Github user asfgit closed the pull request at:
https://github.com/apache/struts/pull/47
---
plementation do?
> >> if strictDMI is set to false it returns false.
> >> if it is set to true parent packages are checked. if it is true in one
> >> parent true is returned.
> >> otherwise true is returned in any case.
> >>
> >> IMHO it can be just a simple getter.
> You are right :) But I have some doubts, what if someone has a large
> application with multiple packages? Right now it will have to disable
> Strict DMI in each one, Strict DMI isn't inherited so it can be done
> in parent package (his own, not from Struts). But from other side we
> wa
> > But actually it currently does not behave as I would expect it. Due to
> > PackageConfig.isStrictMethodInvocation(). It checks parent packages first
> > which are usually preconfigured packages from s2 jars. If an application
> > package wants to disable strict-DMI it cannot extend a framework package.
Ok, found a good solution! Now Strict DMI is enabled by default but it
can be simply disabled by setting the attribute to false.
https://github.com/lukaszlenart/struts/commit/86afcbe611f7c3afda26e396cc4504d3c
Wow, did not exp
2015-09-23 15:46 GMT+02:00 Christoph Nenning :
> I was wondering why the method was not blocked in Greg's sample. I tried
> to reproduce his case based on Łukasz' sample app. But no luck.
>
> With the framework never invoked the action
> specified there. It was always the form-action and its execute() method.
You must enable
t in xml.
>
> Thanks, I will try to figure out if it is possible
Done, disabling Strict DMI also affects the Convention plugin
https://github.com/lukaszlenart/struts/commit/b8381057190c3abebbc3a65c404fd5de5f2c6c52
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
2015-09-23 8:27 GMT+02:00 Christoph Nenning :
2015-09-22 14:16 GMT+02:00 Christoph Nenning :
2015-09-22 14:05 GMT+02:00 Christoph Nenning :
>
Ok, but this is something that you as a developer did, so you did that
on purpose, you had a special requirement so it's up to you to
configure Struts to allow such action name. But maybe I am wrong and
this is ok that such a method was blocked?
2015-09-22 13:52 GMT+02:00 Christoph Nenning :
> OK, got it working. The issue was that I had a different version of s2 jars
> at runtime. I should learn to use my tools properly ;)
Great!
> @AllowedMethods does what I want it to do, thanks Łukasz!
My pleasure :)
> There is just one issue left: S
> From: Greg Huber
> To: Struts Developers List ,
> Date: 17.09.2015 09:37
> Subject: Re: [GitHub] struts pull request: WW-4540: Strict DMI
>
> I was testing using:
>
>
>
> and it returned the value in the name field on the bean.
>
I don't know ho
I tested with:
And tha
> I thought this was what we were trying to stop?
but this is something different, it happens on server side in tags,
it's your choice as a dev. Wi
I was testing using:
and it returned the value in the name field on the bean.
public class EventEdit extends EventBase {
    private EventBean bean = null;

    /**
     * Gets the bean.
     *
     * @return the bean
     */
    public EventBean getBean() {
        return bean;
    }
}
For my form bean, getBean().getName();
edit!getBean().getName
For me it shows an exception with the bean Name field value, would a
combination of all public methods in the package and then on sensitive
actions like login/payments etc use the action to restrict to allowed
methods only?
Great, thanks for testing it!
2015-09-16 16:26 GMT+02:00 Christoph Nenning :
Finally I had some time to play with strict DMI again. Here some findings
and thoughts:
- I realized that in current master branch strict DMI has no effect when
actions are not configured in xml. I thought that would lead to no methods
being allowed.
- In strict-DMI branch it is same
2015-09-16 9:12 GMT+02:00 Greg Huber :
> Hm, getAString(), would it return anything? I will do a check to see what
> happens.
It will return a String which is then interpreted as a result name but
if you are in devMode you will get the developer notification that
such a result doesn't exist and
> of an overhead? It would be inherited methods that
> could potentially cause the issues.
