You can put a declarative security line for */deleteUser.action, can't you? Not to say 
that this is good, in fact it's horrible, but at least it COULD work.

> -----Original Message-----
> From: Rickard Öberg [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, January 02, 2003 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [OS-webwork] Re: Action invocation
> 
> 
> Chris Miller wrote:
> > Remind me again why .action causes problems with declarative security?
> > Surely the real problem is that Webwork currently doesn't care if an
> > arbitrary path is specified in the URL. ie:
> > http://www.me.com/abc123/admin/deleteUser.action is treated the same
> > as http://www.me.com/admin/deleteUser.action - which makes it very
> > messy to nail down in web.xml.
> 
> That *is* the problem. And it's not messy; it's impossible! No matter
> how you construct your web.xml I can circumvent it by doing an arbitrary
> path like so:
> http://www.me.com/jkldsdfglkjglkdhgdklhg/asdasdasd/deleteUser.action
> 
> If .action invocations are not allowed then it's possible to use
> declarative security. Plus if execution of actions is only possible if a
> URL has been previously associated with it during form creation, then
> it's even safer.
> 
> /Rickard
> 
> -- 
> Rickard Öberg
> [EMAIL PROTECTED]
> Senselogic
> 
> Got blog? I do. http://dreambean.com
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf 
> _______________________________________________
> Opensymphony-webwork mailing list 
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
> 


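An added example, not part of the original thread or of WebWork's code: a simplified Python model of Servlet url-pattern matching that reports which request paths reach the action servlet without any security-constraint pattern covering them. The function names and the sample paths are assumptions made for illustration.

```python
# Simplified model of Servlet-spec url-pattern matching (exact, "/prefix/*",
# "*.ext" and the "/" default). Paths and patterns below are constructed samples.

def matches(pattern: str, path: str) -> bool:
    """Return True if a web.xml <url-pattern> matches a context-relative path."""
    if pattern.startswith("/") and pattern.endswith("/*"):   # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                             # extension mapping
        last_segment = path.rsplit("/", 1)[-1]
        return last_segment.endswith(pattern[1:])
    if pattern == "/":                                       # default servlet
        return True
    return pattern == path                                   # anything else: exact


def audit(servlet_pattern, constraint_patterns, paths):
    """Map each path to (dispatched to the action servlet, covered by a constraint)."""
    report = {}
    for path in paths:
        dispatched = matches(servlet_pattern, path)
        protected = any(matches(p, path) for p in constraint_patterns)
        report[path] = (dispatched, protected)
    return report


def unprotected(report):
    """Paths that reach the servlet while no constraint applies to them."""
    return sorted(p for p, (disp, prot) in report.items() if disp and not prot)


PATHS = [  # constructed sample requests, context-relative
    "/admin/deleteUser.action",
    "/abc123/admin/deleteUser.action",
    "/public/listUsers.action",
]

if __name__ == "__main__":
    configs = {
        "servlet *.action, constraint /admin/*": ("*.action", ["/admin/*"]),
        "servlet *.action, constraint *.action": ("*.action", ["*.action"]),
        "servlet /admin/*, constraint /admin/*": ("/admin/*", ["/admin/*"]),
    }
    for label, (servlet, constraints) in configs.items():
        print(label, "->", unprotected(audit(servlet, constraints, PATHS)))
```

With the extension mapping, only a constraint on `*.action` itself covers every path, and it applies to all actions at once; with a path mapping, the servlet and the constraint share the same prefix, so nothing outside it is dispatched.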