Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-28 Thread Lukasz Lenart
If there be no objections I would like to merge this PR and push a new BETA today
2015-09-26 9:57 GMT+02:00 Lukasz Lenart :
> 2015-09-25 16:04 GMT+02:00 Christoph Nenning :
>> Well, I don't think it is necessary to check parent packages at

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-28 Thread Christoph Nenning
> > Well, I don't think it is necessary to check parent packages at all.
> > Because strictDMI is a primitive boolean and cannot be null. So each
> > package has it explicitly configured, inheriting it is not required.
> > PackageConfig.isStrictMethodInvocation() should just return that value.
>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-28 Thread Lukasz Lenart
2015-09-28 13:11 GMT+02:00 Christoph Nenning :
>> > What does the current implementation do?
>> > if strictDMI is set to false it returns false.
>> > if it is set to true parent packages are checked. if it is true in one
>> > parent true is returned.
>> > otherwise

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-28 Thread Johannes Geppert
+1 Johannes # web: http://www.jgeppert.com twitter: http://twitter.com/jogep 2015-09-28 9:50 GMT+02:00 Lukasz Lenart : > If there be no objections I would like to merge this PR and push a new > BETA today > > 2015-09-26

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-26 Thread Lukasz Lenart
2015-09-25 16:04 GMT+02:00 Christoph Nenning :
> Well, I don't think it is necessary to check parent packages at all.
> Because strictDMI is a primitive boolean and cannot be null. So each
> package has it explicitly configured, inheriting it is not required.
>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-25 Thread Lukasz Lenart
2015-09-23 16:22 GMT+02:00 Christoph Nenning : > But actually it currently does not behave as I would expect it. Due to > PackageConfig.isStrictMethodInvocation(). It checks parent packages first > which are usually preconfigured packages from s2 jars. If an

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-25 Thread Christoph Nenning
> > But actually it currently does not behave as I would expect it. Due to
> > PackageConfig.isStrictMethodInvocation(). It checks parent packages first
> > which are usually preconfigured packages from s2 jars. If an application
> > package wants to disable strict-DMI it cannot extend a

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Christoph Nenning
> >> From: Greg Huber <gregh3...@gmail.com> > >> To: Struts Developers List <dev@struts.apache.org>, > >> Date: 17.09.2015 09:37 > >> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI > >> > >> I was testing using: >

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Lukasz Lenart
2015-09-23 15:46 GMT+02:00 Christoph Nenning : > I was wondering why the method was not blocked in Greg's sample. I tried > to reproduce his case based on Łukasz' sample app. But no luck. > > With the framework never invoked the action > specified there. It was

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Christoph Nenning
> >> There is just one issue left: Setting strict-method-invocation="false" > >> affects only actions configured in XML. When PackageConfig is created by > >> XmlConfigurationProvider that field is set but > >> PackageBasedActionConfigBuilder from convention-plugin does not set it. > >> > >>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Christoph Nenning
> > I was wondering why the method was not blocked in Greg's sample. I tried > > to reproduce his case based on Łukasz' sample app. But no luck. > > > > With the framework never invoked the action > > specified there. It was always the form-action and it's execute() method. > > You must enable

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Lukasz Lenart
2015-09-22 13:52 GMT+02:00 Christoph Nenning :
> OK, got it working. The issue was that I had different version of s2 jars
> at runtime. I should learn to use my tools properly ;)
Great!
> @AllowedMethods does what I want it to do, thanks Łukasz!
My pleasure :)
>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Christoph Nenning
> From: Lukasz Lenart <lukaszlen...@apache.org> > To: Struts Developers List <dev@struts.apache.org>, > Date: 23.09.2015 08:20 > Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI > > 2015-09-22 14:05 GMT+02:00 Christoph Nenning <christoph.n

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Lukasz Lenart
2015-09-23 8:27 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>: >> From: Lukasz Lenart <lukaszlen...@apache.org> >> To: Struts Developers List <dev@struts.apache.org>, >> Date: 23.09.2015 08:20 >> Subject: Re: [GitHub] struts pull request:

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Lukasz Lenart
2015-09-22 14:16 GMT+02:00 Christoph Nenning <christoph.nenn...@lex-com.net>: >> From: Greg Huber <gregh3...@gmail.com> >> To: Struts Developers List <dev@struts.apache.org>, >> Date: 17.09.2015 09:37 >> Subject: Re: [GitHub] struts pull request: WW-

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Lukasz Lenart
2015-09-22 14:05 GMT+02:00 Christoph Nenning : > Ok, but this is something that you as a developer did, so you did that on purpose, you had a special requirement so it's up to you to configure Struts to allow such action name. But maybe I am wrong and this is ok,

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-23 Thread Lukasz Lenart
2015-09-23 8:17 GMT+02:00 Lukasz Lenart : >> There is just one issue left: Setting strict-method-invocation="false" >> affects only actions configured in XML. When PackageConfig is created by >> XmlConfigurationProvider that field is set but >>

