Finally I had some time to play with strict DMI again. Here are some findings and thoughts:
- I realized that in the current master branch strict DMI has no effect when actions are not configured in xml. I thought that would lead to no methods being allowed.
- In the strict-DMI branch it is the same behavior. So I could not get the new annotation @AllowedMethods to have an effect.
- When an action is configured in xml without <allowed-methods> and annotated with @AllowedMethods there is just execute() available.
- I could not find docs in the wiki about the mechanism to invoke a method with a parameter name like "method:<method-name>". But the feature got disabled along with DMI. So I think there should be info added to this page: http://struts.apache.org/docs/action-configuration.html

Sample for first point (strict DMI has no effect with convention plugin)

struts.xml:

    <package name="hello-pkg" namespace="/" extends="default" strict-method-invocation="true">
        <!-- no action -->
    </package>
    <constant name="struts.convention.default.parent.package" value="hello-pkg" />

Action:

    import com.opensymphony.xwork2.ActionSupport;
    import org.apache.struts2.convention.annotation.Action;

    @Action("hello")
    public class HelloAction extends ActionSupport {
        // all methods can be invoked -> strict DMI has no effect
        // I would rather expect that just execute() is allowed in this case
        // and that more methods can be allowed with @AllowedMethods
    }

Regards,
Christoph

> From: Lukasz Lenart <lukaszlen...@apache.org>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 04.09.2015 12:18
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> Added `strict-method-invocation` attribute back to allow disabling the
> Strict DMI mode. Also improved a bit how Strict DMI logic works, right
> now it's as follows:
> - <allowed-methods> / @AllowedMethods defined per action - Strict DMI
> works without switching it on but just for those actions (plus adding
> <global-allowed-methods/>)
> - Strict DMI enabled but no <allowed-methods> / @AllowedMethods are
> defined - Strict DMI works but only with <global-allowed-methods/>
> - Strict DMI disabled - call to any action method is allowed (Regex: .*)
>
> Besides the above, each method defined in <action/>'s "method"
> attribute is automatically allowed, the same for method marked with
> @Action annotation.
>
> Also added support to allow defining allowed methods with regex, just
> use "regex:" prefix, ie.
> <global-allowed-methods>execute,input,cancel,regex:user([A-Z]*)</global-allowed-methods>
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> PS. docs will be updated as soon as we get consensus on this PR
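
The allow-list rules described in the quoted message, modeled as an added example (not Struts source and not code from either author). The class StrictDmiModel and its methods are hypothetical, the package flag is simplified to a plain boolean, and whole-name matching for "regex:" entries is an assumption.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Simplified model of the rules in the quoted message; not Struts source code.
public class StrictDmiModel {
    private static final String REGEX_PREFIX = "regex:";

    // Parses a comma-separated list such as the body of <global-allowed-methods>.
    static Set<String> parse(String csv) {
        Set<String> entries = new LinkedHashSet<>();
        for (String raw : csv.split(",")) {
            if (!raw.trim().isEmpty()) {
                entries.add(raw.trim());
            }
        }
        return entries;
    }

    // strictDmi: package flag; actionAllowed: <allowed-methods> / @AllowedMethods;
    // mappedMethod: the action's "method" attribute (null if absent).
    static boolean isAllowed(boolean strictDmi, Set<String> actionAllowed,
                             Set<String> globalAllowed, String mappedMethod,
                             String requested) {
        // Disabled mode behaves like regex .*; the mapped method is always allowed.
        if (!strictDmi || requested.equals(mappedMethod)) {
            return true;
        }
        Set<String> all = new LinkedHashSet<>(actionAllowed);
        all.addAll(globalAllowed);
        for (String entry : all) {
            // Assumption: a regex entry must match the whole method name.
            boolean hit = entry.startsWith(REGEX_PREFIX)
                    ? Pattern.matches(entry.substring(REGEX_PREFIX.length()), requested)
                    : entry.equals(requested);
            if (hit) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed input: the <global-allowed-methods> value from the message.
        Set<String> global = parse("execute,input,cancel,regex:user([A-Z]*)");
        for (String m : List.of("execute", "userADD", "userAdd", "delete")) {
            System.out.println(m + ": strict=" + isAllowed(true, Set.of(), global, null, m) + ", disabled=" + isAllowed(false, Set.of(), global, null, m));
        }
    }
}
```

Under whole-name matching, user([A-Z]*) admits userADD but not userAdd, because [A-Z]* covers uppercase letters only; a pattern meant to cover camel-case method names has to be written more broadly, and every broadening widens what a request can invoke.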