You can create your own Dispatcher if you want to distinguish, or
implement it as an Interceptor (it's really easy, and if you put it in
your default interceptor stack, you don't have to refer to it again).

> -----Original Message-----
> From: Joris Verschoor [mailto:[EMAIL PROTECTED] 
> Sent: Monday, January 05, 2004 9:23 AM
> To: [EMAIL PROTECTED]
> Subject: [OS-webwork] Security concern: HTTP-POST / HTTP-GET separation
> 
> 
> Hello,
> 
> I'm creating+converting an app with ww2, but this applies to almost all
> frameworks.
> 
> People don't seem to care about the difference between an HTTP GET and
> POST. Almost everybody just puts their code in performAction() or
> execute(), without checking the request method. This is also done in
> most sample code.
> 
> If you don't do this somebody could enter an administrator link / image
> on a forum / comment / whatever that can modify / delete data, or change
> passwords.
> 
> In my own framework, I called doPost() and doGet() just like in
> servlets. Only doing data retrieval and cacheable things in doGet. Any
> action that will cause a db modification is done in doPost();
> I'm converting to webwork, because I really like the simplicity of it.
> I needed the same kind of functionality, so I created a simple
> isPosted() method to check it, but this also ties me to the web. I don't
> really care, but a lot of people do.
> I was thinking about creating an interceptor, but it seemed too much
> trouble. I don't like xml files for this.
> 
> 
> I was wondering how you solve this, if you even thought about it at all.
> 
> 
> Joris
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign 
> up for IBM's Free Linux Tutorials.  Learn everything from the 
> bash shell to sys admin. Click now! 
> http://ads.osdn.com/?ad_id=1278&alloc_id=3371> &op=click
> 
> _______________________________________________
> 
> Opensymphony-webwork mailing list 
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
> 
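
The interceptor approach suggested in the reply could look like the sketch below. This is an added example, not code from the thread or from WebWork itself: the `PostOnly` marker interface and the `PostOnlyInterceptor` class name are hypothetical, and it assumes the XWork 1.x `Interceptor` interface and WebWork 2's `ServletActionContext`. Using a marker interface keeps the per-action decision in Java rather than in XML.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.opensymphony.webwork.ServletActionContext;
import com.opensymphony.xwork.Action;
import com.opensymphony.xwork.ActionInvocation;
import com.opensymphony.xwork.interceptor.Interceptor;

/** Hypothetical marker: implemented by every action that modifies data. */
interface PostOnly {
}

/**
 * Hypothetical interceptor: an action marked PostOnly is only invoked
 * when the request method is POST; anything else gets a 405 response
 * and the action code never runs.
 */
public class PostOnlyInterceptor implements Interceptor {

    public void init() {
    }

    public void destroy() {
    }

    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        // No servlet request means the action is running outside the web
        // layer (for example in a unit test), so there is no method to check.
        boolean stateChanging = invocation.getAction() instanceof PostOnly;
        if (request != null && stateChanging
                && !"POST".equals(request.getMethod())) {
            HttpServletResponse response = ServletActionContext.getResponse();
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            // The response is already written; skip the action and any view.
            return Action.NONE;
        }

        // Read-only actions, and POSTs to marked actions, proceed as usual.
        return invocation.invoke();
    }
}
```

Registered once in the default interceptor stack, the check applies to every action without further configuration, and actions stay free of servlet types. It covers the link and image case raised in the original message; a form submitted from another site still arrives as a POST, so the method check is not a substitute for a per-session request token.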

