I'd much rather annotate methods which can be called than specify them in XML.
Also, this doesn't pose much of a security risk in practice, as it only applies to public, no-arg methods which return String in actions.

Bob

On 7/24/06, Ted Husted <[EMAIL PROTECTED]> wrote:

On 7/24/06, Don Brown <[EMAIL PROTECTED]> wrote:
> The problem is that prefix allows anyone to specify the method to be called on
> the action through the URL, any URL. I'd argue it is a security concern, so the
> developer should have to work at explicitly allowing a method to be arbitrarily
> called.

Yes, since the action mapping allows you to specify a method explicitly, the ! or method: URL syntax decreases security without increasing functionality. Without wildcards, it simply reduces the number of action mappings.

Even without the wildcard functionality, it should just be a matter of adding an action mapping for each alias. (Which is where we might start to find "extends" useful.)

If all action methods were members of framework-specific Action classes, security might be less of a concern. But, since we allow POJO action classes, we should be more security conscious, and force developers to declare which methods can be action methods.

-Ted.
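The thread contrasts two ways of picking the action method from a request: the open "!" / "method:" prefix, which lets any public no-arg String method on a POJO action be selected, and an explicit declaration by the developer (Bob's annotation, Ted's per-alias mapping). The following is an added example written for this page, not Struts or WebWork code; the `@ActionMethod` annotation, the `OrderAction` class and the `resolve`/`invoke` helpers are hypothetical. It shows the allow-list side: a method name taken from the URL is only invoked when the developer has marked it, so a method that merely has the right shape is refused.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

public class AllowListDispatch {

    /** Hypothetical marker: the developer declares this method callable from a URL. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface ActionMethod {}

    /** A constructed POJO action. Only execute() and cancel() are declared as action methods. */
    public static class OrderAction {
        @ActionMethod
        public String execute() { return "success"; }

        @ActionMethod
        public String cancel() { return "cancelled"; }

        // Same shape (public, no-arg, returns String) but never meant to be URL-selectable.
        public String deleteAll() { return "deleted"; }
    }

    /** Splits "order!cancel" into the method part; a name without "!" selects execute(). */
    public static String methodFromActionName(String actionName) {
        int bang = actionName.indexOf('!');
        return bang < 0 ? "execute" : actionName.substring(bang + 1);
    }

    /**
     * Looks the requested method up against the allow-list. Returns null unless the method
     * is annotated AND has the action-method shape the thread describes.
     */
    public static Method resolve(Class<?> actionClass, String methodName) {
        for (Method m : actionClass.getMethods()) {
            if (!m.getName().equals(methodName)) continue;
            boolean declared = m.isAnnotationPresent(ActionMethod.class);
            boolean shapeOk = Modifier.isPublic(m.getModifiers())
                    && m.getParameterCount() == 0
                    && m.getReturnType() == String.class;
            if (declared && shapeOk) return m;
        }
        return null;
    }

    /** Invokes the resolved method; an undeclared name is refused rather than dispatched. */
    public static String invoke(Object action, String actionName) throws Exception {
        String methodName = methodFromActionName(actionName);
        Method m = resolve(action.getClass(), methodName);
        if (m == null) {
            throw new IllegalArgumentException("method not declared as an action method: " + methodName);
        }
        return (String) m.invoke(action);
    }

    public static void main(String[] args) throws Exception {
        OrderAction action = new OrderAction();
        System.out.println(invoke(action, "order"));          // success
        System.out.println(invoke(action, "order!cancel"));   // cancelled
        try {
            invoke(action, "order!deleteAll");                // refused: not annotated
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point of checking the annotation rather than only the method shape is the one Ted makes: with framework-agnostic POJO actions, "public, no-arg, returns String" describes helper and accessor methods too, so the declaration has to come from the developer, whether as an annotation like this or as one XML mapping per alias.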