Jan T. Kim wrote:
> (2) Isn't encoding methods in action name suffixes like this a potential
> security issue?
> So, are wildcards useful for development but have to be expanded before
> putting a system to production use?
The only security issue I'm aware of is if the developer exposes
unwanted behavior in an action by making methods public when they
shouldn't be. A web app should have a real security mechanism in place
anyway, making sure that only users with appropriate access rights are
able to execute actions (or whatever granularity is required).
> Replacing the filename-globbing-like wildcard system with a complete
> regular expression system would allow writing more precise rules, e.g.
> one could write
>   <action name="^bleh(_((input)|(dummy)))?$" method="{2}" ...>
>   ...
>   </action>
> and be certain that the method attribute won't take any values other
> than "input", "dummy", or the empty string (which then probably should
> map to the execute method).
I'm sure we'd consider a patch, if such a matcher doesn't already
exist--but personally I'm not convinced of the utility, since it
basically means you'd then have two places to keep up to date: the
action class and its mapping (assuming XML configuration).
Dave
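An added illustration of the difference between the two mapping styles, written by the editor in Python rather than Struts' Java and not taken from either poster or from Struts itself. With a wildcard mapping the request path picks the method name, so any public method on the action is reachable; with the anchored regex above only "input", "dummy" or the default survive. The glob-to-regex translation and the "execute" default are assumptions for the sake of the example.

```python
import re
from typing import Optional, Tuple

# Assumption: a Struts-style wildcard mapping where "*" captures any run of
# characters and "{1}" substitutes the first capture into the method name.
GLOB_MAPPING: Tuple[str, str] = ("bleh_*", "{1}")

# The regex mapping proposed in the thread: group 2 can only ever be
# "input", "dummy" or absent, so nothing else reaches the action.
REGEX_MAPPING: Tuple[str, str] = (r"^bleh(_((input)|(dummy)))?$", "{2}")

DEFAULT_METHOD = "execute"  # what an empty/absent method group maps to (assumed)


def glob_to_regex(glob: str) -> str:
    """Translate a wildcard pattern into an anchored regex, one capture per '*'."""
    literal_parts = [re.escape(part) for part in glob.split("*")]
    return "^" + "(.*)".join(literal_parts) + "$"


def resolve_method(mapping: Tuple[str, str], action_name: str) -> Optional[str]:
    """Return the method an action name would dispatch to, or None if unmapped.

    fullmatch is used even though the regex is anchored: Python's "$" also
    matches before a trailing newline, and fullmatch closes that gap.
    """
    pattern, method_template = mapping
    if not pattern.startswith("^"):  # a wildcard mapping: translate it first
        pattern = glob_to_regex(pattern)
    match = re.fullmatch(pattern, action_name)
    if match is None:
        return None
    group_index = int(method_template.strip("{}"))
    captured = match.group(group_index)
    return captured if captured else DEFAULT_METHOD


if __name__ == "__main__":
    # Constructed request names, including one an author never intended to expose.
    for name in ("bleh", "bleh_input", "bleh_dummy", "bleh_dropAllUsers"):
        print(f"{name:20} glob -> {resolve_method(GLOB_MAPPING, name)!s:15}"
              f" regex -> {resolve_method(REGEX_MAPPING, name)}")
```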