> Date: Fri, 5 Feb 2016 15:14:03 +0000
> Subject: Re: SMI on steroids
> From: gregh3...@gmail.com
> To: dev@struts.apache.org
> 
> To pass globally:
> 
> <global-allowed-methods>regex:prefix(.*)suffix</global-allowed-methods>

Greg:

I thought RegEx is enabled only when SMI is disabled?
SMI works in the following way:

- <allowed-methods> / @AllowedMethods is defined per action - SMI works without switching it on but just for those actions (plus adding <global-allowed-methods/>)
- SMI is enabled but no <allowed-methods> / @AllowedMethods are defined - SMI works but only with <global-allowed-methods/>
- SMI is disabled - call to any action method is allowed ( Regex: .* )

https://struts.apache.org/docs/action-configuration.html
Can you confirm the documentation is correct or incorrect?
Martin
> 
> On 5 February 2016 at 14:25, Christoph Nenning <
> christoph.nenn...@lex-com.net> wrote:
> 
> > > Hi,
> > >
> > > There is a huge discussion about how SMI should work in case of using
> > > wildcard mapping [1]. Basically when action is defined as follows:
> > >
> > > <action name="person*" class="com.demo.PersonAction" method="{1}">
> > >     <result name="success">view.jsp</result>
> > >     <result name="input">input.jsp</result>
> > > </action>
> > >
> > > SMI will allow access to any method in PersonAction class because {1} is
> > > translated into RegEx (.*) - as you can see SMI simply won't work
> > > here.
> > >
> > > Greg proposes to drop the translation ({1} -> (.*)) and only base on
> > > what was defined in <global-allowed-methods/> or <allowed-method/> in
> > > that case, thus will truly limit access to methods.
> > >
> > > wdyt?
> > >
> >
> >
> > I agree with Greg. {1} should not be translated to (.*). Is it possible
> > for action to define own allowed methods in this case (besides
> > annotations)?
> >
> >
> >
> >
> > Regards,
> > Christoph
> >
> >
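
The difference between the two behaviours debated in this thread, as an added example that is not part of the original messages and is not Struts code: a simplified Python model of the allowed-method check for the `person*` / `method="{1}"` mapping, with and without the `{1}` -> `(.*)` translation. The function names, the `ALLOWED` and `GLOBAL_ALLOWED` values and the request names are constructed assumptions.

```python
import re

# Constructed sample configuration modelled on the thread's wildcard action.
ACTION_NAME = "person*"                 # <action name="person*" ... method="{1}">
METHOD_ATTR = "{1}"
ALLOWED = ["list", "view"]              # hypothetical per-action <allowed-methods>
GLOBAL_ALLOWED = ["regex:get(.*)Info"]  # hypothetical <global-allowed-methods>


def to_regex(entry):
    """Turn one allowed-methods entry into a regex; 'regex:' entries are used as written."""
    if entry.startswith("regex:"):
        return re.compile(entry[len("regex:"):])
    return re.compile(re.escape(entry))


def resolve_method(action_name, method_attr, request_name):
    """Match the request against the wildcard name and fill {n} placeholders in method."""
    pattern = "(.*)".join(re.escape(part) for part in action_name.split("*"))
    match = re.fullmatch(pattern, request_name)
    if match is None:
        return None
    method = method_attr
    for index, group in enumerate(match.groups(), start=1):
        method = method.replace("{%d}" % index, group)
    return method


def is_allowed(method, method_attr, allowed, global_allowed, translate_placeholder):
    """Model of the SMI check; translate_placeholder=True is the behaviour under discussion."""
    entries = list(allowed) + list(global_allowed)
    if translate_placeholder and re.search(r"\{\d+\}", method_attr):
        # {1} becomes (.*) and is treated as one more allowed pattern.
        literal_parts = re.split(r"\{\d+\}", method_attr)
        entries.append("regex:" + "(.*)".join(re.escape(p) for p in literal_parts))
    return any(to_regex(entry).fullmatch(method) for entry in entries)


def check(request_name, translate_placeholder):
    """True if the request maps to the action and the resolved method passes the check."""
    method = resolve_method(ACTION_NAME, METHOD_ATTR, request_name)
    if method is None:
        return False
    return is_allowed(method, METHOD_ATTR, ALLOWED, GLOBAL_ALLOWED, translate_placeholder)


if __name__ == "__main__":
    for name in ("personlist", "persondelete", "persongetAuditInfo"):
        print(name, "translated:", check(name, True), "proposed:", check(name, False))
```

With the translation, `persondelete` passes even though `delete` is in neither list; without it, only methods matched by the configured entries pass.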
                                          
