Frank, Good response. Let me add some to it:
The problem isn't that Struts allows the user to cancel an action, but that EVERY action can be cancelled. This problem is heavily felt by GET requests because URLs are easy to mangle... and parameters can be added ad-hoc. I can take any action I use for a GET, add the CANCEL parameter to it, and then bypass all the validation I worked very hard to code :-)

I think this is an obvious bug: cancellations make sense during form driven input (or across many forms like a wizard), but cancelling with a link? Sure it could be useful but not in any applications I am dealing with. It's not so much a matter of finding a "cancel" forward. The problem is actions should control if they CAN be cancelled so their validation isn't bypassed. To me, this is a security concern and I think should be given a fix.

Paul
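One way an application can let each action decide whether it may be cancelled, as described in the message above. This is an added example, not code from the original message or from the Struts project; the class name `CancelAwareAction`, its hook methods and the "cancel" forward name are assumptions, and it compiles against the Struts 1.x and Servlet API jars.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Hypothetical base class: a request flagged as cancelled skips form
 * validation, so it is refused unless the concrete action opts in.
 */
public abstract class CancelAwareAction extends Action {

    /** Override to return true only for actions behind a form with a real Cancel button. */
    protected boolean canBeCancelled() {
        return false;
    }

    /** Normal path: the request was not flagged as cancelled, so validation was not skipped. */
    protected abstract ActionForward executeValidated(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;

    /** Cancel path, reached only after opt-in. The form is unvalidated here: do not act on it. */
    protected ActionForward executeCancelled(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        return mapping.findForward("cancel"); // forward name is an assumption
    }

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // isCancelled() is the standard Action helper that reports the cancel flag.
        if (isCancelled(request)) {
            if (!canBeCancelled()) {
                // Refuse instead of running business logic on unvalidated input.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "This action cannot be cancelled");
                return null; // response already committed
            }
            return executeCancelled(mapping, form, request, response);
        }
        return executeValidated(mapping, form, request, response);
    }
}
```

Because `execute` is final, a subclass cannot reach its business logic on a cancelled request without first overriding `canBeCancelled()`.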