> 
> I understand what you're suggesting, and on the face of it, it seems
> like a nice idea. However, I fear that including such a mechanism in
> Struts would lead to serious security vulnerabilities in some people's
> applications. This is because essentially *any* method on the POJO
> could end up being invoked accidentally or maliciously. We had an

Isn't that only true if the form is getting its contract from the HTML
form rather than the VO?

I am assuming the vulnerability is that someone could add a parameter
to their request URL and inject the value into the form, arbitrarily
calling a public "logMeIn()" method.

If however you were to create the contract from the VO, the logMeIn
parameter will just be ignored.  Is that incorrect?  I'm asking
because I'm curious about the issue.

 

> issue like this with ActionForm some time ago, until someone pointed
> it out to us.
> 
> --
> Martin Cooper
>
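
The binding concern discussed in this thread, as an added example that is not from either poster or from Struts: a reflective binder in which the request decides which setters run, beside the same binder restricted to an explicit property contract. The `Account` class, the `bind` helper and the request parameters are hypothetical and constructed for illustration.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class BindingDemo {
    // Hypothetical POJO: "name" is on the HTML form, "role" is not.
    public static class Account {
        private String name = "";
        private String role = "user";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getRole() { return role; }
        public void setRole(String role) { this.role = role; }
    }

    // Binds request parameters to String setters. With allowed == null the
    // request decides which setters run; otherwise only listed properties bind.
    static void bind(Object bean, Map<String, String> params, Set<String> allowed)
            throws Exception {
        for (PropertyDescriptor pd :
                Introspector.getBeanInfo(bean.getClass(), Object.class).getPropertyDescriptors()) {
            String value = params.get(pd.getName());
            if (value == null || pd.getWriteMethod() == null) continue;
            if (pd.getPropertyType() != String.class) continue; // demo handles strings only
            if (allowed != null && !allowed.contains(pd.getName())) continue;
            pd.getWriteMethod().invoke(bean, value);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: "role" was appended by the client.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "alice");
        params.put("role", "admin");

        Account open = new Account();
        bind(open, params, null);
        System.out.println("unrestricted: role=" + open.getRole());

        Account restricted = new Account();
        bind(restricted, params, Set.of("name"));
        System.out.println("allow-list:   role=" + restricted.getRole());
    }
}
```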
