Finally I had some time to play with strict DMI again. Here are some findings 
and thoughts:


- I realized that in the current master branch strict DMI has no effect when 
actions are not configured in xml. I thought that would lead to no methods 
being allowed.

- In the strict-DMI branch it is the same behavior. So I could not get the new 
annotation @AllowedMethods to have an effect.

- When an action is configured in xml without <allowed-methods> and annotated 
with @AllowedMethods there is just execute() available.

- I could not find docs in the wiki about the mechanism to invoke a method 
with a parameter name like "method:<method-name>". But the feature got 
disabled along with DMI. So I think there should be info added to this 
page: http://struts.apache.org/docs/action-configuration.html



Sample for first point (strict DMI has no effect with convention plugin)


struts.xml:

<package name="hello-pkg" namespace="/" extends="default" strict-method-invocation="true">

        <!-- no action -->

</package>
<constant name="struts.convention.default.parent.package" value="hello-pkg" />



Action:

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.convention.annotation.Action;

@Action("hello")
public class HelloAction extends ActionSupport {

    // all methods can be invoked -> strict DMI has no effect
    // I would rather expect that just execute() is allowed in this case
    // and that more methods can be allowed with @AllowedMethods

}




Regards,
Christoph





> From: Lukasz Lenart <lukaszlen...@apache.org>
> To: Struts Developers List <dev@struts.apache.org>, 
> Date: 04.09.2015 12:18
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> Added `strict-method-invocation` attribute back to allow disabling the
> Strict DMI mode. Also improved a bit how Strict DMI logic works, right
> now it's as follows:
> - <allowed-methods> / @AllowedMethods defined per action - Strict DMI
> works without switching it on but just for those actions (plus adding
> <global-allowed-methods/>)
> - Strict DMI enabled but no <allowed-methods> / @AllowedMethods are
> defined - Strict DMI works but only with <global-allowed-methods/>
> - Strict DMI disabled - call to any action method is allowed (Regex: .*)
> 
> Besides the above, each method defined in <action/>'s "method"
> attribute is automatically allowed, the same for method marked with
> @Action annotation.
> 
> Also added support to allow defining allowed methods with regex, just
> use "regex:" prefix, i.e.
> <global-allowed-methods>execute,input,cancel,regex:user([A-Z]*)</global-allowed-methods>
> 
> 
> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> PS. docs will be updated as soon as we get consensus on this PR
> 

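
The three Strict DMI cases and the "regex:" prefix described in the quoted message, written out as a small stand-alone model; this is an added example, not code from either e-mail or from Struts. The class and method names (StrictDmiModel, isAllowed, matches) are hypothetical, and it assumes a "regex:" pattern has to match the whole method name.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration of the rules in the quoted message; not Struts source code.
public class StrictDmiModel {

    // An entry is a literal method name, or a pattern when prefixed with "regex:".
    // Assumption: a pattern has to match the whole method name.
    static boolean matches(String entry, String method) {
        return entry.startsWith("regex:")
                ? Pattern.matches(entry.substring("regex:".length()), method)
                : entry.equals(method);
    }

    // strict:        strict-method-invocation of the package
    // actionAllowed: <allowed-methods> / @AllowedMethods of the action, empty if none
    // globalAllowed: <global-allowed-methods> of the package
    // mappedMethod:  "method" attribute of <action/> or the @Action method, may be null
    static boolean isAllowed(boolean strict, List<String> actionAllowed,
            List<String> globalAllowed, String mappedMethod, String requested) {
        if (requested.equals(mappedMethod)) {
            return true; // the mapped method is allowed automatically
        }
        if (!strict && actionAllowed.isEmpty()) {
            return true; // Strict DMI disabled and nothing declared: any method
        }
        // Declared per action, or strict mode on: action list plus global list.
        List<String> effective = new ArrayList<>(globalAllowed);
        effective.addAll(actionAllowed);
        return effective.stream().anyMatch(e -> matches(e, requested));
    }

    public static void main(String[] args) {
        List<String> global = Arrays.asList("execute", "input", "cancel", "regex:user([A-Z]*)");
        List<String> none = Collections.emptyList();
        List<String> save = Arrays.asList("save");
        // Constructed requests: {strict, per-action list, requested method}
        Object[][] cases = { {false, save, "save"}, {false, save, "delete"},
                {true, none, "userABC"}, {true, none, "delete"}, {false, none, "delete"} };
        for (Object[] c : cases) {
            @SuppressWarnings("unchecked")
            List<String> perAction = (List<String>) c[1];
            boolean ok = isAllowed((Boolean) c[0], perAction, global, "execute", (String) c[2]);
            System.out.println("strict=" + c[0] + " action=" + perAction + " " + c[2] + " -> " + ok);
        }
    }
}
```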