If there be no objections I would like to merge this PR and push a new
BETA today
2015-09-26 9:57 GMT+02:00 Lukasz Lenart :
> 2015-09-25 16:04 GMT+02:00 Christoph Nenning :
>> Well, I don't think it is necessary to check parent packages at
> > Well, I don't think it is necessary to check parent packages at all.
> > Because strictDMI is a primitive boolean and cannot be null. So each
> > package has it explicitly configured, inheriting it is not required.
> > PackageConfig.isStrictMethodInvocation() should just return that value.
>
2015-09-28 13:11 GMT+02:00 Christoph Nenning :
>> > What does the current implementation do?
>> > if strictDMI is set to false it returns false.
>> > if it is set to true parent packages are checked. if it is true in one
>> > parent true is returned.
>> > otherwise
+1
Johannes
#
web: http://www.jgeppert.com
twitter: http://twitter.com/jogep
2015-09-28 9:50 GMT+02:00 Lukasz Lenart :
> If there be no objections I would like to merge this PR and push a new
> BETA today
>
> 2015-09-26
2015-09-25 16:04 GMT+02:00 Christoph Nenning :
> Well, I don't think it is necessary to check parent packages at all.
> Because strictDMI is a primitive boolean and cannot be null. So each
> package has it explicitly configured, inheriting it is not required.
>
2015-09-23 16:22 GMT+02:00 Christoph Nenning :
> But actually it currently does not behave as I would expect it. Due to
> PackageConfig.isStrictMethodInvocation(). It checks parent packages first
> which are usually preconfigured packages from s2 jars. If an
> > But actually it currently does not behave as I would expect it. Due to
> > PackageConfig.isStrictMethodInvocation(). It checks parent packages first
> > which are usually preconfigured packages from s2 jars. If an application
> > package wants to disable strict-DMI it cannot extend a
> >> From: Greg Huber <gregh3...@gmail.com>
> >> To: Struts Developers List <dev@struts.apache.org>,
> >> Date: 17.09.2015 09:37
> >> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
> >>
> >> I was testing using:
>
2015-09-23 15:46 GMT+02:00 Christoph Nenning :
> I was wondering why the method was not blocked in Greg's sample. I tried
> to reproduce his case based on Łukasz' sample app. But no luck.
>
> With the framework never invoked the action
> specified there. It was
> >> There is just one issue left: Setting strict-method-invocation="false"
> >> affects only actions configured in XML. When PackageConfig is created by
> >> XmlConfigurationProvider that field is set but
> >> PackageBasedActionConfigBuilder from convention-plugin does not set it.
> >>
> >>
> > I was wondering why the method was not blocked in Greg's sample. I tried
> > to reproduce his case based on Łukasz' sample app. But no luck.
> >
> > With the framework never invoked the action
> > specified there. It was always the form-action and its execute() method.
>
> You must enable
2015-09-22 13:52 GMT+02:00 Christoph Nenning :
> OK, got it working. The issue was that I had different version of s2 jars
> at runtime. I should learn to use my tools properly ;)
Great!
> @AllowedMethods does what I want it to do, thanks Łukasz!
My pleasure :)
>
> From: Lukasz Lenart <lukaszlen...@apache.org>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 23.09.2015 08:20
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> 2015-09-22 14:05 GMT+02:00 Christoph Nenning <christoph.n
2015-09-23 8:27 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>:
>> From: Lukasz Lenart <lukaszlen...@apache.org>
>> To: Struts Developers List <dev@struts.apache.org>,
>> Date: 23.09.2015 08:20
>> Subject: Re: [GitHub] struts pull request:
2015-09-22 14:16 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>:
>> From: Greg Huber <gregh3...@gmail.com>
>> To: Struts Developers List <dev@struts.apache.org>,
>> Date: 17.09.2015 09:37
>> Subject: Re: [GitHub] struts pull request: WW-
2015-09-22 14:05 GMT+02:00 Christoph Nenning :
>
Ok, but this is something that you as a developer did, so you did that
on purpose, you had a special requirement so it's up to you to
configure Struts to allow such action name. But maybe I am wrong and
this is ok,
2015-09-23 8:17 GMT+02:00 Lukasz Lenart :
>> There is just one issue left: Setting strict-method-invocation="false"
>> affects only actions configured in XML. When PackageConfig is created by
>> XmlConfigurationProvider that field is set but
>>
> From: Lukasz Lenart <lukaszlen...@apache.org>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 17.09.2015 08:25
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> Great, thanks for testing it!
