OK, I must be missing something here... I'm sure we discussed this
previously and the only solid argument in support of the arbitrary paths was
for skinning applications. I still can't see how the path/skinning
functionality can be supported by having urls that end with .jsp instead of
.action. Can you explain further (with an example perhaps) what you mean by
"If .action invocations are not allowed then it's possible to use
declarative security"? How does your approach allow web.xml to be configured
to protect a path such as */admin/*?

"Rickard Öberg" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
Chris Miller wrote:
> Remind me again why .action causes problems with declarative security?
> Surely the real problem is that Webwork currently doesn't care if an
> arbitrary path is specified in the URL. ie:
> http://www.me.com/abc123/admin/deleteUser.action is treated the same as
> http://www.me.com/admin/deleteUser.action - which makes it very messy to
> nail down in web.xml.

That *is* the problem. And it's not messy; it's impossible! No matter
how you construct your web.xml I can circumvent it by doing an arbitrary
path like so:
http://www.me.com/jkldsdfglkjglkdhgdklhg/asdasdasd/deleteUser.action

If .action invocations are not allowed then it's possible to use
declarative security. Plus if execution of actions is only possible if a
URL has been previously associated with it during form creation, then
it's even safer.

/Rickard

--
Rickard Öberg
[EMAIL PROTECTED]
Senselogic

Got blog? I do. http://dreambean.com
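
Added example, not part of the original thread and not WebWork's own code: a small audit that applies servlet-spec url-pattern matching to the URLs quoted above and lists the requests that reach a protected action without matching any web.xml constraint. The dispatcher model (servlet mapped to *.action, action name taken from the last path segment) is an assumption based on the behaviour described in the thread; the sample paths are constructed from its URLs.

```python
import posixpath

def constraint_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, '/prefix/*', or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.rsplit(".", 1)[1] == pattern[2:]
    return path == pattern

def resolve_action(path):
    """Assumed dispatcher model: servlet mapped to '*.action', action name is
    the last path segment, leading directories are ignored."""
    if not constraint_matches("*.action", path):
        return None
    return posixpath.basename(path)[: -len(".action")]

def audit(paths, patterns, protected_actions):
    """Return paths that reach a protected action yet match no constraint."""
    findings = []
    for p in paths:
        action = resolve_action(p)
        covered = any(constraint_matches(c, p) for c in patterns)
        if action in protected_actions and not covered:
            findings.append(p)
    return findings

# Constructed sample requests, based on the URLs quoted in the thread.
SAMPLE_PATHS = [
    "/admin/deleteUser.action",
    "/abc123/admin/deleteUser.action",
    "/jkldsdfglkjglkdhgdklhg/asdasdasd/deleteUser.action",
    "/admin/index.jsp",
]
PROTECTED = {"deleteUser"}

if __name__ == "__main__":
    # A path-prefix constraint alone leaves the arbitrary-path requests uncovered.
    print("/admin/* only:", audit(SAMPLE_PATHS, ["/admin/*"], PROTECTED))
    # An extension constraint covers them, but it applies to every action.
    print("plus *.action:", audit(SAMPLE_PATHS, ["/admin/*", "*.action"], PROTECTED))
```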






_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
