Yasser Zamani created WW-4751:
---------------------------------
Summary: Struts2 should know and consider config time class of user's Actions
Key: WW-4751
URL: https://issues.apache.org/jira/browse/WW-4751
Project: Struts 2
Issue Type: Improvement
Reporter: Yasser Zamani
Priority: Minor
I see some issues like WW-4105, WW-4694 and WW-4498 suffer from the lack of this information, i.e. the config-time class of the user's action.
I also know future issues like the ones below are possible or likely to occur when Struts2 hands Actions over to an object factory and itself no longer knows anything about the Action's real class (i.e. when the user sets className to a bean name inside his object factory):
* JSONResult will fail or will generate ugly JSON when the action is an AOPed proxy, because JSONResult tries to generate JSON from irrelevant information like advices etc.
* From a security point of view, someone may successfully change that action proxy or AOP information simply by calling that action and submitting some named parameters.
I know these are solvable by forcing the user to specify includes/excludes parameters, but a better and more elegant approach is as below:
(proxied action) -> ... -> (some subclass of action) -> ... -> (*user config time specified class*) -> ... -> (some superclass of action) -> ... -> Struts2's ActionSupport -> ...
If we suppose the above is the type hierarchy of the action, then knowing the *user config time specified class*, Struts2 can exclude all subclasses above this class and all superclasses under and including ActionSupport in all sensitive places, to avoid potential future issues.
What do you think? :)
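An added illustration of the rule proposed above (example code, not from the Struts2 project or the reporter): given the action's runtime class, the config-time class named in the configuration, and the framework base, keep only the slice of the hierarchy between them, and treat setters declared outside that slice as not settable from request parameters. The class names and the `ActionSupport` stand-in are constructed assumptions, not the real Struts2 types.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

// Constructed stand-in for the framework base class (not the real com.opensymphony.xwork2.ActionSupport).
class ActionSupport {
    private String locale;                       // framework state: must not be settable from a request
    public void setLocale(String l) { locale = l; }
}

class BaseAction extends ActionSupport {         // user's own superclass (below the config-time class)
    private String tenant;
    public void setTenant(String t) { tenant = t; }
}

class UserAction extends BaseAction {            // the class the user named in the configuration
    private String name;
    public void setName(String n) { name = n; }
}

class UserActionAopProxy extends UserAction {    // constructed stand-in for an AOP-generated subclass
    private Object[] advices;                    // proxy internals: must not be settable from a request
    public void setAdvices(Object[] a) { advices = a; }
}

public final class ConfigTimeClassSlice {
    /** Classes from configClass (inclusive) up to, but excluding, the framework base. */
    static List<Class<?>> trustedClasses(Class<?> runtimeClass, Class<?> configClass, Class<?> frameworkBase) {
        if (!configClass.isAssignableFrom(runtimeClass)) {
            throw new IllegalArgumentException(runtimeClass + " is not a subtype of " + configClass);
        }
        List<Class<?>> slice = new ArrayList<>();
        // Start at the config-time class: proxy subclasses below it are never visited at all.
        for (Class<?> c = configClass; c != null && c != frameworkBase && c != Object.class; c = c.getSuperclass()) {
            slice.add(c);
        }
        return slice;
    }

    /** A setter may be populated from named request parameters only if it is declared inside the slice. */
    static boolean isParameterSettable(Method m, List<Class<?>> slice) {
        return m.getName().startsWith("set") && slice.contains(m.getDeclaringClass());
    }

    public static void main(String[] args) {
        Object action = new UserActionAopProxy();   // what the object factory actually returns
        List<Class<?>> slice = trustedClasses(action.getClass(), UserAction.class, ActionSupport.class);
        for (Method m : action.getClass().getMethods()) {
            if (m.getName().startsWith("set")) {
                System.out.println(m.getName() + " settable from parameters: " + isParameterSettable(m, slice));
            }
        }
    }
}
```

With this slice, setName and setTenant are accepted while setAdvices (proxy) and setLocale (framework base) are rejected, without the user having to maintain includes/excludes lists.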