Sure, I agree with all of that. And I've said I'm open to nailing this down more with conventions and/or annotations. I'm even open to a switch to turn it off.
What I'm not open to is just removing/deprecating it entirely without addressing the fact that it is _widely_ used in a ton of applications and, at least in my case, I continue to use it as I find it very useful and not a security risk one bit. Removing it would really cause issues for me, so I want us to explore other ways to address the security aspect besides just taking it out by default.

The reason this is so important to me is that we, the Struts development team, need to, as responsible leaders for the Struts community, do our best to all try to recommend the same style of web development to the users. If I'm off using ! syntax and the ActionMapper from Able, and Jason has a technique that involves 4 or 5 interceptor stacks, and Don is using a single stack but 100% wildcards, we're sending a bad message to the community. So let's dig deep and get to a consensus on what we think the "right" way to recommend working with Struts is.

> On 8/21/06, Don Brown <[EMAIL PROTECTED]> wrote:
> > I know that the overriding concern is "security".
>
> Here's the thing. Regardless of what we think, there are independent security organizations that review security issues for high profile frameworks. If we don't control the bang with a switch that defaults to off, we are liable to get pinged for this. Struts 1 was pinged for the way we handled "cancel", and we had to come up with a fix. I doubt that trying to explain away a security risk by saying "Atlassian doesn't think it's a problem" is going to result in the security alert being lowered. There is also a fundamental ASF principle that "Security is a mandatory feature."
>
> Regardless of whether we end up saying using the ! alias is acceptable, or even preferred, we should retain the switch that turns it on, so that teams make an informed decision as to its use.
>
> -Ted.
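As an added illustration of the switch Ted is asking for (this is not code from the thread or from the Struts project as discussed here), the struts.xml fragment below shows the bang alias left on beside the hardened setup where it is off and only explicitly mapped methods are reachable. The constant name struts.enable.DynamicMethodInvocation is assumed from later Struts 2 documentation rather than taken from the thread, and the UserAction class, package and JSP paths are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>

  <!-- Permissive setting (the situation the thread worries about):
       with the bang alias enabled, a request of the form action!method
       can reach any public method of the action class, whether or not
       that method was ever mapped here. Left commented out on purpose. -->
  <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true"/> -->

  <!-- Hardened setting: the switch defaults off (constant name assumed
       from later Struts 2 docs), so the set of reachable methods is
       exactly the set declared in the action mappings below. -->
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>

  <!-- Hypothetical package; each invocable method is named explicitly
       via the method attribute instead of being chosen by the URL. -->
  <package name="user" namespace="/user" extends="struts-default">

    <action name="list" class="example.UserAction" method="list">
      <result>/WEB-INF/jsp/user/list.jsp</result>
    </action>

    <action name="save" class="example.UserAction" method="save">
      <result>/WEB-INF/jsp/user/saved.jsp</result>
    </action>

    <!-- Any other public method on UserAction has no mapping here and,
         with the bang off, cannot be selected from the request URL. -->
  </package>

</struts>
```

Teams that decide the alias is acceptable for their application can flip the single constant back to true, which is exactly the informed, explicit choice the quoted message argues for.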
Posted via Jive Forums http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=81539#81539