Hi,

At the moment almost all of my CRUD operations are performed (through service calls) within LookupDispatchAction files; is this considered good practice within Struts?

I've noticed that by using LookupDispatchAction files the user has the ability to save a page offline, modify the name of the submit button, and then gain access to other CRUD operations that are contained within the same Java file. Obviously this has serious security implications. Using the same principle it is also possible for a user to add an additional field to a form, so if BeanUtils.copyProperties is called (depending on how the db call is structured) the user may be able to update restricted values.

Is it possible to safeguard the application from users exploiting this behaviour whilst still using a LookupDispatchAction? I know I could put an isUserInRole at the start of every CRUD operation, however that sounds very messy and would mean that the role attribute on the action is pointless.

Tim Christopher
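The extra-field concern raised in the message, as an added example that is not part of the original post or of Struts itself: copying only an explicit allowlist of properties means a field added to a saved copy of the page is ignored. The `Account` bean, the `copyAllowed` helper and the submitted values are hypothetical and constructed for illustration, and the JDK's `java.beans` introspection stands in for `BeanUtils.copyProperties`.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class AllowlistedCopy {
    // Constructed domain bean: "role" must never be set from a user-submitted form.
    public static class Account {
        private String email = "old@example.test";
        private String role = "user";
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public String getRole() { return role; }
        public void setRole(String v) { role = v; }
    }

    // Hypothetical helper: set only the named String properties on dest.
    // Any submitted key that is not in the allowlist is silently dropped.
    static void copyAllowed(Object dest, Map<String, String> submitted, Set<String> allowed)
            throws Exception {
        for (PropertyDescriptor pd
                : Introspector.getBeanInfo(dest.getClass()).getPropertyDescriptors()) {
            String name = pd.getName();
            if (allowed.contains(name)
                    && submitted.containsKey(name)
                    && pd.getWriteMethod() != null) {
                pd.getWriteMethod().invoke(dest, submitted.get(name));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed submission: the form was edited offline and a "role" field added.
        Map<String, String> submitted = new LinkedHashMap<>();
        submitted.put("email", "new@example.test");
        submitted.put("role", "admin");

        Account account = new Account();
        // Only "email" is editable through this form; "role" stays untouched.
        copyAllowed(account, submitted, Set.of("email"));
        System.out.println(account.getEmail() + " / " + account.getRole());
    }
}
```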