Subject: Re: strict DMI
From: John Lindal (supp@newplanetsoftware.com)
Date: Jan 4, 2012 11:13:17 am
List: org.apache.struts.dev

Actually, the wiki did mention that "method" is in addition to allowed-methods. I have updated it to make it clearer and also explain that since wildcards are specified in the "method", this is not blocked by allowed-methods. I also added a note about allowed-methods without strict-method-invocation. (They are independent.)

Thanks for the feedback.

John

On Jan 4, 2012, at 12:49 AM, Andreas Sachs wrote:

According to the documentation: In Struts 2.3, an option was added to restrict the methods that DMI can invoke. First, set the attribute strict-method-invocation="true" on your <package> element. Then specify <allowed-methods> as a comma-separated list of method names in your <action>. A request for any other method will be rejected. (If you specify a method attribute for your action, you do not need to list it in <allowed-methods>.)

It's not defined what will happen if a method attribute for the action is specified (wildcard or not) and <allowed-methods> is also specified.

Can you make the documentation of <allowed-methods> and strict-method-invocation more clear?

What does strict-method-invocation mean:

set to true:
- method attribute must be specified or allowed-methods must be defined?

set to false:
- method attribute need not be specified and allowed-methods need not be defined. But what will happen if I add allowed-methods? (Is the invocation limited to these methods?)

What does <allowed-methods> mean:

If a method attribute and allowed-methods are specified, will allowed-methods be respected (this only makes sense if the method attribute contains a wildcard)?

From my point of view <allowed-methods> should be treated independently of strict-method-invocation:

allowed_method: if specified, it should be respected, even if strict-method-invocation is turned off.

strict-method-invocation: if turned on, methods must be specified (by method-attribute or allowed_method)

Thanks Andi

-------- Original Message --------

Date: Tue, 3 Jan 2012 15:42:50 -0800
From: John Lindal <supp@newplanetsoftware.com>
To: "Struts Developers List" <de@struts.apache.org>
Subject: Re: strict DMI

I think the <allowed-methods> tag inside an <action> controls both.

On Jan 3, 2012, at 2:50 PM, Andreas Sachs wrote:

Hi, I like the idea of strict-method-invocation="true" and the possibility to define the allowed methods. I'm just wondering why this is only implemented for DMI and not for wildcard method invocation. Are there any reasons for this?