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Christoph Nenning
> From: Lukasz Lenart <lukaszlen...@apache.org> > To: Struts Developers List <dev@struts.apache.org>, > Date: 17.09.2015 08:25 > Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI > > Great, thanks for testing it! > > 2015-09-16 16:26 GMT+02:0

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Christoph Nenning
> From: Lukasz Lenart <lukaszlen...@apache.org> > To: Struts Developers List <dev@struts.apache.org>, > Date: 15.09.2015 09:11 > Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI > > I have extended the list of default 'global-allowed-methods' b

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Christoph Nenning
> From: Greg Huber <gregh3...@gmail.com> > To: Struts Developers List <dev@struts.apache.org>, > Date: 17.09.2015 09:37 > Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI > > I was testing using: > > > > and it returned the value i

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-22 Thread Christoph Nenning
> From: Greg Huber <gregh3...@gmail.com> > To: Struts Developers List <dev@struts.apache.org>, > Date: 17.09.2015 09:37 > Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI > > I was testing using: > > > > and it returned the value in the

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-17 Thread Greg Huber
For my form bean, getBean().getName();
edit!getBean().getName
For me it shows an exception with the bean Name field value, would a combination of all public methods in the package and then on sensitive actions like login/payments etc use the action to restrict to allowed methods only? [

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-17 Thread Lukasz Lenart
2015-09-17 9:11 GMT+02:00 Greg Huber : > For my form bean, getBean().getName(); > > > edit!getBean().getName > > > For me it shows an exception with the bean Name field value, would a > combination of all public methods in the package and then on sensitive > actions like

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-17 Thread Greg Huber
I was testing using: and it returned the value in the name field on the bean.
public class EventEdit extends EventBase {
    private EventBean bean = null;
    /**
     * Gets the bean.
     *
     * @return the bean
     */
    public EventBean getBean() {
        return bean;
    }
}

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-17 Thread Lukasz Lenart
Great, thanks for testing it! 2015-09-16 16:26 GMT+02:00 Christoph Nenning : > Finally I had some time to play with strict DMI again. Here some findings > and thoughts: > > > - I realized that in current master branch strict DMI has no effect when > actions are not

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-17 Thread Lukasz Lenart
2015-09-17 9:37 GMT+02:00 Greg Huber : > I was testing using: > > > > and it returned the value in the name field on the bean. > > public class EventEdit extends EventBase { > > private EventBean bean = null; > > /** > * Gets the bean. > * > * @return

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-16 Thread Lukasz Lenart
2015-09-16 9:12 GMT+02:00 Greg Huber :
> Hm, getAString(), would it return anything? I will do a check to see what
> happens.
It will return a String which is then interpreted as a result name but if you are in devMode you will get the developer notification that the such

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-16 Thread Greg Huber
Hm, getAString(), would it return anything? I will do a check to see what happens. On 16 September 2015 at 07:56, Lukasz Lenart wrote: > 2015-09-16 8:51 GMT+02:00 Greg Huber : > > Restricting to public methods on the action class/package would be

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-16 Thread Greg Huber
Restricting to public methods on the action class/package would be more useful, may be less of an overhead? It would be inherited methods that could potentially cause the issues. On 15 September 2015 at 08:11, Lukasz Lenart wrote: > I have extended the list of default

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-16 Thread Lukasz Lenart
2015-09-16 8:51 GMT+02:00 Greg Huber :
> Restricting to public methods on the action class/package would be more
> useful, may be less of an overhead? It would be inherited methods that
> could potentially cause the issues.
Yes, I am planning something like that but it's

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-16 Thread Christoph Nenning
: Lukasz Lenart <lukaszlen...@apache.org> > To: Struts Developers List <dev@struts.apache.org>, > Date: 04.09.2015 12:18 > Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI > > Added `strict-method-invocation` attribute back to allow disable the > Strict

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-15 Thread Lukasz Lenart
I have extended the list of default 'global-allowed-methods' but I am wondering if support for 'package-allowed-methods' is needed? 'global-allowed-methods' are inherited from package to package where 'package-allowed-methods' wouldn't be. WDYT? This can always be added later. 2015-09-04 12:25

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-04 Thread Lukasz Lenart
I have updated PR description with more detailed info https://github.com/apache/struts/pull/47 Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-04 Thread Lukasz Lenart
Added `strict-method-invocation` attribute back to allow disabling the Strict DMI mode. Also improved a bit how Strict DMI logic works, right now it's as follows: - / @AllowedMethods defined per action - Strict DMI works without switching it on but just for those actions (plus adding ) - Strict DMI

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-03 Thread Greg Huber
per would this be on the action element in the struts.xml? Have you an example of the config? On 2 September 2015 at 10:54, Lukasz Lenart wrote: > 2015-09-02 10:18 GMT+02:00 Christoph Nenning < > christoph.nenn...@lex-com.net>: > > In my apps I would not need to use

