I noticed in Struts 1.3 there is a DispatchChainAction, and the parameter attribute specifies the name of the chain to execute. Would somebody consider that a security hole? It seems like anyone could arbitrarily execute any chain command in the entire Struts app if they knew it -- unlike a normal DispatchAction whose parameter is only relevant for that Action class.
Also, I hope there will be a MappingDispatchChainAction too. The MappingDispatchAction is, in my opinion, the absolute best feature of Struts 1.2 and secures the internals of the app better (i.e., not exposing method names to the world). However, it seems that it would be impossible to implement (currently) since the parameter attribute is already in use for the chain command.
I just got back from a few days away. In all the mail, I may have missed further discussion on this -- in fact, I kind of thought I'd replied to it before!
I think the dispatch chain action is flawed now that it takes two values to really look up a command to execute (the command name and the chain name). I think it would make sense to derive a single string syntax which joins these two values, but that doesn't solve the security problem in any way.
I also think the base DispatchAction should not be furthered; instead, we should simply add a chain command which reads catalog/command values from the ActionMapping and does the same work. I'll bring this up on the dev list soon.
I agree that it would be nice to have some internal method dispatch in a command. We use that style extensively at my day job. I wonder if it's worth adding support for that in the chain package itself?
Joe
--
Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "Narrow minds are weapons made for mass destruction" -The Ex
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
