Jason Carreira wrote:
I agree. There are a couple of things one can do here. First of all, read-only actions should (IMHO) be invoked from WITHIN a page either using an <action> tag (in JSP) or by using an include. That way the URL doesn't reveal that WebWork is being used. The ServletDispatcher could then be changed so that it only allows invocation through includes. This alone would make a lot of security issues go away.Along this line, I've mentioned before that one of the top requirements I've got for a framework, and we're hopefully going to be switching to a new (better) framework in the next few months, is the ability to use J2EE declarative security to secure paths. This means that the way actions are invoked needs to be rethought. Currently, there's no way to keep people from executing your actions without creating a separate J2EE declarative security entry for each action (and each alias, etc). This is, IMHO, a HUGE drawback.
Then the issue of read/write actions remain, which usually is of the form "execute action, redirect to page depending on result". Here it might be interesting to look at the new Portlet API which does something like this: when a page is generated URL's are created and associated with actions (see http://www7b.boulder.ibm.com/wsdd/zones/portal/portlet/4.1api/org/apache/jetspeed/portlet/PortletURI.html). When the submit button of a form is clicked and the URL for the form has been associated with an action that action is then invoked before rendering the page. In this case it is thus the framework that triggers the execution of the read/write action. It's not possible to execute just by "knowing a URL". This in itself makes it easier to ensure that code that "does things" is not executed out of context or insecurely.
Since I'm personally ONLY going to be using WebWork/XWork through portlets it'd be neat if XWork right from the start conformed to this pattern. :-) Unfortunately the Portlet API draft has not been released yet due to license issues (BIG ANNOYED *SIGH* GOES HERE), but hopefully it'll be out soonish.
And on the component note IMHO Portlets is the right level of abstraction of components. I'd rather see XWork making it simple to do portlets than trying to do our own packaging structure to do (basically) the same thing.
/Rickard
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
