On Sat, Jan 04, 2003 at 11:39:11AM +0100, Rickard Öberg wrote:
> Chris Nokleberg wrote:
> >I don't understand this logic. A property default is a default for form
> >parameters, obviously it can change. If you want to fix the value for a
> >particular mapping, you add it to actions.xml.
>
> Not quite. In an action there are two "sets" of parameters:
> initialization parameters and form parameters. From an action point of
> view they are equivalent however, since both are set through set*
> methods. If both are set the same way then there is a potential security
> problem if a user sets an init parameter through a form submission. I.e.
> a parameter which was supposed to be set through some initialization
> parameter is instead provided by the user. The way to get around that is to:
> 1) Set form parameters first and init parameters later. However, this
> makes it impossible to use the init parameters during the prepare()
> step, which is where they would be perhaps most useful.

In the current model, if the init parameters were set by an action factory proxy after the form parameters, but before the prepare() call, wouldn't that work?

> 2) Require that all init parameters are set in xwork.xml. Even if the
> default is ok, the value must be provided again, or else there is a
> security hole.

Yes, I think this is reasonable though.

> Both of these two issues go away if init-parameters are provided through
> the context, or similar, i.e. not by calling set* methods in the action.

You could do the same thing with the form parameters too, but the simplicity of adding setters to your action outweighs the cost. It seems cleaner to use the same mechanism for init parameters.

> >The argument that it will hurt performance is really misleading
> >IMHO. You're assuming a certain implementation.
>
> Sure, I'm assuming reflection. Is there any other way to do it?

I sent a message before regarding the use of run-time code generation. It can be orders of magnitude faster (after an initial startup period).

-Chris
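
The ordering discussed in this thread, shown as an added example (it is not WebWork/XWork code and not from either poster): form parameters are applied through set* methods first, init parameters second, and prepare() runs last. `ExampleAction`, `applyParams`, `run` and the `role`/`name` parameters are hypothetical, and the submitted values are constructed.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;

public class InitParamOrdering {
    // Hypothetical action: "role" is meant to be an init parameter, "name" a form parameter.
    public static class ExampleAction {
        private String role = "guest";   // property default
        private String name;
        private String prepared;
        public void setRole(String role) { this.role = role; }
        public void setName(String name) { this.name = name; }
        public void prepare() { prepared = name + " as " + role; }
        public String getPrepared() { return prepared; }
    }

    // Apply every entry through the matching set* method; both parameter sets use this path.
    static void applyParams(Object action, Map<String, String> params) throws Exception {
        for (Map.Entry<String, String> e : params.entrySet()) {
            String key = e.getKey();
            String setter = "set" + Character.toUpperCase(key.charAt(0)) + key.substring(1);
            for (Method m : action.getClass().getMethods()) {
                if (m.getName().equals(setter) && m.getParameterCount() == 1) {
                    m.invoke(action, e.getValue());
                }
            }
        }
    }

    // Form parameters first, init parameters second, prepare() last.
    static String run(Map<String, String> form, Map<String, String> init) throws Exception {
        ExampleAction action = new ExampleAction();
        applyParams(action, form);
        applyParams(action, init);
        action.prepare();
        return action.getPrepared();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("name", "alice");
        form.put("role", "admin");   // constructed submission that names the init parameter
        Map<String, String> init = new LinkedHashMap<>();
        init.put("role", "guest");   // value declared again in configuration
        // Declared init parameter is applied last, so prepare() sees the configured role.
        System.out.println(run(form, init));
        // Init parameter left to its property default: the submitted role reaches prepare().
        System.out.println(run(form, new LinkedHashMap<>()));
    }
}
```

The second call is the case point 2 of the quoted message guards against: with the same setter path for both sets, an init parameter that is not restated in configuration keeps whatever the form supplied.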