2015-09-17 9:37 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> I was testing using:
>
> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
>
> and it returned the value in the name field on the bean.
>
> public class EventEdit extends EventBase {
> ....
> private EventBean bean = null;
> ....
> /**
> * Gets the bean.
> *
> * @return the bean
> */
> public EventBean getBean() {
> return bean;
> }
> ....
> }
>
> I though this was what we were trying to stop?
but this is something different, it happens on server side in tags,
it's your choice as a dev. Without Strict DMI, when DMI is enabled it
is possible to call any public method via bang operator "!" via url
like this:
http://localhost:8080/index!getPassword
and as a lot of people is still using this mechanism we want help them
be more secure :)
Regards
--
Ćukasz
+ 48 606 323 122 http://www.lenart.org.pl/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
