|Subject:||Re: strict DMI|
|From:||John Lindal (supp...@newplanetsoftware.com)|
|Date:||Jan 4, 2012 11:13:17 am|
Actually, the wiki did mention that "method" is in addition to allowed- methods. I have updated it to make it clearer and also explain that since wildcards are specified in the "method", this is not blocked by allowed-methods. I also added a note about allowed-methods without strict-method-invocation. (They are independent.)
Thanks for the feedback.
On Jan 4, 2012, at 12:49 AM, Andreas Sachs wrote:
According to the documentation: In Struts 2.3, an option was added to restrict the methods that DMI can invoke. First, set the attribute strict-method-invocation="true" on your <package> element. Then specify <allowed-methods> as a comma- separated list of method names in your <action>. A request for any other method will be rejected. (If you specify a method attribute for your action, you do not need to list it in <allowed-methods>.)
It's not defined what will happen if a method attribute for the action is specified (wildcard or not) and <allowed-methods> is also specified.
Can you make the documentation of <allowed-methods> and strict- method-invocation more clear?
What does strict-method-invocation mean: set to true: -method attribute must be specified or allowed-methods must be defined?
set to false: -method attribute need not be specified and allowed-methods need not be defined. But what will happen if i add allowed-methods? (is the invocation limited to these methods?)
What does <allowed-methods> mean: If a method attribute and allowed-methods is specified, will allowed-methods be respected (this makes only sense if the method attribute contains a wildcard)?
From my point of view <allowed-methods> should be treated independently of strict-method-invocation:
allowed_method: if specified, it should be respected, even if strict- method-invocation is turned off. strict-method-invocation: if turned on, methods must be specified (by method-attribute or allowed_method)
-------- Original-Nachricht --------
I think the <allowed-methods> tag inside an <action> controls both.
On Jan 3, 2012, at 2:50 PM, Andreas Sachs wrote:
Hi, i like the idea of strict-method-invocation="true" and the possibility to define the allowed methods. I'm just wondering why this is only implemented for DMI and not for wildcard method invocation. Are there any reasons for this?
-- Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
-- NEU: FreePhone - 0ct/min Handyspartarif mit Geld-zurück-Garantie! Jetzt informieren: http://www.gmx.net/de/go/freephone