You can use global and action allowed methods:

<global-allowed-methods>MyMethod,etc</global-allowed-methods>
<allowed-methods>MyMethod,etc</allowed-methods>

For SMI to work on method="{1}" there is no option, as it adds a (.*), so
it must be removed.

For method="prefix{1}suffix" it adds a prefix(.*)suffix, and if this is
removed all methods would require a definition in either the global or
action allowed methods:

<global-allowed-methods>regex:prefix{..}suffix</global-allowed-methods>
<allowed-methods>prefixMyMethod1suffix,prefixMyMethod2suffix,prefixMyMethod3suffix</allowed-methods>

Assuming there is a regex for prefix{1}suffix ??

btw I am just highlighting what we need to do to get it working correctly
(not advocating SMI), observations from my testing.

Cheers Greg.

On 5 February 2016 at 14:25, Christoph Nenning <[email protected]> wrote:
> > Hi,
> >
> > There is a huge discussion about how SMI should work in case of using
> > wildcard mapping [1]. Basically when an action is defined as follows:
> >
> > <action name="person*" class="com.demo.PersonAction" method="{1}">
> >     <result name="success">view.jsp</result>
> >     <result name="input">input.jsp</result>
> > </action>
> >
> > SMI will allow access to any method in the PersonAction class because {1} is
> > translated into RegEx (.*) - as you can see SMI simply won't work
> > here.
> >
> > Greg proposes to drop the translation ({1} -> (.*)) and base it only on
> > what was defined in <global-allowed-methods/> or <allowed-method/> in
> > that case, which will truly limit access to methods.
> >
> > wdyt?
> >
>
>
> I agree with Greg. {1} should not be translated to (.*). Is it possible
> for an action to define its own allowed methods in this case (besides
> annotations)?
>
>
>
>
> Regards,
> Christoph
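
The difference between the two behaviours discussed in this thread, as an added example that is not part of the original messages and is not Struts code: a small Python model of the allowed-methods decision with and without the {n} -> (.*) translation. The function names, the method names "list", "edit" and "delete", and the sample regex are assumptions made for illustration.

```python
import re

REGEX_PREFIX = "regex:"  # prefix used in the thread's <global-allowed-methods> line

def wildcard_to_regex(method_attr):
    """Model of the translation under discussion: every {n} becomes (.*)."""
    literals = re.split(r"\{\d+\}", method_attr)
    return "(.*)".join(re.escape(part) for part in literals)

def compile_allowed(entries):
    """Literal names match exactly; 'regex:' entries are compiled as patterns."""
    patterns = []
    for entry in (e.strip() for e in entries):
        if entry.startswith(REGEX_PREFIX):
            patterns.append(re.compile(entry[len(REGEX_PREFIX):]))
        elif entry:
            patterns.append(re.compile(re.escape(entry)))
    return patterns

def is_allowed(method, method_attr, allowed, translate_wildcard):
    """Hypothetical model of the SMI decision, not Struts' own code."""
    patterns = compile_allowed(allowed)
    if translate_wildcard and re.search(r"\{\d+\}", method_attr):
        # Current behaviour: the wildcard itself is added as an allowed pattern.
        patterns.append(re.compile(wildcard_to_regex(method_attr)))
    return any(p.fullmatch(method) for p in patterns)

def compare(method_attr, allowed, requested):
    """Return {method: (with_translation, without_translation)}."""
    return {m: (is_allowed(m, method_attr, allowed, True),
                is_allowed(m, method_attr, allowed, False))
            for m in requested}

if __name__ == "__main__":
    # Constructed sample data: "list", "edit", "delete" are made-up method names.
    print(compare("{1}", ["list", "edit"], ["list", "delete"]))
    print(compare("prefix{1}suffix",
                  ["regex:prefix(MyMethod1|MyMethod2)suffix"],
                  ["prefixMyMethod1suffix", "prefixOthersuffix"]))
```

With the translation in place, every requested name passes regardless of the allowed list; without it, only names listed literally or matched by a regex: entry pass.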