Github user yasserzamani commented on the issue:

    https://github.com/apache/struts/pull/133
  
    > Remember that issue that you've submitted to security list? All actions are affected. With this proposal bean attribute must be added to every action configuration in the application.
    
    If this proposal forced users to use the `bean` attribute for every action, I myself would be the first person to reject it. If you think so, then you are right to be worried.
    
    Yes, I remember the issue which I submitted to the security list. Maybe I misunderstood something, but let's count it:
    
    1. When the action is not a bean and is not proxied, e.g. `<action class="me.yz.Action1"`: then `objectfactory.getInstanceClass(actionConfig.getClassName())` returns `me.yz.Action1` and my proposal behaves as current S2.
    2. When the action is not a bean but is proxied, e.g. `<action class="me.yz.Action1"` and `<aop:pointcut id="actionExecute" expression="execution(String me.yz.Action1.execute())"`: same as (1), `objectfactory.getInstanceClass(actionConfig.getClassName())` returns `me.yz.Action1` and my proposal behaves as current S2.
    3. When the action is a bean but is not proxied, e.g. `<action class="myAction1"` and `<bean name="myAction1" class="me.yz.Action1"`: same as (1), `objectfactory.getInstanceClass(actionConfig.getClassName())` returns `me.yz.Action1` and my proposal behaves as current S2.
    4. And when the action is a bean and is proxied, e.g. `<action class="myAction1"` and `<bean name="myAction1" class="me.yz.Action1"` and `<aop:pointcut id="actionExecute" expression="execution(String me.yz.Action1.execute())"`: here `objectfactory.getInstanceClass(actionConfig.getClassName())` returns something different than `me.yz.Action1`, and my proposal warns the user that the runtime and config-time classes of the action are not the same and recommends the use of the `bean` attribute, i.e. rewriting the config to `<action class="me.yz.Action1" bean="myAction1"`.
    
    So only number 4 needs protection, and it does not fail when `bean` is not used; it just logs a warning. Did I miss something?
    
    Thanks for your time!

