At 5:53 PM +0100 1/23/06, Nicolas De Loof wrote:
From what I've understood from your "mapping-declared cancel parameter", it requires every cancelable mapping to declare its cancel param, so it is supposed that the action correctly handles canceled requests. In this case, changing the cancel key has no effect on security, as canceling is correctly handled!

You may just add a boolean property "accept-cancel" and make it required for the Struts cancel mechanism to be used.
This would work about as well, but I thought that making the parameter configurable might appeal to the paranoid.

That said, it would also be a lot more work to implement that way and still support the "html:cancel" tag, so I think I'd opt for Nico's variant.

Joe
Nico.

Frank W. Zammetti wrote:
Joe, I think Rick is correct; I too do not see how this will solve the problem.

Recall that the way it works today, you can bypass validate() being fired for *any* Action, not just those which are designed to handle a cancel button. This is where the problem arises... depending on what is done in validate() (whether we as architects find it appropriate or not), it can cause problems in execute() and beyond, potentially security problems.

Of course, perhaps Rick and I are *both* not seeing it :)
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Joe Germuska
[EMAIL PROTECTED] * http://blog.germuska.com
"You really can't burn anything out by trying something new, and
even if you can burn it out, it can be fixed. Try something new."
-- Robert Moog
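The two behaviours the thread contrasts, as an added model written for this page (not Struts' own RequestProcessor code): today's flow honours the cancel parameter for every mapping and skips validate(), while the proposed flow honours it only where the mapping declares it. The mapping flag `accept_cancel` and the sample actions are assumptions; the parameter name is the one the Struts 1 html:cancel tag submits.

```python
from dataclasses import dataclass
from typing import Callable

# Parameter name the Struts 1 html:cancel tag submits.
CANCEL_KEY = "org.apache.struts.taglib.html.CANCEL"

@dataclass
class Mapping:
    path: str
    action: Callable[[dict, bool], str]  # stand-in for Action.execute()
    accept_cancel: bool = False          # proposed per-mapping declaration (assumed name)

def validate(params):
    """Stand-in for ActionForm.validate(): the business rule lives here."""
    amount = params.get("amount", "")
    if not amount.isdigit():
        return ["amount must be a whole number"]
    if int(amount) > 1000:
        return ["amount exceeds limit"]
    return []

def transfer_action(params, cancelled):
    """Action written without a cancel button in mind: it never checks the flag."""
    return "transferred %s" % params["amount"]

def survey_action(params, cancelled):
    """Cancel-aware action, as an accept_cancel mapping is expected to provide."""
    return "cancelled" if cancelled else "saved"

def process_today(mapping, params):
    """Current behaviour: the cancel parameter skips validate() for *any* mapping."""
    cancelled = CANCEL_KEY in params
    errors = [] if cancelled else validate(params)
    return "input: " + "; ".join(errors) if errors else mapping.action(params, cancelled)

def process_declared(mapping, params):
    """Proposed behaviour: cancel is honoured only where the mapping declares it;
    elsewhere the parameter is ignored and validate() runs as usual."""
    cancelled = CANCEL_KEY in params and mapping.accept_cancel
    errors = [] if cancelled else validate(params)
    return "input: " + "; ".join(errors) if errors else mapping.action(params, cancelled)

if __name__ == "__main__":
    transfer = Mapping("/transfer", transfer_action)                # no cancel button
    survey = Mapping("/survey", survey_action, accept_cancel=True)  # declares cancel
    forged = {"amount": "5000", CANCEL_KEY: "Cancel"}               # constructed request
    print(process_today(transfer, forged))      # transferred 5000 (validate skipped)
    print(process_declared(transfer, forged))   # input: amount exceeds limit
    print(process_declared(survey, {CANCEL_KEY: "Cancel"}))  # cancelled
```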