2015-09-17 9:37 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> I was testing using:
>
> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
>
> and it returned the value in the name field on the bean.
>
> public class EventEdit extends EventBase {
> ....
> private EventBean bean = null;
> ....
> /**
>      * Gets the bean.
>      *
>      * @return the bean
>      */
>     public EventBean getBean() {
>         return bean;
>     }
> ....
> }
>
> I though this was what we were trying to stop?

but this is something different, it happens on server side in tags,
it's your choice as a dev. Without Strict DMI, when DMI is enabled it
is possible to call any public method via bang operator "!" via url
like this:

http://localhost:8080/index!getPassword

and as a lot of people is still using this mechanism we want help them
be more secure :)


Regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org

Reply via email to