Subject: Re: strict DMI
From: Andreas Sachs (andi@gmx.de)
Date: Jan 4, 2012 12:48:39 am
List: org.apache.struts.dev

According to the documentation: In Struts 2.3, an option was added to restrict the methods that DMI can invoke.
First, set the attribute strict-method-invocation="true" on your <package>
element. Then specify <allowed-methods> as a comma-separated list of method
names in your <action>. A request for any other method will be rejected. (If you
specify a method attribute for your action, you do not need to list it in
<allowed-methods>.)

It's not defined what will happen if a method attribute for the action is
specified (wildcard or not) and <allowed-methods> is also specified.

Can you make the documentation of <allowed-methods> and strict-method-invocation
more clear?

What does strict-method-invocation mean:

set to true:
- method attribute must be specified or allowed-methods must be defined?

set to false:
- method attribute need not be specified and allowed-methods need not be defined.
But what will happen if I add allowed-methods? (is the invocation limited to
these methods?)

What does <allowed-methods> mean:
If a method attribute and allowed-methods are specified, will allowed-methods be
respected (this only makes sense if the method attribute contains a wildcard)?

From my point of view <allowed-methods> should be treated independently of
strict-method-invocation:

allowed_method: if specified, it should be respected, even if
strict-method-invocation is turned off.

strict-method-invocation: if turned on, methods must be specified (by
method-attribute or allowed_method)

Thanks
Andi

-------- Original Message --------

Date: Tue, 3 Jan 2012 15:42:50 -0800
From: John Lindal <supp@newplanetsoftware.com>
To: "Struts Developers List" <de@struts.apache.org>
Subject: Re: strict DMI

I think the <allowed-methods> tag inside an <action> controls both.

On Jan 3, 2012, at 2:50 PM, Andreas Sachs wrote:

Hi, I like the idea of strict-method-invocation="true" and the possibility to define the allowed methods. I'm just wondering why this is only implemented for DMI and not for wildcard method invocation. Are there any reasons for this?
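
An added example, not part of the original messages and not Struts code: a small Python audit of a `struts.xml` that reports the configurations this thread asks about (a package without `strict-method-invocation="true"`, a wildcard `method` attribute with or without `<allowed-methods>`, and `<allowed-methods>` in a non-strict package). It only reports these cases and makes no claim about how Struts resolves them; the sample configuration and the package, action and class names in it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not from the thread); all names are illustrative.
SAMPLE = """
<struts>
  <package name="strict" extends="struts-default" strict-method-invocation="true">
    <action name="user" class="example.UserAction">
      <result>/user.jsp</result>
      <allowed-methods>list, edit</allowed-methods>
    </action>
    <action name="order_*" class="example.OrderAction" method="{1}">
      <result>/order.jsp</result>
    </action>
  </package>
  <package name="legacy" extends="struts-default">
    <action name="report" class="example.ReportAction">
      <result>/report.jsp</result>
      <allowed-methods>show</allowed-methods>
    </action>
  </package>
</struts>
"""

def audit(xml_text):
    """Return (package, action, finding) tuples for the cases raised in the thread."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        strict = pkg.get("strict-method-invocation") == "true"
        if not strict:
            findings.append((pkg.get("name"), None, "strict-method-invocation not enabled"))
        for action in pkg.findall("action"):
            node = action.find("allowed-methods")
            text = node.text or "" if node is not None else ""
            allowed = [m.strip() for m in text.split(",") if m.strip()]
            wildcard = "{" in action.get("method", "")  # e.g. method="{1}"
            key = (pkg.get("name"), action.get("name"))
            if wildcard and not allowed:
                findings.append(key + ("wildcard method attribute without <allowed-methods>",))
            elif wildcard:
                findings.append(key + ("wildcard method plus <allowed-methods>: interaction undocumented",))
            if allowed and not strict:
                findings.append(key + ("<allowed-methods> set but package is not strict",))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```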