On 7/24/06, Don Brown <[EMAIL PROTECTED]> wrote:
The problem is that prefix allows anyone to specify the method to be called on the action through the URL, any URL. I'd argue it is a security concern, so the developer should have to work at explicitly allowing a method to be arbitrarily called.
Yes, since the action mapping allows you to specify a method explicitly, the ! or method: URL syntax decreases security without increasing functionality. Without wildcards, it simply reduces the number of action mappings. Even without the wildcard functionality, it should just be a matter of adding an action mapping for each alias. (Which is where we might start to find "extends" useful.)

If all action methods were members of framework-specific Action classes, security might be less of a concern. But, since we allow POJO action classes, we should be more security conscious, and force developers to declare which methods can be action methods.

-Ted.
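An added illustration of the point discussed in this thread, not code from either poster or from the framework: a minimal dispatcher that resolves the `!` URL syntax against a POJO, first unchecked and then against a declared method list. `AccountAction`, `DECLARED` and both `dispatch*` methods are hypothetical names constructed for the example.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

public class DeclaredMethodDispatch {
    // Hypothetical POJO action: every public method is reachable by reflection.
    public static class AccountAction {
        public String execute() { return "view"; }
        public String save() { return "saved"; }
        public String purgeAll() { return "purged"; } // helper never meant to be URL-reachable
    }

    // Constructed stand-in for action mappings: action name -> declared action methods.
    static final Map<String, Set<String>> DECLARED =
        Map.of("account", Set.of("execute", "save"));

    // Splits "account!save" into action name and method; no "!" means execute.
    static String[] parse(String path) {
        int bang = path.indexOf('!');
        return bang < 0 ? new String[] {path, "execute"}
                        : new String[] {path.substring(0, bang), path.substring(bang + 1)};
    }

    // Unchecked form: whatever method name the URL supplies gets invoked.
    static String dispatchUnchecked(Object action, String path) throws Exception {
        Method m = action.getClass().getMethod(parse(path)[1]);
        return (String) m.invoke(action);
    }

    // Declared form: the method must be listed for that action before reflection is used.
    static String dispatchDeclared(Object action, String path) throws Exception {
        String[] p = parse(path);
        Set<String> allowed = DECLARED.getOrDefault(p[0], Set.of());
        if (!allowed.contains(p[1])) {
            throw new SecurityException("method not declared for action: " + p[1]);
        }
        return (String) action.getClass().getMethod(p[1]).invoke(action);
    }

    public static void main(String[] args) throws Exception {
        AccountAction a = new AccountAction();
        System.out.println(dispatchUnchecked(a, "account!purgeAll"));
        System.out.println(dispatchDeclared(a, "account!save"));
        try {
            dispatchDeclared(a, "account!purgeAll");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```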