internals of the app better (i.e., not exposing method > names to the world). However, it seems that it would be impossible to > implement (currently) since the parameter attribute is already in use for > the chain command. > > Thanks, > Paul > > > ---------------------------------------------------------------------------- -- > Notice: This e-mail message, together with any attachments, contains information of Merck & Co., Inc. (One Merck Drive, Whitehouse Station, New Jersey, USA 08889), and/or its affiliates (which may be known outside the United States as Merck Frosst, Merck Sharp & Dohme or MSD and in Japan, as Banyu) that may be confidential, proprietary copyrighted and/or legally privileged. It is intended solely for the use of the individual or entity named on this message. If you are not the intended recipient, and have received this message in error, please notify us immediately by reply e-mail and then delete it from your system. > ---------------------------------------------------------------------------- -- ------------------------------------------------------------------------------ Notice: This e-mail message, together with any attachments, contains information of Merck & Co., Inc. (One Merck Drive, Whitehouse Station, New Jersey, USA 08889), and/or its affiliates (which may be known outside the United States as Merck Frosst, Merck Sharp & Dohme or MSD and in Japan, as Banyu) that may be confidential, proprietary copyrighted and/or legally privileged. It is intended solely for the use of the individual or entity named on this message. If you are not the intended recipient, and have received this message in error, please notify us immediately by reply e-mail and then delete it from your system. ------------------------------------------------------------------------------ --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