Yes, I am planning something like that but it's something different
than Strict DMI. Also your solution allows access to getters ie.
some.action!getPassword
Restricting to public methods on the action class/package would be more
useful, may be less of an overhead? It would be inherited methods that
could potentially cause the issues.
On 15 September 2015 at 08:11, Lukasz Lenart wrote:
I have extended the list of default 'global-allowed-methods' but I am
wondering if support for 'package-allowed-methods' is needed?
'global-allowed-methods' are inherited from package to package where
'package-allowed-methods' wouldn't be. WDYT?
This can always be added later.
2015-09-04 12:25 GM
I have updated PR description with more detailed info
https://github.com/apache/struts/pull/47
Added `strict-method-invocation` attribute back to allow disabling the
Strict DMI mode. Also improved a bit how Strict DMI logic works, right
now it's as follows:
- / @AllowedMethods defined per action - Strict DMI
works without switching it on but just for those actions (plus adding
)
- Stric
@AllowedMethods("end")
public class ClassLevelAllowedMethodsAction {
    public String execute() { return null; }
}
2015-09-03 10:45 GMT+02:00 Greg Huber :
Not yet
Probably the config to go with
are there any docs on the
for the ?
Cheers Greg
On 3 September 2015 at 08:21, Lukasz Lenart wrote:
2015-09-03 9:13 GMT+02:00 Greg Huber :
> per would this be on the action element in the
> struts.xml?
>
> Have you an example of the config?
Action level support is already available (for some time)
https://struts.apache.org/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocat
> > What do you think about a config switch to enable/disable patterns for
> > strict-dmi-method-names ?
>
> Originally there was such switch, disabled by default. I can restore
> it back and set to true by default.
>
IMHO that makes sense as this whole thing is about security. And an
explicit whitelist of wh
2015-09-02 10:18 GMT+02:00 Christoph Nenning :
> In my apps I would not need to use any patterns. Just a list of methods,
> different for each action, would be enough for me.
per or per
> What do you think about a config switch to enable/disable patterns for
> strict-dmi-
2015-09-02 10:01 GMT+02:00 Greg Huber :
> Maybe public methods and by package name?
>
> mypackage.com
> regex:(([A-Z]?)([a-z]+)?)
It will complicate a few other things as evaluation of allowed methods
happens on mapping, very early in processing
2015-09-02 9:55 GMT+02:00 Greg Huber :
In my apps I would not need to use any patterns. Just a list of methods,
different for each action, would be enough for me.
What do you think about a config switch to enable/disable patterns for
strict-dmi-method-names ?
Regards,
Christoph
Maybe public methods and by package name?
mypackage.com
regex:(([A-Z]?)([a-z]+)?)
On 2 September 2015 at 08:09, Lukasz Lenart wrote:
Probably a good idea to be strict, but I have lots of methods, only use
DMI, so it may get to be a very long element.
Maybe I could prefix all my required methods with something, ie with
allowedPublish() allowedPublishNow() etc
and use :
regex:allowed(([A-Z]?)([a-z]+)?)
I previously added a sa
2015-09-01 12:41 GMT+02:00 Greg Huber :
> The same way interceptors are configured, something like:
>
> publish*
>
> public String publish() {..}
> public String publishNow() {..}
but maybe instead of such a simple definition it'd be better to allow
specifying a very strict regex, ie:
regex:publish(([A-
Would these be regex style method names?
On 1 September 2015 at 07:10, lukaszlenart wrote:
I have enabled Strict DMI by default, right now configuration via
struts.xml is supported only but I'm going to add support for
annotations as well. When it is done I will push a new BETA
2015-09-01 8:10 GMT+02:00 lukaszl
GitHub user lukaszlenart opened a pull request:
https://github.com/apache/struts/pull/47
WW-4540: Strict DMI
This PR enables `Strict DMI` by default (or rather it's always enabled).
