On 8/25/06, Ted Husted <[EMAIL PROTECTED]> wrote:
Agreed. But I want to start shipping tagged builds of the framework this weekend, and so we need to decide what to do right now, today.
-1 We have to put this in perspective. First, disabling by default doesn't address the "method:xxx" parameter convention anyway. Second, being able to set nested properties is a much bigger security risk, so much so that we disable it by default. A programmer could expose a setter in a bean without knowing it hangs off an action. We should solve both problems in a general fashion, probably with an @Public or @Published annotation. We should probably look to JSR 250 (http://jcp.org/en/jsr/detail?id=250) for such an annotation. That way, nested objects don't have to depend on Struts. In the meantime, disabling this feature just provides a false sense of security. We should prominently document all these issues in a "Be Mindful of Security" section.

Bob
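To make the annotation-based approach Bob sketches concrete, here is an added example (not code from the thread, Struts, or XWork) of a minimal parameter binder that only writes to setters carrying a hypothetical @Published marker, and that refuses "method:"-prefixed names and nested property paths outright. The OrderAction bean and the request parameters are constructed for the example; the annotation name, the binder and its rejection messages are assumptions, not a real framework API.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;

public class PublishedParameterBinder {

    /** Hypothetical marker: only setters carrying this annotation accept request parameters. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface Published {}

    /** Sample action bean, constructed for this example. */
    public static class OrderAction {
        private String customerName;
        private boolean approved; // no @Published: must stay unreachable from a request

        @Published
        public void setCustomerName(String v) { customerName = v; }
        public void setApproved(boolean v) { approved = v; }
        public String getCustomerName() { return customerName; }
        public boolean isApproved() { return approved; }
    }

    /**
     * Binds request parameters to the target and returns the parameter names that were
     * rejected, mapped to the reason. Rejections: a "method:" prefix, any nested or
     * indexed path ("a.b", "a[0]"), and any setter not marked @Published.
     */
    public static Map<String, String> bind(Object target, Map<String, String> params) {
        Map<String, String> rejected = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            if (name.startsWith("method:")) {
                rejected.put(name, "method selection via parameter is not allowed");
                continue;
            }
            // Only a simple identifier is accepted; dots and brackets are nested paths.
            if (!name.matches("[A-Za-z][A-Za-z0-9]*")) {
                rejected.put(name, "nested or non-simple property path");
                continue;
            }
            String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            Method m = findPublishedSetter(target.getClass(), setter);
            if (m == null) {
                rejected.put(name, "no @Published setter");
                continue;
            }
            try {
                m.invoke(target, convert(m.getParameterTypes()[0], e.getValue()));
            } catch (ReflectiveOperationException | IllegalArgumentException ex) {
                rejected.put(name, "conversion or invocation failed: " + ex.getMessage());
            }
        }
        return rejected;
    }

    /** Finds a public one-argument setter by name, but only if it is annotated @Published. */
    private static Method findPublishedSetter(Class<?> c, String setter) {
        for (Method m : c.getMethods()) {
            if (m.getName().equals(setter) && m.getParameterCount() == 1
                    && m.isAnnotationPresent(Published.class)) {
                return m;
            }
        }
        return null;
    }

    /** Minimal string-to-type conversion for the setter parameter types used here. */
    private static Object convert(Class<?> type, String raw) {
        if (type == String.class) return raw;
        if (type == boolean.class || type == Boolean.class) return Boolean.parseBoolean(raw);
        if (type == int.class || type == Integer.class) return Integer.parseInt(raw);
        throw new IllegalArgumentException("unsupported type " + type.getName());
    }

    public static void main(String[] args) {
        OrderAction action = new OrderAction();
        Map<String, String> params = new LinkedHashMap<>(); // constructed request
        params.put("customerName", "alice");
        params.put("approved", "true");        // setter exists but is not published
        params.put("nested.approved", "true"); // nested path
        params.put("method:approve", "");      // method selection by parameter
        Map<String, String> rejected = bind(action, params);
        System.out.println("customerName=" + action.getCustomerName()
                + " approved=" + action.isApproved());
        rejected.forEach((k, v) -> System.out.println("rejected " + k + ": " + v));
    }
}
```

Running main shows customerName set to "alice" while approved stays false, with the other three parameters listed as rejected. The point of the design is the one Bob makes: with an opt-in marker, a setter that merely exists on a bean is not reachable from a request, so a programmer cannot expose it by accident, and the same rule covers both the nested-property and the "method:" cases instead of disabling one feature in isolation.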