2015-09-02 9:55 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> Probably a good idea to be strict, but I have lots of methods, only use
> DMI, so it may get to be a very long element.
>
> Maybe I could prefix all my required methods with something, i.e. with
> allowedPublish(), allowedPublishNow() etc.
>
> and use :
>
> <allowed-methods>regex:allowed(([A-Z]?)([a-z]+)?)</allowed-methods>
>
>
> I previously added a salt interceptor and went through changing all
> sensitive post methods to be one of the below,
>
> <interceptor-ref name="ActionSaltInterceptor">
>   <param name="excludeMethods">*</param>
>   <param name="includeMethods">save,delete,publish*,expire</param>
> </interceptor-ref>
>
> but on general methods there are many, and it could be a lot of work going
> through and updating all the screens etc. (no chaining actions)
>
> public void refresh() {..}
> public String query() {..}
> public String cancel() {..}
> public String cancelClosed() {..}
> public String cancelCurrent() {..}
> public String cancelOpen() {..}
> public String cancelOpenAuction() {..}

I have added <global-allowed-methods/> which can be defined per
<package/> and with regex support it shouldn't be so hard IMO. Also
with regex support you can define very wide regex to match most of the
methods.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
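
Added example, not part of the original messages and not Struts code: a small audit harness that shows which method names a candidate `<allowed-methods>` entry would admit, so a wide regex can be checked before it is deployed. It assumes a `regex:` entry must match the whole method name (`Matcher.matches()`); the class name, the helper `allowed()` and the second and third patterns are hypothetical, and the method list is a constructed sample built from names in the thread.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class AllowedMethodsAudit {

    // Assumption: a "regex:" entry is compiled as a java.util.regex pattern
    // and must match the entire method name, not just a prefix of it.
    static boolean allowed(String entry, String method) {
        final String prefix = "regex:";
        if (entry.startsWith(prefix)) {
            return Pattern.compile(entry.substring(prefix.length()))
                          .matcher(method).matches();
        }
        // Assumption: otherwise the entry is a comma-separated list of literal names.
        for (String name : entry.split(",")) {
            if (name.trim().equals(method)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: general methods named in the thread, plus the
        // sensitive save/delete/publish methods guarded by the salt interceptor.
        List<String> methods = Arrays.asList(
            "allowedPublish", "allowedPublishNow", "refresh", "query",
            "cancel", "cancelOpenAuction", "save", "delete", "publish");

        List<String> entries = Arrays.asList(
            "regex:allowed(([A-Z]?)([a-z]+)?)", // pattern as quoted in the thread
            "regex:allowed([A-Z][a-z]*)+",      // hypothetical: one or more capitalised words
            "regex:cancel([A-Z][a-z]*)*",       // hypothetical: the cancel* family only
            "regex:.*");                        // a "very wide" pattern

        for (String entry : entries) {
            System.out.println(entry);
            for (String m : methods) {
                System.out.printf("  %-20s %s%n", m,
                                  allowed(entry, m) ? "ALLOWED" : "denied");
            }
        }
    }
}
```

Under the whole-name assumption the quoted pattern admits `allowedPublish` but denies `allowedPublishNow`, because it permits only one capitalised word after the prefix, while `regex:.*` also admits `save`, `delete` and `publish`.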
