Mike Kienenberger wrote the following on 9/17/2004 7:13 PM:

On the other hand, if you're just saying that you can encode your reflection dispatch name so that "/page&method=X" becomes "/a1b2c3d4e5.psc", you've just made the security more obscure. If someone figures out your encoding, they can still bypass it.

I still don't see how it becomes that much different. Take the two approaches (and correct me if I'm wrong, which I'm sure you will:):


In approach one we'll assume going straight to a regular Action:

"/fooBar.do"

I'm assuming you'll have this encoded to look unintelligible to the user and it will end up resolving to use the /someAction.do mapping in your PageStateCacheServlet.

In a dispatch approach you could have a URL that looked like

"/fooBar?dispatch=update"

I don't believe the above would be 'that' much more work to encode and decode?

I don't think dispatch actions should be done away with because of security concerns. Those not using any kind of encoding stuff, like you are Mike, still often claim the regular Action is more secure because you don't have a dispatch parameter signifying what you are doing. This argument is weak though, because using a regular Action you can tell what you are doing just as easily.

Couldn't most security concerns be checked when the user gets to the Action or by some filter? In other words, if someone mangles a URL to try to get to an update page when they should only be going to a view only page, you could always make sure to check the user has permission to get to that resource and kick them out if they don't.

After reverting back to using regular Actions I decided to go back to using regular DispatchActions. I think they help organize the code better. Like I mentioned in another post, I don't see people breaking up a FooBarDao into UpdateFooBarDao and CreateFooBarDao classes.

I'm certainly not saying that using a DispatchAction is that much better than breaking out the code into separate Actions; I'm just not seeing how the other side can claim the reverse, that using regular Actions is much better. Possibly if it makes encoding much easier in some way, and that is an application requirement, then I could see how using regular Actions would be preferable in that instance.

You could also always just code your DispatchActions with the unspecified method and then have the flexibility to add other methods later if they logically fit within that class.

--
Rick
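The check Rick describes above (authorize at the Action rather than trusting an obscured URL), as an added example that is not code from this thread: a Struts 1 DispatchAction that gates each dispatch method on a container role before any reflective dispatch happens, so a request edited from `?dispatch=view` to `?dispatch=update` is refused server-side. Assumed: the struts-config mapping sets `parameter="dispatch"`, forwards named `view`, `update` and `unauthorized` exist, and the class and role names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

// Hypothetical class: every dispatch method is allow-listed with the role it
// needs. A method name absent from the map is never dispatched, whatever the
// URL says, and the role is checked before DispatchAction's reflection runs.
public class FooBarDispatchAction extends DispatchAction {

    // dispatch method name -> container role required to invoke it (assumed roles)
    private static final Map REQUIRED_ROLE = new HashMap();
    static {
        REQUIRED_ROLE.put("view", "user");
        REQUIRED_ROLE.put("update", "editor");
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // Read the same request parameter DispatchAction itself uses ("dispatch").
        String method = request.getParameter(mapping.getParameter());
        if (method == null) {
            // No dispatch parameter: fall back to the unspecified() default.
            return unspecified(mapping, form, request, response);
        }
        String role = (String) REQUIRED_ROLE.get(method);
        if (role == null || !request.isUserInRole(role)) {
            // Unknown method or insufficient role: refuse and stop here.
            return mapping.findForward("unauthorized");
        }
        // Authorized: let DispatchAction route to view()/update() as usual.
        return super.execute(mapping, form, request, response);
    }

    public ActionForward unspecified(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        return view(mapping, form, request, response);
    }

    public ActionForward view(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        return mapping.findForward("view");   // read-only page
    }

    public ActionForward update(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        return mapping.findForward("update"); // reached only with the "editor" role
    }
}
```

The same allow-list check could equally live in a servlet Filter keyed on mapping path plus dispatch parameter, which is the other placement Rick mentions.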