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-03 Thread Lukasz Lenart
2015-09-03 9:13 GMT+02:00 Greg Huber :
> per would this be on the action element in the
> struts.xml?
>
> Have you an example of the config?
Action level support is already available (for some time)

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-03 Thread Greg Huber
Probably the config to go with are there any docs on the for the ? Cheers Greg On 3 September 2015 at 08:21, Lukasz Lenart wrote: > 2015-09-03 9:13 GMT+02:00 Greg Huber : > > per would this be on the action element in > the > >

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-03 Thread Lukasz Lenart
2015-09-03 10:45 GMT+02:00 Greg Huber :
> Probably the config to go with
>
> are there any docs on the
>
> for the ?
Not yet
Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-03 Thread Lukasz Lenart
Support to configure via annotation was added. You can use @AllowedMethods per class or per Java package with package-info.java, ie:
@org.apache.struts2.convention.annotation.AllowedMethods("home,start")
package org.apache.struts2.convention.actions.allowedmethods;
or
@AllowedMethods("end")

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-02 Thread Greg Huber
Probably a good idea to be strict, but I have lots of methods, only use DMI, so it may get to be a very long element. Maybe I could prefix all my required methods with something, ie with allowedPublish() allowedPublishNow() etc and use : regex:allowed(([A-Z]?)([a-z]+)?) I previously added a

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-02 Thread Greg Huber
Maybe public methods and by package name?
mypackage.com
regex:(([A-Z]?)([a-z]+)?)
On 2 September 2015 at 08:09, Lukasz Lenart wrote:
> 2015-09-01 12:41 GMT+02:00 Greg Huber :
> > The same way interceptors are configured, something like:
> >
> >

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-02 Thread Christoph Nenning
he.org> > To: Struts Developers List <dev@struts.apache.org>, > Date: 02.09.2015 09:08 > Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI > > 2015-09-01 12:41 GMT+02:00 Greg Huber <gregh3...@gmail.com>: > > The same way interceptors are c

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-02 Thread Lukasz Lenart
2015-09-01 12:41 GMT+02:00 Greg Huber :
> The same way interceptors are configured, something like:
>
> publish*
>
> public String publish() {..}
> public String publishNow() {..}
but maybe instead of such simple definition it'd be better to allow specify very strict regex,

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-02 Thread Lukasz Lenart
2015-09-02 10:18 GMT+02:00 Christoph Nenning : > In my apps I would not need to use any patterns. Just a list of methods, > different for each action, would be enough for me. per or per > What do you think about a config switch to enable/disable patterns for >

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-02 Thread Lukasz Lenart
2015-09-02 9:55 GMT+02:00 Greg Huber : > Probably a good idea to be strict, but I have lots of methods, only use > DMI, so it may get to be a very long element. > > Maybe I could prefix all my required methods with something, ie with > allowedPublish() allowedPublishNow() etc

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-02 Thread Lukasz Lenart
2015-09-02 10:01 GMT+02:00 Greg Huber :
> Maybe public methods and by package name?
>
> mypackage.com
> regex:(([A-Z]?)([a-z]+)?)
It will complicate few other things as evaluation of allowed methods happens on mapping, very early in processing
Regards -- Łukasz + 48 606

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-02 Thread Christoph Nenning
> > In my apps I would not need to use any patterns. Just a list of methods, > > different for each action, would be enough for me. > > per or per > That is great! Still looking forward to annotations, at least for actions :) > > What do you think about a config switch to

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-01 Thread Christoph Nenning
> From: Lukasz Lenart <lukaszlen...@apache.org> > To: Struts Developers List <dev@struts.apache.org>, > Date: 01.09.2015 08:19 > Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI > > I have enabled Strict DMI by default, right now configuration via

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-01 Thread Lukasz Lenart
I have enabled Strict DMI by default, right now configuration via struts.xml is supported only but I'm going to add support for annotations as well. When it will be done I will push a new BETA Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ 2015-09-01 8:10 GMT+02:00 lukaszlenart

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-01 Thread Greg Huber
Would these be regex style method names?
On 1 September 2015 at 07:10, lukaszlenart wrote:
> GitHub user lukaszlenart opened a pull request:
>
> https://github.com/apache/struts/pull/47
>
> WW-4540: Strict DMI
>
> This PR enables `Strict DMI` by default (or

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-01 Thread Greg Huber
The same way interceptors are configured, something like:
publish*
public String publish() {..}
public String publishNow() {..}
On 1 September 2015 at 11:31, Lukasz Lenart wrote:
> Right now it supports wildcard mappings actions' definitions [1] - I
> mean when you

Re: [GitHub] struts pull request: WW-4540: Strict DMI

2015-09-01 Thread Lukasz Lenart
Right now it supports wildcard mappings actions' definitions [1] - I mean when you defined a method like method="do{2}" it's supported. If you need anything else please give me an example. [1] https://struts.apache.org/docs/wildcard-mappings.html 2015-09-01 12:23 GMT+02:00 Greg Huber