Probably a good idea to be strict, but I have lots of methods and only use DMI, so it may get to be a very long element.

Maybe I could prefix all my required methods with something, i.e. with allowedPublish(), allowedPublishNow() etc., and use:

<allowed-methods>regex:allowed(([A-Z]?)([a-z]+)?)</allowed-methods>

I previously added a salt interceptor and went through changing all sensitive post methods to be one of the below,

<interceptor-ref name="ActionSaltInterceptor">
    <param name="excludeMethods">*</param>
    <param name="includeMethods">save,delete,publish*,expire</param>
</interceptor-ref>

but on general methods there are many, and it could be a lot of work going through and updating all the screens etc. (no chaining actions)

public void refresh() {..}
public String query() {..}
public String cancel() {..}
public String cancelClosed() {..}
public String cancelCurrent() {..}
public String cancelOpen() {..}
public String cancelOpenAuction() {..}

On 2 September 2015 at 08:09, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> 2015-09-01 12:41 GMT+02:00 Greg Huber <gregh3...@gmail.com>:
> > The same way interceptors are configured, something like:
> >
> > <param name="includeMethods">publish*</param>
> >
> > public String publish() {..}
> > public String publishNow() {..}
>
> but maybe instead of such simple definition it'd be better to allow
> specify very strict regex, ie:
>
> <allowed-methods>regex:publish(([A-Z]?)([a-z]+)?)</allowed-methods>
>
> wdyt?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org
>
>
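The patterns discussed in this thread behave differently against the method list Greg posted, so here is an added example (not code from the thread or from Struts itself) that emulates the allowed-methods check in Python: an includeMethods-style wildcard such as "publish*", and a "regex:" entry that must match the whole method name. It assumes, as Struts' strict method invocation does for a regex, that the pattern is applied to the entire method name rather than a prefix; the method names are taken from the thread plus a few constructed negatives, and the parser splitting the list on commas is this example's own convention.

```python
import re

# Method names from the thread plus constructed extras (publishXYZ, publish2,
# execute) that a strict pattern should reject.
METHODS = [
    "publish", "publishNow", "refresh", "query", "cancel", "cancelClosed",
    "cancelCurrent", "cancelOpen", "cancelOpenAuction",
    "allowedPublish", "allowedPublishNow",
    "save", "delete", "expire",
    "publishXYZ", "publish2", "execute",
]


def wildcard_to_regex(glob):
    """Turn an includeMethods-style pattern ("publish*") into an anchored regex.

    Every non-* fragment is escaped, so only '*' has special meaning."""
    return "^" + ".*".join(re.escape(part) for part in glob.split("*")) + "$"


def parse_allowed(spec):
    """Parse a comma-separated allowed-methods value.

    Each entry is either 'regex:<pattern>' (used as given) or a literal /
    wildcard name. Assumption of this toy parser: entries never contain commas,
    so a regex such as a{2,3} would have to be written differently."""
    patterns = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("regex:"):
            patterns.append(re.compile(item[len("regex:"):]))
        else:
            patterns.append(re.compile(wildcard_to_regex(item)))
    return patterns


def is_allowed(method, patterns):
    # fullmatch(): the whole method name must match, like Java's Matcher.matches();
    # a search()/prefix match would silently widen what is callable.
    return any(p.fullmatch(method) for p in patterns)


def allowed_methods(spec, methods=METHODS):
    """Return the subset of `methods` that `spec` permits, in input order."""
    patterns = parse_allowed(spec)
    return [m for m in methods if is_allowed(m, patterns)]


if __name__ == "__main__":
    for spec in [
        "publish*",                                   # wildcard from the thread
        "regex:publish(([A-Z]?)([a-z]+)?)",          # Lukasz's strict regex
        "regex:allowed(([A-Z]?)([a-z]+)?)",          # Greg's prefix idea
        "regex:allowed([A-Z][a-z]+)*",               # one camel-case run per group
        "save,delete,publish*,expire",               # the includeMethods list
    ]:
        print(f"{spec:40} -> {allowed_methods(spec)}")
```

Two things the run makes visible: "publish*" lets through publishXYZ and publish2, which the regex form rejects; and the one-segment regex `allowed(([A-Z]?)([a-z]+)?)` admits allowedPublish but not allowedPublishNow, because `[a-z]+` stops at the second capital. If the naming scheme is meant to cover multi-word camel case, a repeated group such as `allowed([A-Z][a-z]+)*` (my variant, not from the thread) keeps the strictness while matching both.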