Chris Nokleberg wrote:
The point is to try and avoid .action URL's for mentioned reasons. Since we can filter calls to .jsp it's certainly doable.I don't understand why URLs need to have ".action" OR ".jsp". In my mind, direct requests to resources is okay for static files, but all action-related requests should flow through the action mappings.
Pretty much, yes. There's no real trouble with allowing .action invocations as before, but if it's possible to get them to go away it would be nice.*If* actions are always tied to a path (or paths), *and* there is a filter controller, then:a) Your URLs can be anything you want. b) You can use the same JSP as the view for multiple actions.
I think in the latest design there is a View factory chain whichI don't see any point in having a JSP View class as opposed to a generic "include a servlet" View class.
produces a View class, just like for actions. A ".jsp" view should
result in a JSP View class, which will just forward the request to a JSP
page via a RequestDispatcher.
But the security problem is not with pages really, but with actions. If the request is stopped at the View stage it's already too late: you may have executed code that the user was not allowed to execute.In servlet 2.3 (and by default in 2.4), a forward this way will *not* go through the filter chain again. This de-facto prevents against public requests to your jsp view pages--they can only be run by the controller.
/Rickard
--
Rickard Öberg
[EMAIL PROTECTED]
Senselogic
Got blog? I do. http://dreambean.com
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
