Jan T. Kim wrote:
> (2) Isn't encoding methods in action name suffixes like this a potential
> security issue?

> So, are wildcards useful for development but have to be expanded before
> putting a system to production use?

The only security issue I'm aware of is if the developer exposes unwanted behavior in an action by making methods public when they shouldn't be. A web app should have a real security mechanism in place anyway, making sure that only users with appropriate access rights are able to execute actions (or whatever granularity is required).

> Replacing the filename globbing like wildcard system with a complete
> regular expression system would allow writing more precise rules, e.g.
> one could write
>
>     <action name="^bleh(_((input)|(dummy)))?$" method="{2}" ...>
>       ...
>     </action>
>
> and be certain that the method attribute won't take any values other
> than "input", "dummy", or the empty string (which then probably should
> map to the execute method).

I'm sure we'd consider a patch, if such a matcher doesn't already exist--but personally I'm not convinced of the utility, since it basically means you'd then have two places to keep up to date: the action class and its mapping (assuming XML configuration).

Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
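The regex-style mapping sketched in the quoted text, placed next to a plain wildcard mapping, as an added example that is neither Struts code nor from anyone in this thread. It models the name/method resolution in Python, with {n} standing for the n-th capture group as in the sketch; the glob-to-regex conversion (each * becomes one group that does not cross a "/"), the BlehAction class and its ALLOWED_METHODS allowlist are assumptions made for illustration, not Struts behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Mapping:
    name: str            # value of the <action name="..."> attribute
    method: str          # method template, e.g. "{1}" or "{2}"
    regex: bool = False  # False: name is a wildcard glob; True: a full regex

def _glob_to_regex(glob: str) -> str:
    # Assumed simplification of wildcard matching: every '*' becomes one
    # capture group that does not span a path separator; the rest is literal.
    pieces = re.split(r"(\*)", glob)
    parts = [re.escape(p) if i % 2 == 0 else "([^/]*)" for i, p in enumerate(pieces)]
    return "^" + "".join(parts) + "$"

def _substitute(template: str, hit: "re.Match") -> str:
    # Replace each {n} with capture group n; a group that did not take part
    # in the match (optional branch) contributes the empty string.
    return re.sub(r"\{(\d+)\}", lambda m: hit.group(int(m.group(1))) or "", template)

def resolve(mappings: List[Mapping], action_name: str) -> Optional[Tuple[Mapping, str]]:
    """Return (mapping, method) for the first mapping whose name matches."""
    for m in mappings:
        pattern = m.name if m.regex else _glob_to_regex(m.name)
        hit = re.fullmatch(pattern, action_name)
        if hit:
            # Empty method (e.g. "bleh" with no suffix) falls back to execute().
            return m, _substitute(m.method, hit) or "execute"
    return None

class BlehAction:
    # Hypothetical action class; wipe() is public but never meant to be
    # reachable from a URL, which is exactly the exposure Dave describes.
    def execute(self): return "executed"
    def input(self):   return "input form"
    def dummy(self):   return "dummy"
    def wipe(self):    return "data wiped"

ALLOWED_METHODS = {"execute", "input", "dummy"}   # assumed allowlist check

def dispatch(mappings: List[Mapping], action_name: str) -> Tuple[str, Optional[str]]:
    """Resolve and invoke; the allowlist is the 'real security mechanism'
    that must exist regardless of how precise the mapping pattern is."""
    resolved = resolve(mappings, action_name)
    if resolved is None:
        return ("no-mapping", None)
    _, method = resolved
    if method not in ALLOWED_METHODS:
        return ("denied", method)
    return ("ok", getattr(BlehAction(), method)())

# Constructed mappings: the wildcard form and the regex form from the thread.
GLOB_MAPPINGS = [Mapping("bleh_*", "{1}")]
REGEX_MAPPINGS = [Mapping(r"^bleh(_((input)|(dummy)))?$", "{2}", regex=True)]

if __name__ == "__main__":
    for name in ("bleh", "bleh_input", "bleh_dummy", "bleh_wipe"):
        print(f"{name:12} glob -> {resolve(GLOB_MAPPINGS, name)!r:45} "
              f"regex -> {resolve(REGEX_MAPPINGS, name)!r}")
```

The wildcard mapping hands whatever follows "bleh_" straight to the method attribute, so the allowlist in dispatch() is the only thing standing between a crafted action name and wipe(); the regex mapping cannot produce anything but "input", "dummy" or "execute", which is the precision argued for in the quoted text, at the cost of a second place to keep in sync with the action class.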
