On 8/25/06, Ian Roughley <[EMAIL PROTECTED]> wrote:
I have to say that I still don't really understand why this is a security flaw. I can understand that calling any public method on a class may not be a good thing, but let's face it, actions are *meant* to be called via a URL. If there is a security issue - then it is an application security issue - because the method is NOT doing the required checks to ensure this is a valid request.
Good point. Why require an annotation when you can just not make your method public? If we're afraid users won't know about this feature and will accidentally leave methods public, more prominently document the feature.

Bob