> From: Greg Huber <[email protected]>
> To: Struts Developers List <[email protected]>,
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> I was testing using:
>
> <s:submit value="%{getText('button.save')}" action="edit!getBean().name" />
>
> and it returned the value in the name field on the bean.
>
I tested with:
<s:hidden name="method:getBean().key" value="login" />
And that was blocked with this exception:
com.opensymphony.xwork2.config.ConfigurationException: This method: getBean().key for action login is not allowed!
    at com.opensymphony.xwork2.DefaultActionProxy.prepare(DefaultActionProxy.java:200) ~[struts2-core-2.5-SNAPSHOT.jar:2.5-SNAPSHOT]
    at org.apache.struts2.factory.StrutsActionProxy.prepare(StrutsActionProxy.java:63) ~[struts2-core-2.5-SNAPSHOT.jar:2.5-SNAPSHOT]
    at org.apache.struts2.factory.StrutsActionProxyFactory.createActionProxy(StrutsActionProxyFactory.java:37) ~[struts2-core-2.5-SNAPSHOT.jar:2.5-SNAPSHOT]
    .....
Regards,
Christoph
> public class EventEdit extends EventBase {
>     ....
>     private EventBean bean = null;
>     ....
>     /**
>      * Gets the bean.
>      *
>      * @return the bean
>      */
>     public EventBean getBean() {
>         return bean;
>     }
>     ....
> }
>
> I thought this was what we were trying to stop?
>
>
> On 17 September 2015 at 08:27, Lukasz Lenart <[email protected]>
> wrote:
>
> > 2015-09-17 9:11 GMT+02:00 Greg Huber <[email protected]>:
> > > For my form bean, getBean().getName();
> > >
> > >
> > > edit!getBean().getName
> > >
> > >
> > > For me it shows an exception with the bean Name field value, would a
> > > combination of all public methods in the package and then on sensitive
> > > actions like login/payments etc use the action to restrict to allowed
> > > methods only?
> > >
> > > [
> > >
> > > edit!getBean().getName() ==
> > >
> > > 1. Encountered " ")" ") "" at line 1, column 21. Was expecting one of:
> > > ":" ... "not" ... "+" ... "-" ... "~" ... "!" ... "(" ... "true" ...
> > > "false" ... "null" ... "#this" ... "#root" ... "#" ... "[" ... "{" ... "@"
> > > ... "new" ... <IDENT> ... <DYNAMIC_SUBSCRIPT> ... "\'" ... "`" ... "\"" ...
> > > <INT_LITERAL> ... <FLT_LITERAL> ...
> > > 2. Malformed OGNL expression: getBean().getName()()
> > >
> > > edit!getBean().name ==
> > >
> > > *java.lang.NoSuchMethodException*
> > >
> > > Block set..() and get..()?
> > >
> > > ]
> >
> > Not sure what you mean by that, but DMI works only with top-level
> > functions that return a String, i.e. edit!toString
> > It won't work with beans.
> >
> >
> > Regards
> > --
> > Łukasz
> > + 48 606 323 122 http://www.lenart.org.pl/
> >