Hrm - no, this is thinking the wrong way mate :) If webwork defined paths, security would work perfectly right?
So why not have webwork only 'work' if the path is correct (and defined)? Ie /admin/foo.action would execute foo, but /bar/admin/foo.action would execute nothing. That way you keep .action, AND your security works fine?

(And if you don't define paths - it works as it does now - principle of least surprise!)

-mike

On 3/1/03 6:05 AM, "Rickard Öberg" ([EMAIL PROTECTED]) penned the words:

> Chris Miller wrote:
>> Remind me again why .action causes problems with declarative security?
>> Surely the real problem is that Webwork currently doesn't care if an
>> arbitrary path is specified in the URL. ie:
>> http://www.me.com/abc123/admin/deleteUser.action is treated the same as
>> http://www.me.com/admin/deleteUser.action - which makes it very messy to
>> nail down in web.xml.
>
> That *is* the problem. And it's not messy; it's impossible! No matter
> how you construct your web.xml I can circumvent it by doing an arbitrary
> path like so:
> http://www.me.com/jkldsdfglkjglkdhgdklhg/asdasdasd/deleteUser.action
>
> If .action invocations are not allowed then it's possible to use
> declarative security. Plus if execution of actions is only possible if a
> URL has been previously associated with it during form creation, then
> it's even safer.
>
> /Rickard

_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
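The mismatch discussed in this thread, as an added example that is not part of the original messages or WebWork's code: a simplified Python model of servlet url-pattern matching, a dispatcher that uses only the last path segment, and the "defined paths" rule proposed above. All function names, the `CONSTRAINTS` table and the `DEFINED` table are assumptions made for the illustration.

```python
# Simplified model (constructed for illustration, not WebWork or container code).

def matches(pattern, path):
    """Servlet url-pattern rules: path prefix ('/x/*'), extension ('*.ext'), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern

# Constructed web.xml equivalent: one constraint meant to protect admin actions.
CONSTRAINTS = [("/admin/*", "admin")]

def required_role(path):
    for pattern, role in CONSTRAINTS:
        if matches(pattern, path):
            return role
    return None  # no constraint matched: the container lets the request through

def lenient_action(path):
    """Behaviour described in the thread: only the last segment picks the action."""
    return path.rsplit("/", 1)[-1][: -len(".action")]

# Proposal from the reply: an action with a defined path runs only under that path.
DEFINED = {"/admin": {"deleteUser"}}  # constructed sample definition

def strict_action(path):
    namespace, _, last = path.rpartition("/")
    name = last[: -len(".action")]
    if not any(name in names for names in DEFINED.values()):
        return name  # no path defined for this action: works as it does now
    return name if name in DEFINED.get(namespace, ()) else None

def outcome(path, roles, resolver):
    """Container check first (web.xml), then the *.action servlet mapping."""
    role = required_role(path)
    if role is not None and role not in roles:
        return "403"
    if not matches("*.action", path):
        return "404"
    action = resolver(path)
    return f"ran {action}" if action else "404"
```

With `lenient_action`, the prefixed URL from the thread skips the `/admin/*` constraint and still runs `deleteUser`; with `strict_action`, the same request executes nothing.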