Probably a good idea to be strict, but I have lots of methods and only use
DMI, so it may get to be a very long element.

Maybe I could prefix all my required methods with something, i.e. with
allowedPublish(), allowedPublishNow(), etc.

and use :

<allowed-methods>regex:allowed(([A-Z]?)([a-z]+)?)</allowed-methods>


I previously added a salt interceptor and went through changing all
sensitive post methods to be one of the below,

<interceptor-ref name="ActionSaltInterceptor">
  <param name="excludeMethods">*</param>
  <param name="includeMethods">save,delete,publish*,expire</param>
</interceptor-ref>

but on general methods there are many, and it could be a lot of work going
through and updating all the screens, etc. (no chaining actions)

public void refresh() {..}
public String query() {..}
public String cancel() {..}
public String cancelClosed() {..}
public String cancelCurrent() {..}
public String cancelOpen() {..}
public String cancelOpenAuction() {..}


On 2 September 2015 at 08:09, Lukasz Lenart <lukaszlen...@apache.org> wrote:

> 2015-09-01 12:41 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> > The same way interceptors are configured, something like:
> >
> > <param name="includeMethods">publish*</param>
> >
> > public String publish() {..}
> > public String publishNow() {..}
>
> but maybe instead of such a simple definition it'd be better to allow
> specifying a very strict regex, i.e.:
>
> <allowed-methods>regex:publish(([A-Z]?)([a-z]+)?)</allowed-methods>
>
> wdyt?
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
>

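To see concretely which method names each of the patterns discussed in this thread would accept, here is an added example. It is not Struts' own code and not part of the original mail; it assumes, as a hypothetical simplification, that a "regex:" entry is matched against the whole method name (anchored at both ends) and that a trailing "*" is a plain prefix wildcard. The class name AllowedMethodsDemo and the method isAllowed are invented for the example, and the third pattern, allowed([A-Z][a-z]*)*, is a looser variant added for comparison.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hypothetical allowed-method check, not Struts' own implementation. An entry is a
 * literal method name, a "prefix*" wildcard, or a "regex:" pattern that must match
 * the whole method name.
 */
public final class AllowedMethodsDemo {

    public static boolean isAllowed(List<String> allowed, String methodName) {
        for (String entry : allowed) {
            if (entry.startsWith("regex:")) {
                Pattern p = Pattern.compile(entry.substring("regex:".length()));
                // matches() anchors at both ends; find() would accept any name that merely
                // contains a match, which is the wrong direction for an allow-list.
                if (p.matcher(methodName).matches()) {
                    return true;
                }
            } else if (entry.endsWith("*")) {
                // "publish*" is a plain prefix test here, so it also admits e.g. publishAndDelete.
                if (methodName.startsWith(entry.substring(0, entry.length() - 1))) {
                    return true;
                }
            } else if (entry.equals(methodName)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // The two configurations from the thread.
        List<String> strictRegex = Arrays.asList("regex:allowed(([A-Z]?)([a-z]+)?)");
        List<String> interceptorInclude = Arrays.asList("save", "delete", "publish*", "expire");
        // A looser, invented regex that admits any camelCase suffix after the prefix.
        List<String> camelCase = Arrays.asList("regex:allowed([A-Z][a-z]*)*");

        // Constructed sample of method names, including ones from the thread.
        String[] names = {
            "allowed", "allowedPublish", "allowedPublishNow",
            "publish", "publishNow", "publishAndDelete", "cancelOpenAuction"
        };
        System.out.printf("%-20s %-8s %-10s %s%n", "method", "strict", "camelCase", "include");
        for (String name : names) {
            System.out.printf("%-20s %-8b %-10b %b%n", name,
                isAllowed(strictRegex, name), isAllowed(camelCase, name),
                isAllowed(interceptorInclude, name));
        }
    }
}
```

With the sample names, the strict regex allowed(([A-Z]?)([a-z]+)?) accepts allowed and allowedPublish but rejects allowedPublishNow, because the pattern permits at most one capitalised word after the prefix. The looser allowed([A-Z][a-z]*)* accepts all three allowed* names (and would equally accept allowedAnythingAtAll, so the prefix itself has to be reserved for safe methods). The include list save,delete,publish*,expire accepts publish, publishNow and publishAndDelete and nothing else, which is why a prefix wildcard is only as safe as the naming discipline behind it. Whether Struts itself anchors a regex: entry or supports this exact syntax is an assumption of the example, not something this thread establishes.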