From what I've understood from your "mapping-declared cancel parameter", it requires every cancelable mapping to declare its cancel param, so it is supposed that the action correctly handles a canceled request.
In this case, changing the cancel key has no effect on security, as canceling is correctly handled! You may just add a boolean property "accept-cancel" and make it required for the Struts cancel mechanism to be used.
Nico.

Frank W. Zammetti wrote:
Joe, I think Rick is correct, I too do not see how this will solve the problem. Recall that the way it works today, you can bypass validate() being fired for *any* Action, not just those which are designed to handle a cancel button. This is where the problem arises... depending on what is done in validate() (whether we as architects find it appropriate or not) can cause problems in execute() and beyond, potentially security problems. Of course, perhaps Rick and I are *both* not seeing it :)
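Added example, not part of the original messages and not Struts code: a minimal Java model of the behaviour Frank describes (a cancel parameter skipping validate() for any Action) beside the per-mapping opt-in Nico suggests. The names CANCEL_PARAM, Mapping, acceptCancel, processLegacy and processOptIn are hypothetical, and the request data is constructed.

```java
import java.util.Map;

// Simplified model of the request flow discussed in this thread; not Struts source.
public class CancelBypassDemo {
    // Hypothetical stand-in for the framework's cancel request parameter.
    static final String CANCEL_PARAM = "cancel";

    // Hypothetical mapping: acceptCancel models the per-mapping "accept-cancel" opt-in.
    record Mapping(String path, boolean acceptCancel) {}

    // Stand-in for a form's validate(): true when the input is acceptable.
    static boolean validate(Map<String, String> params) {
        String qty = params.get("quantity");
        return qty != null && qty.matches("[0-9]{1,3}");
    }

    // Behaviour described in the thread: the mapping is never consulted, so a
    // cancel parameter skips validate() for any Action.
    static String processLegacy(Mapping m, Map<String, String> params) {
        boolean cancelled = params.containsKey(CANCEL_PARAM);
        if (!cancelled && !validate(params)) return "input";
        return "execute"; // reached with unvalidated data whenever cancelled is true
    }

    // Opt-in variant: cancel is honoured only where the mapping declares it,
    // and the Action is told explicitly that it is handling a cancel.
    static String processOptIn(Mapping m, Map<String, String> params) {
        boolean cancelled = params.containsKey(CANCEL_PARAM);
        if (cancelled && !m.acceptCancel()) return "rejected";
        if (!cancelled && !validate(params)) return "input";
        return cancelled ? "execute-cancelled" : "execute";
    }

    public static void main(String[] args) {
        Mapping order = new Mapping("/order", false);  // never designed for cancel
        Mapping wizard = new Mapping("/wizard", true); // has a real cancel button
        // Constructed request: invalid quantity plus the cancel parameter.
        Map<String, String> req = Map.of("quantity", "-1", CANCEL_PARAM, "x");

        System.out.println("legacy /order:  " + processLegacy(order, req));
        System.out.println("opt-in /order:  " + processOptIn(order, req));
        System.out.println("opt-in /wizard: " + processOptIn(wizard, req));
        System.out.println("opt-in /order, no cancel: "
                + processOptIn(order, Map.of("quantity", "-1")));
    }
}
```

In the opt-in variant a mapping that sets acceptCancel still runs without validate() on a cancelled request, so its Action has to treat every field as unvalidated on that path.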
