My understanding is it's now on by default, so you will need to use <global-allowed-methods> and <allowed-methods> in the latest beta for any methods that are not standard (save, input, execute, etc.).

But it currently does not check: if you use the method="{1}" or method="prefix{1}suffix" style it bypasses the checks, as it generates (.*) and prefix(.*)suffix in its internal regex. See com.opensymphony.xwork2.config.entities.AllowedMethods. So it's not so strict at the moment. I will have a look at the docs and try to understand more.

On 5 February 2016 at 16:19, Martin Gainty <mgai...@hotmail.com> wrote:

> > Date: Fri, 5 Feb 2016 15:14:03 +0000
> > Subject: Re: SMI on steroids
> > From: gregh3...@gmail.com
> > To: dev@struts.apache.org
> >
> > To pass globally:
> >
> > <global-allowed-methods>regex:prefix(.*)suffix</global-allowed-methods>
>
> Greg:
>
> I thought RegEx is enabled only when SMI is disabled?
> SMI works in the following way:
> - <allowed-methods> / @AllowedMethods is defined per action - SMI works without switching it on, but just for those actions (plus adding <global-allowed-methods/>)
> - SMI is enabled but no <allowed-methods> / @AllowedMethods are defined - SMI works, but only with <global-allowed-methods/>
> - SMI is disabled - a call to any action method is allowed ( Regex: .* )
> https://struts.apache.org/docs/action-configuration.html
> Can you confirm the documentation is correct or incorrect?
> Martin
>
> > On 5 February 2016 at 14:25, Christoph Nenning <christoph.nenn...@lex-com.net> wrote:
> >
> > > > Hi,
> > > >
> > > > There is a huge discussion about how SMI should work in case of using
> > > > wildcard mapping [1]. Basically, when an action is defined as follows:
> > > >
> > > > <action name="person*" class="com.demo.PersonAction" method="{1}">
> > > >   <result name="success">view.jsp</result>
> > > >   <result name="input">input.jsp</result>
> > > > </action>
> > > >
> > > > SMI will allow access to any method in the PersonAction class because {1} is
> > > > translated into the RegEx (.*) - as you can see, SMI simply won't work
> > > > here.
> > > >
> > > > Greg proposes to drop the translation ({1} -> (.*)) and only base it on
> > > > what was defined in <global-allowed-methods/> or <allowed-method/> in
> > > > that case, which will truly limit access to methods.
> > > >
> > > > wdyt?
> > >
> > > I agree with Greg. {1} should not be translated to (.*). Is it possible
> > > for an action to define its own allowed methods in this case (besides
> > > annotations)?
> > >
> > > Regards,
> > > Christoph
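The wildcard-to-regex translation the thread describes, as a simplified Python model added here (not Struts' own AllowedMethods code): `current_smi` mirrors the current behaviour where method="{1}" becomes (.*) and so every method name passes the check, while `proposed_smi` mirrors Greg's proposal of deciding only from the explicit allowed-method entries. The entry syntax (literal names plus a `regex:` prefix) and the function names are assumptions.

```python
import re

# Constructed model of the SMI method check discussed in the thread; it is
# not the real com.opensymphony.xwork2.config.entities.AllowedMethods class.


def wildcard_to_regex(method_attr):
    """Mirror the current translation of a wildcard method attribute:
    every {n} placeholder becomes (.*), so "{1}" -> "(.*)" and
    "prefix{1}suffix" -> "prefix(.*)suffix"."""
    parts = re.split(r"\{\d+\}", method_attr)
    return "(.*)".join(re.escape(p) for p in parts)


def compile_allowed(entries):
    """Entries are literal method names or 'regex:<pattern>' (assumed syntax)."""
    compiled = []
    for entry in entries:
        if entry.startswith("regex:"):
            compiled.append(re.compile(entry[len("regex:"):]))
        else:
            compiled.append(re.compile(re.escape(entry)))
    return compiled


def is_allowed(method, patterns):
    """A method is callable only if some allowed pattern matches it whole."""
    return any(p.fullmatch(method) for p in patterns)


def current_smi(method, method_attr, global_allowed, action_allowed):
    """Current behaviour: the translated method attribute is itself treated
    as an allowed pattern, so method="{1}" admits every method name."""
    entries = list(global_allowed) + list(action_allowed)
    entries.append("regex:" + wildcard_to_regex(method_attr))
    return is_allowed(method, compile_allowed(entries))


def proposed_smi(method, method_attr, global_allowed, action_allowed):
    """Greg's proposal: ignore the {1} -> (.*) translation (method_attr is
    unused) and decide only from <global-allowed-methods> and <allowed-methods>."""
    entries = list(global_allowed) + list(action_allowed)
    return is_allowed(method, compile_allowed(entries))


if __name__ == "__main__":
    GLOBAL = ["execute", "input"]   # constructed <global-allowed-methods>
    ACTION = ["save"]               # constructed <allowed-methods> for person*
    for name in ("save", "deleteAll"):
        print(name, "current:", current_smi(name, "{1}", GLOBAL, ACTION),
              "proposed:", proposed_smi(name, "{1}", GLOBAL, ACTION))
```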