This will limit possible methods which can be called and executed as an action
me
If @Action is to be allowed at the method level, do its annotation's
attributes still make sense? I am not asking rhetorically. If not, it is
better to create a new annotation.
On Thu, Oct 10, 2013 at 9:21 AM, Ken McWilliams wrote:
I didn't mean to say that "action:" didn't make any sense, which I agree it
doesn't; But that "method:" really isn't any different. The @Action
annotation can be applied at the method level of the action class. The
use-case for the method prefix seems to be completely addressed by using
the @Action
Ken,
I don't think "action:" will be supported beyond 2.5. It is a feature that
doesn't make sense. All buttons that belong to a form need to be processed
by the action of the form for security to work. That's what I think.
Paul
On Wed, Oct 9, 2013 at 5:58 PM, Ken McWilliams wrote:
What am I missing? Why not just the @action annotation? The whole method
annotation seems to have risen out of a poor definition of "action". I
consider the action the entire flow of execution. From mapping to result
(Interceptors and the Action class too).
From the DefaultActionMapper document
I think @ActionMethod or @Method is very handy. I'm still wondering
about how to map which actions are allowed to be used with "action:"
prefix - what about dropping "action:" prefix and stick only with
"method:" and "" ?
2013/10/4 St
I suggested this because I wrote an interceptor to require the
@ActionMethod annotation years ago to lock down DMI. The upside to a
separate annotation was that it was completely compatible with XML
configuration (which I use). It also had a nice benefit of being
documentation, as well. No ambiguit
I like that WAY better. Instead of using opaque strings in @Action, use
@ActionMethod on the destination methods. +1
On Fri, Oct 4, 2013 at 4:31 AM, Lukasz Lenart wrote:
2013/10/3 Steven Benitez :
> Why not just have an @ActionMethod annotation? If it's on the action method,
> you can invoke it, if not, you can't. The global config option for allowed
> methods sounds reasonable (e.g., execute, input, etc.)
Nice idea and quite simple :-) What about "allowedActions"
orking on extending Strict DMI mode to be enabled by default -
> basically you won't be able to disable it. Thus means you will have to
> define "allowedActions" and "allowedMethods" globally or per action.
> There be no defaults (as for now) so if you don't d
Hi,
I'm working on extending Strict DMI mode to be enabled by default -
basically you won't be able to disable it. This means you will have to
define "allowedActions" and "allowedMethods" globally or per action.
There will be no defaults (as for now) so if yo
I created one before you: 3735
I will write a comment that it is a duplicate.
Thanks for the fix in 2.3.2
Andi
Original message
> Date: Fri, 6 Jan 2012 15:09:08 -0800
> From: John Lindal
> To: "Struts Developers List"
> Subject: Re: strict DMI
I created a ticket for this: https://issues.apache.org/jira/browse/WW-3740
John
On Jan 4, 2012, at 12:00 PM, Andreas Sachs wrote:
The wildcard support is limited to *, since (Method1|Method2|Method3)
is actually a regex, not a wildcard.
I agree that allowed-methods ought to limit the wildcard matching.
Can you file a JIRA ticket for this?
Thanks,
John
On Jan 4, 2012, at 12:00 PM, Andreas Sachs wrote:
Hi John,
thanks for the clarification.
But to come back to my original question:
Why is not available for wildcard method invocation? Even you
expected that it is available (your first post).
Allowed-methods would be a good possibility to limit the wildcard to some
method names.
Or is there a
tion: if turned on, methods must be specified
(by method-attribute or allowed_method)
Thanks
Andi
Original message
Date: Tue, 3 Jan 2012 15:42:50 -0800
From: John Lindal
To: "Struts Developers List"
Subject: Re: strict DMI
I think the tag inside an controls both.
John
On Jan 3, 2012, at 2:50 PM, Andreas Sachs wrote:
Hi,
I like the idea of strict-method-invocation="true" and the possibility to
define the allowed methods. I'm just wondering why this is only implemented for
DMI and not for wildcard method invocation.
Are there any reasons for this?
Thanks
Andi