On Wed, 16 Mar 2005 15:53:35 -0600, Michael Rasmussen <[EMAIL PROTECTED]> wrote:
> > I understand what you're suggesting, and on the face of it, it seems
> > like a nice idea. However, I fear that including such a mechanism in
> > Struts would lead to serious security vulnerabilities in some people's
> > applications. This is because essentially *any* method on the POJO
> > could end up being invoked accidentally or maliciously. We had an
>
> Isn't that only true if the form is getting its contract from the html
> form rather than the VO?
>
> I am assuming the vulnerability is that someone could add a parameter
> to their request url and inject the value into the form arbitrarily
> calling a public "logMeIn()" method.
>
> If however you were to create the contract from the VO, the logMeIn
> parameter will just be ignored. Is that incorrect? I'm asking
> because I'm curious about the issue.

The problem is that you can't guarantee that the classes people use this
with are true VOs. Just as some people attempt to equate form beans with
business beans today, some people would attempt to generate the form beans
from their business beans directly with this mechanism, thus unwittingly
exposing all of their business logic methods in a way that they could
potentially be invoked through an additional request parameter.

--
Martin Cooper

> > issue like this with ActionForm some time ago, until someone pointed
> > it out to us.
> >
> > --
> > Martin Cooper

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
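The exchange above contrasts two ways a framework can decide which request parameters reach a bean: taking the contract from whatever the request carries, or taking it from an explicit list the application declares. The following is an added illustration, not Struts code and not anything from the thread's authors; the class AccountBean, its logMeIn() method, the two populator functions and the constructed parameter map are all hypothetical. It shows that a reflective populator which treats every public method as reachable lets a stray "logMeIn" parameter flip state on a business bean, while a populator driven by an allow-list of declared properties drops the same parameter.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class BeanPopulationDemo {

    // Hypothetical business bean that an application might wrongly reuse as a form bean.
    public static class AccountBean {
        private String username = "";
        private boolean loggedIn = false;

        public void setUsername(String username) { this.username = username; }
        public String getUsername() { return username; }
        public boolean isLoggedIn() { return loggedIn; }

        // Business-logic method: should never be reachable from a request parameter.
        public void logMeIn() { loggedIn = true; }
    }

    private static String capitalize(String s) {
        return s.isEmpty() ? s : Character.toUpperCase(s.charAt(0)) + s.substring(1);
    }

    // Naive populator: the request is the contract. Every parameter name is matched
    // by reflection against the bean's public methods, so any zero-argument public
    // method (logMeIn included) becomes invocable by naming it in the request.
    public static List<String> populateFromRequest(Object bean, Map<String, String> params)
            throws Exception {
        List<String> invoked = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            for (Method m : bean.getClass().getMethods()) {
                if (m.getName().equals(name) && m.getParameterCount() == 0) {
                    m.invoke(bean);
                    invoked.add(name);
                } else if (m.getName().equals("set" + capitalize(name))
                        && m.getParameterCount() == 1
                        && m.getParameterTypes()[0] == String.class) {
                    m.invoke(bean, e.getValue());
                    invoked.add(name);
                }
            }
        }
        return invoked;
    }

    // Contract-driven populator: the application declares which properties the form
    // accepts; only their String setters are called and every other parameter is ignored.
    public static List<String> populateFromContract(Object bean, Set<String> allowedProperties,
            Map<String, String> params) throws Exception {
        List<String> applied = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            if (!allowedProperties.contains(name)) {
                continue; // "logMeIn" is not a declared property, so it is dropped here
            }
            Method setter = bean.getClass().getMethod("set" + capitalize(name), String.class);
            setter.invoke(bean, e.getValue());
            applied.add(name);
        }
        return applied;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the expected "username" field plus an extra "logMeIn" parameter.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("logMeIn", "");

        AccountBean naive = new AccountBean();
        List<String> touched = populateFromRequest(naive, params);
        System.out.println("request-as-contract: touched=" + touched
                + " loggedIn=" + naive.isLoggedIn());

        AccountBean guarded = new AccountBean();
        List<String> applied = populateFromContract(guarded, Set.of("username"), params);
        System.out.println("declared-contract:   applied=" + applied
                + " loggedIn=" + guarded.isLoggedIn());
    }
}
```

The design point is the one Martin raises: the allow-list only helps if the framework, not the request, owns the contract, and if the bean being populated is genuinely a value object. Generating that list from a business bean's public methods would reproduce the first populator's behaviour under another name.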