Github user yasserzamani commented on the issue:
https://github.com/apache/struts/pull/118
@aleksandr-m , as an example, consider when an action is proxified with another
technology like Spring and the user assumes that Struts2 only operates within its
borders, but currently Struts2 does not know its borders around the action
object, e.g. it copies proxy information like advices when it chains actions, it
generates JSON data from them in JSONResult, and it copies ActionSupport's data
when it chains, which forced us to declare includes/excludes. From a security
point of view, someone may successfully change proxy information of the action
by an HTTP request with named parameters!
All of these can be avoided if Struts2 knows the *user-desired config-time class
of the action*. Struts2 knows this except when the user gives actions up to any
object factory like Spring or any other custom object factory. In such a
situation, Struts2 loses information about the config-time class name of the
action. Yes, Struts2 has the object, but there is no clean way to check if
it's a proxy and unwrap it to the target class!
So, by the attribute `bean`, the user specifies the object, and by the attribute
`class`, specifies Struts2's borders, i.e. Struts2 will exclude all subclasses
above `class` and all superclasses under and including ActionSupport. I defined
these as an improvement at
[WW-4751](https://issues.apache.org/jira/browse/WW-4751).
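The boundary idea described in the comment above, as an added illustration that is not Struts or Spring code: `BaseSupport`, `OrderAction` and `OrderActionProxy` are constructed stand-ins for ActionSupport, the configured `class`, and a runtime-generated proxy subclass, and `settersWithinBounds` is a hypothetical helper that only collects setters declared between the configured class and the base class, so the proxy's own setters never become reachable property names.

```java
import java.lang.reflect.Method;
import java.util.Set;
import java.util.TreeSet;

// Stand-in for ActionSupport (constructed for this example).
class BaseSupport {
    private String actionErrors;
    public void setActionErrors(String s) { actionErrors = s; }
}

// The class the user declared in configuration (the proposed `class` attribute).
class OrderAction extends BaseSupport {
    private String orderId;
    public void setOrderId(String id) { orderId = id; }
}

// Stand-in for a subclass generated by a proxying framework at runtime; its
// setter belongs to the proxy machinery, not to the user's action.
class OrderActionProxy extends OrderAction {
    private Object advisor;
    public void setAdvisor(Object a) { advisor = a; }
}

public class BoundedSetters {
    // Collects single-argument setter names declared on `declared` and its
    // superclasses, stopping before `stop` (exclusive). Hypothetical helper.
    static Set<String> settersWithinBounds(Class<?> declared, Class<?> stop) {
        Set<String> names = new TreeSet<>();
        for (Class<?> c = declared; c != null && c != stop; c = c.getSuperclass()) {
            for (Method m : c.getDeclaredMethods()) {
                if (m.getName().startsWith("set") && m.getParameterCount() == 1) {
                    names.add(m.getName());
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        Object runtimeObject = new OrderActionProxy();
        // Without a boundary, starting from the runtime class exposes the
        // proxy's setter and the base class's setters as bindable names.
        System.out.println("runtime class, no bounds: "
                + settersWithinBounds(runtimeObject.getClass(), Object.class));
        // With the configured class as upper bound and the base class as
        // lower bound, only the user's own setter remains.
        System.out.println("declared class, bounded:  "
                + settersWithinBounds(OrderAction.class, BaseSupport.class));
    }
}
```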