I'd previously blogged about the security vulnerability that exists when Struts dynamic method invocation is not disabled (http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation). I was happy to learn that this vulnerability was addressed in the 2.3.1 release.

However, after adding strict-method-invocation="true" to my package statement, a user of my example application is still able to execute any public method (for example getPassword) of the action class.

I'm following the instructions here (http://struts.apache.org/2.3.1/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation) that state to add strict-method-invocation="true" to the package statement to prevent dynamic method invocation from executing any method except the method specified in the method attribute of the action.

You can download the example application from my blog post (http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation) to see how I tested the 2.3.1 release and dynamic method invocation. See the readme file in the download for instructions on how to build and deploy the example.

Have I missed some additional configuration that must be done to prevent dynamic method invocation from allowing the user to execute methods besides the method specified in the action's method attribute?

Thank you for the assistance.

--
View this message in context: http://struts.1045723.n5.nabble.com/Dynamic-Method-Invocation-Changes-In-Struts-2-3-1-Release-tp5077597p5077597.html
Sent from the Struts - User mailing list archive at Nabble.com.
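For reference, a struts.xml that layers the two available switches: the global constant that turns dynamic method invocation off entirely, plus the per-package strict-method-invocation attribute discussed in the post. This is an added example and not the poster's application; the package, namespace and action class names are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Global switch: refuse the "action!method" form of dynamic method
         invocation everywhere, independent of any package-level setting. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Package-level setting from the post: only the method named in each
         action's method attribute (or execute) may be invoked. -->
    <package name="example" namespace="/" extends="struts-default"
             strict-method-invocation="true">

        <!-- Placeholder action class. A request for helloWorld may run only
             execute(); public accessors such as getPassword() on the action
             class are not reachable as action methods. -->
        <action name="helloWorld" class="org.example.HelloWorldAction"
                method="execute">
            <result>/HelloWorld.jsp</result>
        </action>
    </package>
</struts>
```

To verify the deployment, request the action with a "!getPassword" suffix and confirm the response is an error rather than the method's return value; if it still executes, the running release is honouring neither setting and should be checked against the version notes.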