Chris Nokleberg wrote:
> I don't understand this logic. A property default is a default for form
> parameters, obviously it can change. If you want to fix the value for a
> particular mapping, you add it to actions.xml.

Not quite. In an action there are two "sets" of parameters: initialization parameters and form parameters. From an action point of view they are equivalent, however, since both are set through set* methods. If both are set the same way then there is a potential security problem if a user sets an init parameter through a form submission. I.e. a parameter which was supposed to be set through some initialization parameter is instead provided by the user. The way to get around that is to:
1) Set form parameters first and init parameters later. However, this makes it impossible to use the init parameters during the prepare() step, which is where they would be perhaps most useful.
2) Require that all init parameters are set in xwork.xml. Even if the default is ok, the value must be provided again, or else there is a security hole.

Both of these two issues go away if init-parameters are provided through the context, or similar, i.e. not by calling set* methods in the action.

> The argument that it will hurt performance is really misleading
> IMHO. You're assuming a certain implementation.

Sure, I'm assuming reflection. Is there any other way to do it?

> For one thing, since the
> parameters and values and destination classes are known ahead of time,
> you can pre-convert all of the values, etc., etc.

That's certainly possible, and would remove some of the overhead.

The other issues still remain.

/Rickard

--
Rickard Öberg
[EMAIL PROTECTED]
Senselogic

Got blog? I do. http://dreambean.com
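
The problem and the context-based alternative discussed in the message above, as an added example that is not part of the original e-mail and is not WebWork or XWork code. The class names, the `uploadDir` and `title` properties, the `init(Map)` method and the `bind` helper are all hypothetical, and the request parameters are constructed.

```java
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

public class InitParamDemo {
    // Hypothetical action: init and form parameters both arrive through set* methods.
    public static class SetterAction {
        String uploadDir = "/var/app/uploads"; // default the mapping relies on
        String title;
        public void setUploadDir(String d) { uploadDir = d; }
        public void setTitle(String t) { title = t; }
    }

    // Hypothetical action: init parameters come from a context map; only form fields have setters.
    public static class ContextAction {
        String uploadDir = "/var/app/uploads";
        String title;
        public void init(Map<String, String> ctx) { uploadDir = ctx.getOrDefault("uploadDir", uploadDir); }
        public void setTitle(String t) { title = t; }
    }

    // Reflection binder: calls set<Name>(String) for each parameter that has a matching setter.
    static void bind(Object action, Map<String, String> params) throws Exception {
        for (Map.Entry<String, String> e : params.entrySet()) {
            String n = e.getKey();
            if (n.isEmpty()) continue;
            String setter = "set" + Character.toUpperCase(n.charAt(0)) + n.substring(1);
            try {
                Method m = action.getClass().getMethod(setter, String.class);
                m.invoke(action, e.getValue());
            } catch (NoSuchMethodException ignored) { } // no such property: drop the parameter
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> init = new HashMap<>();   // mapping leaves uploadDir at its default
        Map<String, String> form = new HashMap<>();   // constructed request parameters
        form.put("title", "hello");
        form.put("uploadDir", "/tmp/elsewhere");      // init parameter name sent in the form

        SetterAction a = new SetterAction();
        bind(a, init);                                // init parameters first, usable in prepare()
        bind(a, form);                                // form value lands in the init property
        System.out.println("setters: uploadDir=" + a.uploadDir);

        ContextAction b = new ContextAction();
        b.init(init);                                 // init parameters never pass through set*
        bind(b, form);                                // no setUploadDir, so the form value is dropped
        System.out.println("context: uploadDir=" + b.uploadDir);
    }
}
```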


