Thank you. I'm surprised that such a fundamental security issue isn't handled in Struts. When I was learning PHP, turning the register_globals directive off was strongly recommended.
Mead Lai wrote:
>
> url=action?username=admin&password=blah
> You mean the GET way is too weak and you want to avoid using the 'get' method?
>
> Get the request from the context and test the method: if it's the POST method,
> handle the process; if it's the GET method, refuse the connection.
> String method = ServletActionContext.getRequest().getMethod();
> But it is an awkward way.
>
> Although servlets have doPost and doGet methods, they can't stop the GET-method
> connection at all, and the same goes for Struts 2.
> Anyway, HTTP is not safe; 'post' is a little better than 'get'.
>
> On Tue, Oct 28, 2008 at 11:25 AM, esemba <[EMAIL PROTECTED]> wrote:
>
>> Thank you for your reply.
>> Well, yes, but it doesn't answer my question. I'm aware of this, but it
>> specifies only the method the form uses. But when I call the targeted action
>> directly, e.g. from a browser (and thus use the GET method), the action will
>> work as well.
>> Thank you for your suggestions.
>>
>> Mead Lai wrote:
>> >
>> > . How can I write an action that only serves GET / POST requests.
>> >
>> > <s:form method='post'></s:form>
>> > or
>> > <s:form method='get'></s:form>
>> >
>> > On Tue, Oct 28, 2008 at 11:09 AM, esemba <[EMAIL PROTECTED]> wrote:
>> >
>> >> I've a simple question. How can I write an action that only serves GET /
>> >> POST requests? Let's suppose I've an action that authenticates users. In
>> >> the action there are fields username and password, which I set from a form
>> >> via the POST HTTP method. The action works the same if I request a URL like
>> >> myAction.action?username=admin&password=blah (the GET way). It is
>> >> definitely a security weakness and reminds me of the PHP directive
>> >> register_globals (which treats post/get variables the same way and in
>> >> newer versions is deprecated, or even not present). Even in servlets there
>> >> are methods like doPost, doGet, doXXX, so you can distinguish the servlet's
>> >> behavior for different types of requests. I'm pretty sure this has already
>> >> been solved here, but a search for keywords like "get post method problem"
>> >> didn't return any reasonable threads.
>> >>
>> >> Thank you for your suggestions.
>> >> --
>> >> View this message in context:
>> >> http://www.nabble.com/-S2--actions-responding-only-to-POST-GET-methods-tp20200721p20200721.html
>> >> Sent from the Struts - User mailing list archive at Nabble.com.
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >> For additional commands, e-mail: [EMAIL PROTECTED]
>> >
>> > --
>> > BestRegards,
>> > Mead
>> > http://yayisoft.com
>> >
>> > Quentin Crisp - "If at first you don't succeed, failure may be your style."
>
> --
> BestRegards,
> Mead
> http://yayisoft.com
>
> George Carlin - "The other night I ate at a real nice family restaurant.
> Every table had an argument going."
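One way to turn the method check Mead suggests above into a reusable Struts 2 interceptor, as an added example that is not code from this thread or from the Struts project. It assumes the Struts 2 / XWork interceptor API (AbstractInterceptor, ServletActionContext) and a hypothetical @PostOnly marker annotation:

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/** Marker for actions that must only be reachable with POST (hypothetical name). */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface PostOnly {}

/**
 * Rejects any non-POST request aimed at an action annotated with @PostOnly.
 * Because the interceptor refuses before invoking the rest of the stack,
 * the action's setters are never populated from the query string on a GET.
 */
public class PostOnlyInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Object action = invocation.getAction();
        if (action.getClass().isAnnotationPresent(PostOnly.class)) {
            HttpServletRequest request = ServletActionContext.getRequest();
            if (!"POST".equalsIgnoreCase(request.getMethod())) {
                HttpServletResponse response = ServletActionContext.getResponse();
                // 405 tells the client the method is wrong; Allow lists what is accepted.
                response.setHeader("Allow", "POST");
                response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return null; // error already written; no Struts result to render
            }
        }
        // POST, or an action without the marker: continue down the stack as usual.
        return invocation.invoke();
    }
}
```

Declare it in struts.xml with an `<interceptor>` element and reference it in the stack ahead of `defaultStack`, so it runs before the params interceptor and a GET never copies username and password into the action. Refusing GET only stops credentials from landing in the URL, browser history and access logs; protecting them on the wire still requires HTTPS.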