>
> 2015-09-16 16:26 GMT+02:0
> From: Lukasz Lenart <lukaszlen...@apache.org>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 15.09.2015 09:11
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> I have extended the list of default 'global-allowed-methods' b
> From: Greg Huber <gregh3...@gmail.com>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> I was testing using:
>
>
>
> and it returned the value i
> From: Greg Huber <gregh3...@gmail.com>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> I was testing using:
>
>
>
> and it returned the value in the
For my form bean, getBean().getName();
edit!getBean().getName
For me it shows an exception with the bean Name field value, would a
combination of all public methods in the package and then on sensitive
actions like login/payments etc use the action to restrict to allowed
methods only?
[
2015-09-17 9:11 GMT+02:00 Greg Huber :
> For my form bean, getBean().getName();
>
>
> edit!getBean().getName
>
>
> For me it shows an exception with the bean Name field value, would a
> combination of all public methods in the package and then on sensitive
> actions like
I was testing using:
and it returned the value in the name field on the bean.
public class EventEdit extends EventBase {

    private EventBean bean = null;

    /**
     * Gets the bean.
     *
     * @return the bean
     */
    public EventBean getBean() {
        return bean;
    }
}
Great, thanks for testing it!
2015-09-16 16:26 GMT+02:00 Christoph Nenning :
> Finally I had some time to play with strict DMI again. Here some findings
> and thoughts:
>
>
> - I realized that in current master branch strict DMI has no effect when
> actions are not
2015-09-17 9:37 GMT+02:00 Greg Huber :
> I was testing using:
>
>
>
> and it returned the value in the name field on the bean.
>
> public class EventEdit extends EventBase {
>
> private EventBean bean = null;
>
> /**
> * Gets the bean.
> *
> * @return
2015-09-16 9:12 GMT+02:00 Greg Huber :
> Hm, getAString(), would it return anything? I will do a check to see what
> happens.
It will return a String which is then interpreted as a result name but
if you are in devMode you will get the developer notification that the
such
Hm, getAString(), would it return anything? I will do a check to see what
happens.
On 16 September 2015 at 07:56, Lukasz Lenart wrote:
> 2015-09-16 8:51 GMT+02:00 Greg Huber :
> > Restricting to public methods on the action class/package would be
Restricting to public methods on the action class/package would be more
useful, may be less of an overhead? It would be inherited methods that
could potentially cause the issues.
On 15 September 2015 at 08:11, Lukasz Lenart wrote:
> I have extended the list of default
2015-09-16 8:51 GMT+02:00 Greg Huber :
> Restricting to public methods on the action class/package would be more
> useful, may be less of an overhead? It would be inherited methods that
> could potentially cause the issues.
Yes, I am planning something like that but it's
: Lukasz Lenart <lukaszlen...@apache.org>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 04.09.2015 12:18
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> Added `strict-method-invocation` attribute back to allow disable the
> Strict
I have extended the list of default 'global-allowed-methods' but I am
wondering if support for 'package-allowed-methods' is needed?
'global-allowed-methods' are inherited from package to package where
'package-allowed-methods' wouldn't be. WDYT?
This can always be added later.
2015-09-04 12:25
I have updated PR description with more detailed info
https://github.com/apache/struts/pull/47
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
-
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For
Added `strict-method-invocation` attribute back to allow disabling the
Strict DMI mode. Also improved a bit how Strict DMI logic works, right
now it's as follows:
- / @AllowedMethods defined per action - Strict DMI
works without switching it on but just for those actions (plus adding
)
- Strict DMI
per would this be on the action element in the
struts.xml?
Have you an example of the config?
On 2 September 2015 at 10:54, Lukasz Lenart wrote:
> 2015-09-02 10:18 GMT+02:00 Christoph Nenning <
> christoph.nenn...@lex-com.net>:
> > In my apps I would not need to use
2015-09-03 9:13 GMT+02:00 Greg Huber :
> per would this be on the action element in the
> struts.xml?
