On Mon, 2006-07-24 at 21:27 -0400, Ted Husted wrote:
> On 7/24/06, David Evans <[EMAIL PROTECTED]> wrote:
> > I understand the security concerns, but the flexibility is far more
> > important to me. If a user wants to protect themselves, they can make
> > methods they don't want run by xwork private. Or maybe have an explicit
> > list of <param name="excludeMethods">this,that,theOther</param>.
>
> The framework is as flexible as ever. Action aliases are still
> supported. The only difference is that you can only declare the alias
> in an action mapping, or use wildcards.

I think the action:name!method idiom is perfectly flexible. I was referring specifically to Bob's comments about securing the method names available for calling, by using struts tags which will assign a digest key to a map of method names. Bob said "I was hoping we'd store which methods are OK to invoke in the session or sign them or something". The question is, once the wildcard is set up in the struts.xml file, to allow the above idiom, how do you prevent the calling of a method on your action? Because anyone can then type:

http://www.domain.com/someaction?action:someaction!somemethod

to try to run random methods. I am hoping that if any steps are taken to prevent that security hole, it will still allow the flexible wildcard usage.

> Instead of
>
> MyDispatchAction!delete
>
> We define an action mapping
>
> <action name="delete" class="example.CrudAction" method="delete">
>
> and call the delete action directly, or simulate the same with wildcards.
>
> The URL aliases weren't more "flexible". Just lazy and unsecure.
>
> For the configuration-free crowd, I expect alias annotations are (or
> will be) supported too.

What would that look like? I don't know what is meant by alias annotations.

dave

> -Ted.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
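The concern raised above is that a wildcard mapping lets a URL-supplied "name!method" token pick any method on the action. One defensive shape this thread hints at is an explicit per-action allowlist checked before reflective dispatch. The following is an added example written for this page, not Struts or XWork code; the class names `MethodAllowlistDispatcher` and `CrudAction`, the `ALLOWED` set and the method names are all hypothetical and constructed here.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical dispatcher (not XWork's): resolves a "name!method" token from a
// request against an explicit allowlist and only then invokes it reflectively.
public final class MethodAllowlistDispatcher {

    // Constructed sample action standing in for something like example.CrudAction.
    public static final class CrudAction {
        public String delete()   { return "deleted"; }
        public String list()     { return "listed"; }
        public String purgeAll() { return "purged"; }   // public, but never meant to be URL-reachable
        private String internal() { return "private"; } // private methods are not reachable either way
    }

    // Explicit allowlist, the analogue of the <param name="..."> idea in the thread
    // (an allowlist is safer than excludeMethods because new methods default to closed).
    private static final Set<String> ALLOWED = Set.of("delete", "list");

    // Only plain identifiers are accepted as method names from the request.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z][A-Za-z0-9_]*");

    /** Split "name!method" into its method part; a bare "name" dispatches to "execute". */
    public static String methodFromToken(String token) {
        int bang = token.indexOf('!');
        String method = bang < 0 ? "execute" : token.substring(bang + 1);
        if (!IDENT.matcher(method).matches()) {
            throw new SecurityException("malformed method name in token: " + token);
        }
        return method;
    }

    /** Invoke only if the name is allowlisted, public, no-arg, String-returning and declared on the action. */
    public static String dispatch(Object action, String token) {
        String methodName = methodFromToken(token);
        if (!ALLOWED.contains(methodName)) {
            // Rejected before any reflection happens, so unlisted public methods are unreachable.
            throw new SecurityException("method not allowed for " + action.getClass().getSimpleName()
                    + ": " + methodName);
        }
        Method m;
        try {
            // getDeclaredMethod ignores inherited methods such as getClass() or wait().
            m = action.getClass().getDeclaredMethod(methodName);
        } catch (NoSuchMethodException e) {
            throw new SecurityException("no such action method: " + methodName);
        }
        if (!Modifier.isPublic(m.getModifiers()) || m.getReturnType() != String.class) {
            throw new SecurityException("not an invocable action method: " + methodName);
        }
        try {
            return (String) m.invoke(action);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("invocation failed: " + methodName, e);
        }
    }

    public static void main(String[] args) {
        CrudAction action = new CrudAction();
        System.out.println(dispatch(action, "someaction!delete"));
        System.out.println(dispatch(action, "someaction!list"));
        // Constructed request tokens that must all be refused.
        for (String token : new String[] {"someaction!purgeAll", "someaction!internal",
                                          "someaction!getClass", "someaction!delete()"}) {
            try {
                dispatch(action, token);
                System.out.println("UNEXPECTED: " + token + " was dispatched");
            } catch (SecurityException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```

The allowlist check runs before any reflection, so a public method that was added later and never listed stays unreachable by default; the `getDeclaredMethod` and modifier checks are a second layer that also excludes inherited `Object` methods and anything non-public. In a real deployment the allowlist would be read from per-action configuration rather than a hard-coded set.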