Well,  I suppose it wouldn't hurt to post it here.  Some time ago (after the
official 1.1 release) someone (sorry, I don't remember who) posted an issue
to bugzilla about this.

Let's say your application is using dispatch action, and you have
a link on a page that looks like this:
http://www.myserver.com/myapp/customer.do?customer.id=4518003&action=viewDetails&region=sw

In your action, you have a "viewDetails" method (IAW dispatch doco), but
what if I changed that url to execute your "execute" method.  This would
cause your application to call itself recursively until (and this depends
on your container) it blows up (figuratively speaking).

This more or less fits with what I would call a "denial of service".


So, how can I prevent this in my current app?
I'm glad you asked ;)


The simple fix is to override the execute method in your base action and
check for which method will be called:

public abstract class BaseAction extends DispatchAction {
  ...
  public ActionForward execute(ActionMapping mapping, ActionForm form,
                               HttpServletRequest request,
                               HttpServletResponse response)
      throws Exception {
    // mapping.getParameter() names the request parameter DispatchAction
    // reads to pick the method (e.g. "action" in the URL above)
    String method = request.getParameter(mapping.getParameter());
    if (method != null &&
        ("execute".equals(method) || "perform".equals(method))) {
      throw new ServletException(
          "Do not use 'execute' or 'perform' with DispatchAction");
    }
    return super.execute(mapping, form, request, response);
  }
  ...
}


Hope that helps!


--
James Mitchell
Software Engineer / Open Source Evangelist
EdgeTech, Inc.
http://www.EdgeTechServices.net/
678.910.8017
AIM: jmitchtx
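The dispatch path described above, as an added stand-alone model (not Struts code and not from this thread): the method name arrives in a request parameter and is resolved by reflection, so a value of "execute" re-enters execute() itself. The class, method and allow-list names are assumptions; the deny-list check is the one from the fix, and the allow-list is the stricter generalization a defender would usually prefer.

```java
import java.lang.reflect.Method;
import java.util.Set;

// Stand-alone model of the DispatchAction dispatch path; not Struts code.
// The request parameter value (here the String "method") is used as a method
// name and invoked by reflection. Without a guard, "execute" makes execute()
// dispatch to itself until the stack is exhausted.
public class DispatchGuardDemo {

    static class CustomerAction {
        // Allow-list of methods meant to be reachable from a URL (assumed names).
        static final Set<String> DISPATCHABLE = Set.of("viewDetails", "save");

        public String execute(String method) throws Exception {
            // The check from the mailing-list fix: block the two names that
            // would re-enter this method.
            if ("execute".equals(method) || "perform".equals(method)) {
                throw new IllegalArgumentException(
                        "Do not use 'execute' or 'perform' with DispatchAction");
            }
            // Stricter generalization: refuse anything not explicitly exported,
            // so only intended entry points are reachable by name.
            if (method == null || !DISPATCHABLE.contains(method)) {
                throw new IllegalArgumentException("Unknown dispatch method: " + method);
            }
            return dispatch(method);
        }

        // Reflective lookup of a public method by name, as DispatchAction does
        // with the servlet signature.
        private String dispatch(String method) throws Exception {
            Method m = getClass().getMethod(method, String.class);
            return (String) m.invoke(this, method);
        }

        public String viewDetails(String method) { return "details for customer"; }
        public String save(String method) { return "saved"; }
    }

    public static void main(String[] args) throws Exception {
        CustomerAction action = new CustomerAction();
        System.out.println(action.execute("viewDetails"));
        for (String bad : new String[] {"execute", "perform", "dispatch"}) {
            try {
                action.execute(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```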

----- Original Message -----
From: "Ravi Kulkarni" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, May 10, 2004 11:56 PM
Subject: RE: BaseDispacthAction?


> HI James,
>
> It would be great if you can share this information with all.....
>
>
> Kulkarni.
>
> . -----Original Message-----
> . From: James Mitchell [mailto:[EMAIL PROTECTED]
> . Sent: Monday, May 10, 2004 5:15 PM
> . To: Struts Users Mailing List
> . Subject: Re: BaseDispacthAction?
> .
> .
> . I'll send it to you directly.
> .
> .
> .
> . --
> . James Mitchell
> .
> .
> .
> . ----- Original Message -----
> . From: "Erez Efrati" <[EMAIL PROTECTED]>
> . To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
> . Sent: Sunday, May 09, 2004 8:00 AM
> . Subject: RE: BaseDispacthAction?
> .
> .
> . > Hi James, could you please be more specific about this recursion bug? I
> . > am using the 1.1 version so it would help..
> . >
> . > Erez
> . >
> . > -----Original Message-----
> . > From: James Mitchell [mailto:[EMAIL PROTECTED]
> . > Sent: Friday, May 07, 2004 7:50 PM
> . > To: 'Struts Users Mailing List'
> . > Subject: RE: BaseDispacthAction?
> . >
> . > It should work just fine.
> . >
> . > - change your base action to extend DispatchAction
> . > - in execute(), call preProcess(), super.execute(), then postProcess()
> . >
> . > ...assuming you've implemented your custom methods (e.g. search(),
> . > save(), whatever() ) and you understand how DispatchAction works, it should
> . > all fall into place and work fine.
> . >
> . > NOTE - DispatchAction has a pretty serious bug in the Struts 1.1 version
> . > (potential recursive loop until the server spits out of memory
> . > exceptions), so you will want to use a later version or add a fix in your
> . > BaseAction. Let me know if you need help with it.
> . >
> . >
> . > --
> . > James Mitchell
> . > Software Engineer / Open Source Evangelist
> . > EdgeTech, Inc.
> . > 678.910.8017
> . > AIM: jmitchtx
> . >
> . >
> . > > -----Original Message-----
> . > > From: news [mailto:[EMAIL PROTECTED] On Behalf Of Gianluca
> . > > Sent: Friday, May 07, 2004 8:55 AM
> . > > To: [EMAIL PROTECTED]
> . > > Subject: BaseDispacthAction?
> . > >
> . > > I've defined and I'm using a subclass of Action
> . > > (my.package.BaseAction), in order to implement the Template
> . > > design pattern, so I use this class instead of the Action
> . > > class provided by STRUTS. The intended goal is that things
> . > > that are common to all actions are performed here, such as
> . > > logging and validation of the user's session, some
> . > > postprocessing, etc.
> . > > In that class I've declared the execute(..) method as final,
> . > > so that no subclass can override it:
> . > >
> . > > public final ActionForward execute(
> . > >         ActionMapping mapping,
> . > >         ActionForm form,
> . > >         HttpServletRequest request,
> . > >         HttpServletResponse response)
> . > >     throws Exception {
> . > >
> . > >     _log = Logger.getLogger(this.getClass());
> . > >     if (_log.isDebugEnabled()) {
> . > >         _log.debug(someString);
> . > >     }
> . > >
> . > >     // declared outside the try so it is in scope for the return below
> . > >     ActionForward forward = null;
> . > >     try {
> . > >         // Check for precondition errors; fail if found
> . > >         if (preProcess(mapping, form, request, response)) {
> . > >             // Execute actual logic
> . > >             forward = executeLogic(mapping, form, request, response);
> . > >         }
> . > >         // Some postprocessing...
> . > >         postProcess(mapping, form, request, response);
> . > >
> . > >         return forward;
> . > >
> . > >     } catch (SessionNotValidActionException se) {
> . > >         if (_log.isDebugEnabled()) {
> . > >             _log.debug("Session is not valid, redirecting to login.");
> . > >         }
> . > >         return mapping.findForward("login");
> . > >     } catch (...) {
> . > >         ...
> . > >     } finally {
> . > >         ...
> . > >     }
> . > >
> . > >     if (_log.isDebugEnabled()) {
> . > >         _log.debug("Leaving execute method.");
> . > >     }
> . > > }
> . > >
> . > > and I provide the two methods - preProcess and postProcess -
> . > > together with an abstract executeLogic method, and some other
> . > > common helper needs into utility methods.
> . > >
> . > > But Action classes are often too small, and this ruins the
> . > > cohesiveness of the application. So I would like to start
> . > > employing DispatchAction classes to group related actions.
> . > > Do you have any suggestion on how to implement the above
> . > > approach (template pattern) to extend DispatchAction, in
> . > > order to define a BaseDispatchAction?
> . > >
> . > > Thanks,
> . > > Gianluca
> . > >
> . > >
> . >
> . > > ---------------------------------------------------------------------
> . > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> . > > For additional commands, e-mail: [EMAIL PROTECTED]
> . > >
> . >
> . >
> .
>
>
