> From: Lukasz Lenart <lukaszlen...@apache.org>
> To: Struts Developers List <dev@struts.apache.org>, 
> Date: 17.09.2015 08:25
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> 
> Great, thanks for testing it!
> 
> 2015-09-16 16:26 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>:
> > Finally I had some time to play with strict DMI again. Here are some findings
> > and thoughts:
> >
> >
> > - I realized that in the current master branch strict DMI has no effect when
> > actions are not configured in XML. I thought that would lead to no methods
> > being allowed.
> >
> > - In the strict-DMI branch it is the same behavior. So I could not get the new
> > annotation @AllowedMethods to have an effect.
> >
> > - When an action is configured in XML without <allowed-methods> and annotated
> > with @AllowedMethods, there is just execute() available.
> >
> > - I could not find docs in the wiki about the mechanism to invoke a method
> > with a parameter name like "method:<method-name>". But the feature got
> > disabled along with DMI. So I think there should be info added to this
> > page: http://struts.apache.org/docs/action-configuration.html
> >
> >
> >
> > Sample for the first point (strict DMI has no effect with the convention
> > plugin)
> >
> >
> > struts.xml:
> >
> > <package name="hello-pkg" namespace="/" extends="default"
> > strict-method-invocation="true">
> >
> >         <!-- no action -->
> >
> > </package>
> > <constant name="struts.convention.default.parent.package" value="hello-pkg" />
> >
> >
> >
> > Action:
> >
> > @Action("hello")
> > public class HelloAction extends ActionSupport {
> >
> > // all methods can be invoked -> strict DMI has no effect
> > // I would rather expect that just execute() is allowed in this case
> > // and that more methods can be allowed with @AllowedMethods
> >
> > }
> 
> It is only useful when DMI is enabled - some of the users are still using
> it. Also, did you switch the DTD definition to 2.5?
> 
> <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
> 
> then you can call url like this one: index.action!secure
> 
> I have prepared a small demo app
> https://github.com/lukaszlenart/struts2-convention
> 
> 


OK, got it working. The issue was that I had a different version of the s2 jars 
at runtime. I should learn to use my tools properly ;)


@AllowedMethods does what I want it to do, thanks Łukasz!


There is just one issue left: setting strict-method-invocation="false"
affects only actions configured in XML. When PackageConfig is created by 
XmlConfigurationProvider that field is set, but 
PackageBasedActionConfigBuilder from the convention plugin does not set it.

There could be two ways to solve this:
- provide another package-level annotation, @StrictMethodInvocation.
- PackageBasedActionConfigBuilder could read the existing PackageConfig to 
figure out if it was set in XML.


I know I said just a few weeks ago that I would provide that flag. But 
seeing the current situation I would be OK with dropping it. That would force 
users to be more secure :)
But as there is global-allowed-methods, people can be lazy.



Regards,
Christoph





> Regards
> -- 
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 

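The following is an added example, not code from the thread or from the Struts project, showing the two ways of whitelisting action methods that the discussion above is about: <allowed-methods> for an action declared in struts.xml, and @AllowedMethods for an action the convention plugin discovers. The package name, action names, result location and the Java package "example" are assumptions; the element and annotation names are those of Struts 2.5 strict method invocation and should be checked against the docs for the exact version in use. With strict-method-invocation="true", a method that is not listed (here delete()) is not invocable through hello!delete.action or a "method:delete" parameter; only the listed ones are.

```java
// Added example (not from the mailing-list thread). Assumed struts.xml:
//
//   <package name="hello-pkg" namespace="/" extends="struts-default"
//            strict-method-invocation="true">
//
//       <!-- XML-configured action: whitelist via <allowed-methods> -->
//       <action name="legacy" class="example.LegacyAction">
//           <allowed-methods>execute,view</allowed-methods>
//           <result>/WEB-INF/legacy.jsp</result>
//       </action>
//
//       <!-- No entry for "hello": the convention plugin builds it from the
//            annotations below and attaches it to this parent package. -->
//   </package>
//
//   <constant name="struts.convention.default.parent.package" value="hello-pkg"/>
//   <!-- DMI must be on for the "hello!secure.action" form to be routed at all -->
//   <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
package example;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.convention.annotation.Action;
import org.apache.struts2.convention.annotation.AllowedMethods;
import org.apache.struts2.convention.annotation.ParentPackage;
import org.apache.struts2.convention.annotation.Result;

// Convention-plugin action restricted with @AllowedMethods.
// The parent package carries strict-method-invocation="true", so this list is
// the complete set of methods a client may select for this action.
@ParentPackage("hello-pkg")
@Action(value = "hello",
        results = { @Result(name = ActionSupport.SUCCESS, location = "/WEB-INF/hello.jsp") })
@AllowedMethods({ "execute", "secure" })
public class HelloAction extends ActionSupport {

    // Default method: hello.action
    @Override
    public String execute() {
        return SUCCESS;
    }

    // Listed above, so reachable as hello!secure.action (or method:secure)
    public String secure() {
        return SUCCESS;
    }

    // Public but deliberately NOT listed in @AllowedMethods: under strict DMI
    // hello!delete.action is rejected instead of being dispatched here.
    // Without the whitelist, any public String method would be callable.
    public String delete() {
        return SUCCESS;
    }
}
```

If an action annotated with @AllowedMethods also appears in struts.xml without an <allowed-methods> element, the XML definition wins and only execute() stays callable, which matches the third observation in the quoted message; keep the whitelist in one place per action to avoid that surprise.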