> ...unless you really want to take the security exercise all the way,
> i.e., secure each and every method via container-managed security using
> annotations (ideally) to configure what roles/users can access what
> methods, thereby taking the URI out of the equation entirely... if you
> aren't in an allowed role, you can't execute the method, regardless of
> what URI was used to request it.
>
> Might not be a bad feature actually, but seems like a bit of overkill to
> me :)
> 

I do this now, with Acegi and Spring. Not so much on actions, but on the 
Services they call. 

Let's not re-invent the wheel.

RE: This being a security hole or not. I don't even really care if it's a 
security hole. That's the most minor of problems with this feature. It's all of 
the special case hacks in the code to accommodate it and the requests for more 
special case hacks for other parts of the framework that it engenders.
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82529#82529
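
The method-level role check discussed in this thread, as an added example that is not part of either post and is not Acegi or Spring code: a plain JDK dynamic proxy enforces an annotation on service methods, so the decision never depends on which URI reached the action. The `AllowedRoles` annotation, the `AccountService` interface and the account name are hypothetical, constructed for this illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class MethodSecurityDemo {
    // Hypothetical annotation: roles allowed to invoke a service method.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface AllowedRoles { String[] value(); }

    // Hypothetical service interface; all names are assumptions for this example.
    interface AccountService {
        @AllowedRoles({"USER", "ADMIN"}) String viewBalance(String account);
        @AllowedRoles({"ADMIN"}) String closeAccount(String account);
        String ping(); // no annotation: denied by default
    }

    static class AccountServiceImpl implements AccountService {
        public String viewBalance(String account) { return "balance of " + account; }
        public String closeAccount(String account) { return "closed " + account; }
        public String ping() { return "pong"; }
    }

    // Wraps a service so every call is checked against the caller's roles.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target, Set<String> callerRoles) {
        InvocationHandler h = (proxy, method, args) -> {
            AllowedRoles allowed = method.getAnnotation(AllowedRoles.class);
            boolean ok = allowed != null
                && Arrays.stream(allowed.value()).anyMatch(callerRoles::contains);
            if (!ok) throw new SecurityException("access denied: " + method.getName());
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow the service's own exception
            }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface}, h);
    }

    public static void main(String[] args) {
        AccountService svc = secure(AccountService.class, new AccountServiceImpl(), Set.of("USER"));
        System.out.println(svc.viewBalance("constructed-acct-1")); // allowed for USER
        for (Runnable call : List.<Runnable>of(() -> svc.closeAccount("constructed-acct-1"), svc::ping)) {
            try { call.run(); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

Methods without an annotation are refused, so a newly added service method stays closed until someone assigns it roles.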

