> > I guess why I don't like this mentality is that we have these kinds of security holes all over the place. If you expose getters or setters that are unsafe in your action or _any_ of your model objects, you can get that problem. The fact is that with dynamic reflection that is controlled by URL requests/params, you should consider anything remotely close to the Action or its object graph to be considered unsafe until you've explicitly added your own security layer.
> >
> > To simply add this switch and give the impression that it is now safe would be very misleading.
>
> While I see your point that this one flag won't make everything 100% secure, at least with getters and setters, you know that's what they're designed to do. You can also control the setting of properties from the request params via the interceptor stack, including filtering out params you don't want set. You can't (currently) control the "!" notation and what methods it can call.
>
> I'd say we need to group a bunch of security-related settings in the config and let people choose, but I'd agree with Ted that the more secure option should be the default, especially if we're talking about deprecating and removing the "!" notation in the future.

First off: we're *not* deprecating and removing the ! notation at this point. That is what this discussion is entirely about.

Why not disable getters and setters by default too and require people pull out the request parameters by hand until they switch the security flag? Obviously because it makes no sense. It is core to working with actions. And I'm here to argue fervidly that the pattern of URLs like "create!input" is way too common in my applications to just turn off by default without some longer discussion.

My goal is to make sure that the leaders of Struts have their styles of web development represented in a common set of defaults - it would be a big mistake for Struts and a big loss to the community if I went off with my own ActionMapper and never looked back.

I've put forward alternatives, such as a convention (doXxx) or annotation (@ActionMethod) to indicate that methods can be called. But I'm currently very far from convinced that turning off that switch by default is a good idea at all. I'd like for Ted to respond to my proposed alternatives.

---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82257#82257
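
An added example (not from the post and not Struts code) of the annotation alternative proposed above: a dispatcher that resolves the `!` suffix of a mapping such as "create!input" to a method only when that method carries a marker annotation. `ActionMethodDemo`, `CreateAction`, `dispatch` and the `@ActionMethod` definition are hypothetical; only the annotation's name comes from the post.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class ActionMethodDemo {
    // Hypothetical marker; the name is taken from the proposal in the post.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface ActionMethod {}

    // Constructed sample action.
    public static class CreateAction {
        public String execute() { return "success"; }
        @ActionMethod public String input() { return "input"; }
        // Public but not annotated: must not be reachable from a URL.
        public String deleteAll() { return "deleted"; }
    }

    // Resolves "name!method" and invokes the method only if it is public,
    // takes no arguments, returns String and carries @ActionMethod.
    // A mapping without "!" falls back to execute().
    static String dispatch(Object action, String mapping) throws Exception {
        int bang = mapping.indexOf('!');
        String methodName = bang < 0 ? "execute" : mapping.substring(bang + 1);
        Method m;
        try {
            m = action.getClass().getMethod(methodName); // public, zero-arg only
        } catch (NoSuchMethodException e) {
            throw new SecurityException("no such action method: " + methodName);
        }
        boolean allowed = bang < 0 || m.isAnnotationPresent(ActionMethod.class);
        if (!allowed || m.getReturnType() != String.class) {
            throw new SecurityException("method not exposed: " + methodName);
        }
        return (String) m.invoke(action);
    }

    public static void main(String[] args) throws Exception {
        CreateAction a = new CreateAction();
        System.out.println(dispatch(a, "create"));
        System.out.println(dispatch(a, "create!input"));
        // Unannotated and inherited methods are refused, not invoked.
        for (String bad : new String[] {"create!deleteAll", "create!getClass", "create!hashCode"}) {
            try { dispatch(a, bad); }
            catch (SecurityException e) { System.out.println("rejected " + bad + ": " + e.getMessage()); }
        }
    }
}
```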