I don't think it really matters.
Say you have a hidden field containing an id in your form that is posted back to an action. A user could copy that page to their hard disk, modify the field and then submit it. They would still be POSTing so your action would be happy. You still need to verify the id is ok, or user has permission to access that id.
If you had some reason to only allow POSTs then you might be able to check in the action, or I think you can do that with a security constraint in web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>allow only POSTs</web-resource-name>
            <url-pattern>/postonly/*.do</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>no-member-role</role-name>
        </auth-constraint>
    </security-constraint>

This basically means if someone tries to use GET (e.g. a normal request to the action) they would have to be a member of the role 'no-member-role'. Since we won't have anyone in this role, nobody can use GET for these actions. All other methods are allowed.
-- Jason Lea
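The two checks Jason's reply describes (refuse non-POST requests, then verify that the hidden id actually belongs to the current user) and the execute()-level check Shane asks about in question 3 can be combined in one Struts 1 Action. The following is an added example written for this thread; it is not code from either poster or from Struts itself. The form field name "orderId", the OrderOwnerLookup interface, and the "failure"/"success" forward names are assumed for illustration.

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Struts 1 Action that (1) refuses anything but POST and (2) checks that the
 * hidden "orderId" field the client sent really belongs to the logged-in user.
 * Both checks are needed: the method check stops form submissions arriving as
 * a GET, but only the ownership check stops a tampered hidden field, because
 * the client controls the field's value regardless of HTTP method.
 */
public class UpdateOrderAction extends Action {

    /**
     * Assumed (hypothetical) lookup: returns the username owning an order,
     * or null when no such order exists. Not part of Struts.
     */
    public interface OrderOwnerLookup {
        String ownerOf(long orderId);
    }

    // Struts creates Actions reflectively with a no-arg constructor, so the
    // lookup is set afterwards (e.g. from the ServletContext in a real app;
    // how it is obtained is outside this example).
    private OrderOwnerLookup lookup;

    public void setLookup(OrderOwnerLookup lookup) {
        this.lookup = lookup;
    }

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws IOException {

        // 1. Method check. Compare with equals(), not ==, and treat every
        //    non-POST method (GET, HEAD, PUT, ...) the same way.
        if (!"POST".equals(request.getMethod())) {
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return null; // response already committed; no forward
        }

        // 2. Authorization check on the hidden id. The value is untrusted
        //    input whether it arrived by GET or by POST.
        String user = request.getRemoteUser();
        Long orderId = parseId(request.getParameter("orderId"));
        if (user == null || orderId == null || !isOwner(user, orderId)) {
            return mapping.findForward("failure");
        }

        // ... perform the update for (user, orderId) here ...
        return mapping.findForward("success");
    }

    /** True only when the order exists and is owned by this user. */
    boolean isOwner(String user, long orderId) {
        String owner = lookup.ownerOf(orderId);
        return owner != null && owner.equals(user);
    }

    /** Parses a numeric id; null for a missing, non-numeric or negative value. */
    static Long parseId(String raw) {
        if (raw == null) {
            return null;
        }
        try {
            long id = Long.parseLong(raw.trim());
            return id >= 0 ? Long.valueOf(id) : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }
}
```

The web.xml constraint from Jason's reply and this in-Action check are not alternatives: the constraint only blocks the methods it lists, while the Action rejects everything that is not POST and, more importantly, performs the ownership check that no method restriction can replace.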
Bailey, Shane C. wrote:
I have worked with Struts at a few different companies now and I noticed none of them try to do any checks to see that only POST methods can successfully make it to Actions which handle form submittals. Struts allows GETs and POSTs to make it to every Action, so it seems like this would be something to think about (or maybe not, that is one reason I am asking).
So I guess I have a few questions then:

1. Shouldn't I worry about (and defend against) which request method types (GET, POST, etc.) can make it to which actions?
2. If so, does Struts have a built in mechanism like <action path="/whatever" requestMethod="POST">?
3. If not, should I be doing something like this at the top of my execute() method, for Actions which should require a POST only:

    if( !"POST".equals(request.getMethod()) ){ return mapping.findForward("failure"); }
With #1 I mean should it matter if someone can go to the URL field in the browser and type in all the field / value pairs for a form and hit enter (I am thinking it does matter) compared to HAVING to do a POST for it to succeed?

I am just thinking back to the Servlet programming days when you put the form submittal handling code in the doPost() and the other code in the doGet() methods.
Any thoughts on this?