Thank you both for replying. It's much clearer now. I just wanted to forbid GET access to actions. I think it's a completely legal request to be able to explicitly deny access to actions like AuthenticateUser (no matter the security, parameters, etc. for now). I just don't want anyone to call such actions from the address bar, etc. Now I understand the issue better. In rare cases, I'll simply get the method and in the GET case return the ERROR code. Thank you both again.
hernan gonzalez wrote:
>
> Don is right.
> No security issue here (and absolutely nothing to do with PHP's register_globals).
> I see little use in trying to discriminate between GET and POST on the action side, at least not in relation with security.
> Of course, you should never use GET when submitting a password, but that's a privacy concern you (the developer) just deal with when writing your jsp. A hypothetical convolved user can always try to go to the same url using a GET, passing the parameters in the query string. But that would be a dumb user rather than a malicious one.
> The action could deny the request if it is a GET, but that would be little or no gain; the harm the user can do (to himself; eg leaving his password in some log) has already been done.
>
> Hernán
>
>
> On Tue, Oct 28, 2008 at 11:27 AM, Don Brown <[EMAIL PROTECTED]> wrote:
>> PHP's register_globals really has nothing to do with GET vs POST but rather with how it could be possible to inject variables into a script to compromise later evaluation. Since Java doesn't allow such dynamic variables, there is no equivalent.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

--
Sent from the Struts - User mailing list archive at Nabble.com.
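The check described above (get the request method, reject GET before the action runs) as a Struts 2 interceptor, so it can be attached to AuthenticateUser or any other action from struts.xml rather than repeated in each execute(). This is an added example, not code from this thread or from Struts itself; the package, class and action names are hypothetical. As Hernán says, this enforces how the action is meant to be called and is not a security control by itself: the same parameters still reach the action when the client sends them in a POST body.

```java
package example.interceptor; // hypothetical package

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every request to the guarded action that did not arrive as POST,
 * answering 405 Method Not Allowed before the action (and its parameter
 * population) runs.
 *
 * Registration in struts.xml (hypothetical names; put it before defaultStack
 * so the method is checked before any parameters are applied):
 *
 *   <interceptors>
 *     <interceptor name="postOnly" class="example.interceptor.PostOnlyInterceptor"/>
 *   </interceptors>
 *   <action name="AuthenticateUser" class="example.AuthenticateUserAction">
 *     <interceptor-ref name="postOnly"/>
 *     <interceptor-ref name="defaultStack"/>
 *     <result name="success">/welcome.jsp</result>
 *   </action>
 */
public class PostOnlyInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpServletResponse response = ServletActionContext.getResponse();

        // Method names are case-insensitive in practice; compare accordingly.
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            // Tell the client which method is acceptable and answer 405.
            // Action.NONE tells Struts the response is already written, so no
            // result is rendered. Returning Action.ERROR instead would render an
            // "error" result, which the action mapping must then define.
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return Action.NONE;
        }
        // POST: continue down the interceptor stack to the action itself.
        return invocation.invoke();
    }
}
```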