Hello,

I'm creating+converting an app with ww2, but this applies to almost all frameworks.

People don't seem to care about the difference between an HTTP GET and POST. Almost everybody just puts their code in performAction() or execute(), without checking the request method. This is also done in most sample code.

If you don't do this, somebody could enter an administrator link / image on a forum / comment / whatever that can modify / delete data, or change passwords.

In my own framework, I called doPost() and doGet() just like in servlets, only doing data retrieval and cacheable things in doGet(). Any action that will cause a db modification is done in doPost().
I'm converting to webwork, because I really like the simplicity of it.
I needed the same kind of functionality, so I created a simple isPosted() method to check it, but this also ties me to the web. I don't really care, but a lot of people do.
I was thinking about creating an interceptor, but it seemed too much trouble. I don't like xml files for this.



I was wondering how you solve this, if you even thought about it at all.



Joris
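
The doGet()/doPost() split described in the message above, as an added example that is not part of the original post and is not WebWork code: the action stays free of web classes and a single dispatcher is the only code that reads the request method. All names (`MethodGuardDemo`, `Action`, `DeleteUser`, `dispatch`) and the sample data are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: every name here is hypothetical, none of it is WebWork API.
public class MethodGuardDemo {

    /** Web-agnostic action: reads go in doGet(), data changes in doPost(). */
    interface Action {
        String doGet();
        // Default: the action changes nothing, so POST is not accepted (null).
        default String doPost() { return null; }
    }

    /** Constructed sample action standing in for a "delete user" page. */
    static class DeleteUser implements Action {
        private final Map<String, String> users;
        private final String id;
        DeleteUser(Map<String, String> users, String id) { this.users = users; this.id = id; }
        // Read only: safe to reach from a link, an image tag or a cache.
        public String doGet() { return "confirm delete of " + users.get(id); }
        // Modifies data: reachable only through POST.
        public String doPost() { users.remove(id); return "deleted"; }
    }

    /** The only place that looks at the HTTP method; returns "status body". */
    static String dispatch(String httpMethod, Action action) {
        switch (httpMethod) {
            case "GET":
            case "HEAD":
                return "200 " + action.doGet();
            case "POST":
                String body = action.doPost();
                return body == null ? "405 Method Not Allowed" : "200 " + body;
            default:
                return "405 Method Not Allowed";
        }
    }

    public static void main(String[] args) {
        Map<String, String> users = new LinkedHashMap<>();
        users.put("7", "alice"); // constructed sample data
        // A link or image embedded in a forum post makes the browser send a GET,
        // which only ever reaches the read-only method.
        System.out.println(dispatch("GET", new DeleteUser(users, "7")));
        System.out.println("still present: " + users.containsKey("7"));
        // The deletion happens only when the request really is a POST.
        System.out.println(dispatch("POST", new DeleteUser(users, "7")));
        System.out.println("still present: " + users.containsKey("7"));
    }
}
```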



Opensymphony-webwork mailing list https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
