PHP's register_globals really has nothing to do with GET vs POST but rather with how it could be possible to inject variables into a script to compromise later evaluation. Since Java doesn't allow such dynamic variables, there is no equivalent.
In addition, whether your action is executed via GET or POST has no practical security implication. If your code can be compromised by a GET, you are certainly just as vulnerable with a POST. GET and POST are just different HTTP methods with different parameter encoding schemes. Now, if you really want to, for whatever reason, restrict an action or a set of actions to one or more methods, a custom interceptor would be easy to write. You can access the current method via the ServletActionRequest.getRequest() object and decide to continue execution or abort with a 403 or whatever.

Don

On Tue, Oct 28, 2008 at 2:09 PM, esemba <[EMAIL PROTECTED]> wrote:
>
> I've a simple question. How can I write an action that only serves GET /
> POST requests? Let's suppose I've an action that authenticates users. In the
> action there are fields username and password, which I set from a form via
> the POST HTTP method. The action works the same if I request a URL like
> myAction.action?username=admin&password=blah (the GET way). It is definitely
> a security weakness and reminds me of the PHP directive register_globals (which
> treats POST/GET variables the same way and in newer versions is deprecated,
> or even not present). Even in servlets there are methods like doPost, doGet,
> doXXX, so you can distinguish the servlet's behavior for different types of
> requests. I'm pretty sure this has already been solved here, but a search for
> keywords like "get post method problem" didn't return any reasonable
> threads.
>
> Thank you for your suggestions.
> --
> View this message in context:
> http://www.nabble.com/-S2--actions-responding-only-to-POST-GET-methods-tp20200721p20200721.html
> Sent from the Struts - User mailing list archive at Nabble.com.
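The custom interceptor Don sketches, written out as an added example (not code from the thread or from Struts itself): it reads the request method through ServletActionContext, lets the action run only for the methods listed in its `allowedMethods` parameter, and otherwise ends the request with a 403. The package, class and action names are assumed.

```java
// Added example: a Struts 2 interceptor that restricts an action to the HTTP
// methods configured in struts.xml and aborts with 403 for anything else.
// Package/class/action names below are assumptions, not the project's own.
package example.interceptor;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class HttpMethodInterceptor extends AbstractInterceptor {

    // Filled from <param name="allowedMethods">POST,PUT</param>; defaults to
    // POST only so that a forgotten parameter fails closed rather than open.
    private Set<String> allowedMethods = new HashSet<String>(Arrays.asList("POST"));

    public void setAllowedMethods(String csv) {
        Set<String> parsed = new HashSet<String>();
        for (String m : csv.split(",")) {
            String t = m.trim().toUpperCase(Locale.ROOT);
            if (!t.isEmpty()) parsed.add(t);
        }
        allowedMethods = parsed;
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        String method = request.getMethod().toUpperCase(Locale.ROOT);
        if (!allowedMethods.contains(method)) {
            // Method not allowed for this action: send 403 and render no result.
            HttpServletResponse response = ServletActionContext.getResponse();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "HTTP method " + method + " is not allowed for this action");
            return Action.NONE;
        }
        return invocation.invoke();
    }
}

/* struts.xml registration (assumed names); place the interceptor before the
   default stack so the check runs before parameters are populated:
   <interceptor name="httpMethod" class="example.interceptor.HttpMethodInterceptor"/>
   <action name="login" class="example.LoginAction">
     <interceptor-ref name="httpMethod"><param name="allowedMethods">POST</param></interceptor-ref>
     <interceptor-ref name="defaultStack"/>
   </action> */
```

With this in place, a GET to myAction.action?username=...&password=... is answered with 403 before the action or the params interceptor ever sees the query string.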