>
> Have you an example of the config?
Action level support is already available (for some time)
Probably the config to go with
are there any docs on the
for the ?
Cheers Greg
On 3 September 2015 at 08:21, Lukasz Lenart wrote:
> 2015-09-03 9:13 GMT+02:00 Greg Huber :
> > per would this be on the action element in the
> >
2015-09-03 10:45 GMT+02:00 Greg Huber :
> Probably the config to go with
>
> are there any docs on the
>
> for the ?
Not yet
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Support to configure via annotation was added. You
can use @AllowedMethods per class or per Java package with
package-info.java, ie:
@org.apache.struts2.convention.annotation.AllowedMethods("home,start")
package org.apache.struts2.convention.actions.allowedmethods;
or
@AllowedMethods("end")
Probably a good idea to be strict, but I have lots of methods, only use
DMI, so it may get to be a very long element.
Maybe I could prefix all my required methods with something, ie with
allowedPublish() allowedPublishNow() etc
and use :
regex:allowed(([A-Z]?)([a-z]+)?)
I previously added a
Maybe public methods and by package name?
mypackage.com
regex:(([A-Z]?)([a-z]+)?)
On 2 September 2015 at 08:09, Lukasz Lenart wrote:
> 2015-09-01 12:41 GMT+02:00 Greg Huber :
> > The same way interceptors are configured, something like:
> >
> >
he.org>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 02.09.2015 09:08
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> 2015-09-01 12:41 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> > The same way interceptors are c
2015-09-01 12:41 GMT+02:00 Greg Huber :
> The same way interceptors are configured, something like:
>
> publish*
>
> public String publish() {..}
> public String publishNow() {..}
but maybe instead of such simple definition it'd be better to allow
specify very strict regex,
2015-09-02 10:18 GMT+02:00 Christoph Nenning :
> In my apps I would not need to use any patterns. Just a list of methods,
> different for each action, would be enough for me.
per or per
> What do you think about a config switch to enable/disable patterns for
>
2015-09-02 9:55 GMT+02:00 Greg Huber :
> Probably a good idea to be strict, but I have lots of methods, only use
> DMI, so it may get to be a very long element.
>
> Maybe I could prefix all my required methods with something, ie with
> allowedPublish() allowedPublishNow() etc
2015-09-02 10:01 GMT+02:00 Greg Huber :
> Maybe public methods and by package name?
>
> mypackage.com
> regex:(([A-Z]?)([a-z]+)?)
It will complicate a few other things as evaluation of allowed methods
happens on mapping, very early in processing
Regards
--
Łukasz
+ 48 606
> > In my apps I would not need to use any patterns. Just a list of methods,
> > different for each action, would be enough for me.
>
> per or per
>
That is great! Still looking forward to annotations, at least for actions
:)
> > What do you think about a config switch to
> From: Lukasz Lenart <lukaszlen...@apache.org>
> To: Struts Developers List <dev@struts.apache.org>,
> Date: 01.09.2015 08:19
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> I have enabled Strict DMI by default, right now configuration via
I have enabled Strict DMI by default, right now configuration via
struts.xml is supported only but I'm going to add support for
annotations as well. When it will be done I will push a new BETA
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
2015-09-01 8:10 GMT+02:00 lukaszlenart
Would these be regex style method names?
On 1 September 2015 at 07:10, lukaszlenart wrote:
> GitHub user lukaszlenart opened a pull request:
>
> https://github.com/apache/struts/pull/47
>
> WW-4540: Strict DMI
>
> This PR enables `Strict DMI` by default (or
The same way interceptors are configured, something like:
publish*
public String publish() {..}
public String publishNow() {..}
On 1 September 2015 at 11:31, Lukasz Lenart wrote:
> Right now it supports wildcard mappings actions' definitions [1] - I
> mean when you
Right now it supports wildcard mappings actions' definitions [1] - I
mean when you defined a method like method="do{2}" it's supported. If
you need anything else please give me an example.
[1] https://struts.apache.org/docs/wildcard-mappings.html
2015-09-01 12:23 GMT+02:00 Greg Huber