> > In my apps I would not need to use any patterns. Just a list of methods,
> > different for each action, would be enough for me.
>
> <global-allowed-methods/> per <package/> or <allowed-methods/> per <action/>
>
That is great! Still looking forward to annotations, at least for actions :)

> > What do you think about a config switch to enable/disable patterns for
> > strict-dmi-method-names?
>
> Originally there was such a switch, disabled by default. I can restore
> it and set it to true by default.
>

IMHO that makes sense, as this whole thing is about security. And an explicit whitelist of what is allowed gives the highest level of security. Apps that need patterns can still opt in to use them.

Regards,
Christoph