Chris Nokleberg wrote:
Here's another way: define the roles that are allowed to access an
action in xwork.xml, and create an interceptor that checks it. Then it
can work exactly like how web.xml works, except it can do so for the
case where an unsecure action calls a secure action too.
That
-Original Message-
From: Rickard Öberg [mailto:[EMAIL PROTECTED]]
Chris Nokleberg wrote:
Here's another way: define the roles that are allowed to access an
action in xwork.xml, and create an interceptor that checks
it. Then it
can work exactly like how web.xml works, except
Jason Carreira wrote:
Creating an extra interceptor to re-create J2EE declarative security
is at least some extra machinery compared to just using what is
there. I'm not saying that it's bad, in fact I kind of like the idea
of restricting which roles can run packages of actions, but I would
-Original Message-
From: Rickard Öberg [mailto:[EMAIL PROTECTED]]
The problem with that is keeping them in sync. I'd prefer
using one file
with namespaces instead.
I'm planning on using Xdoclet, I don't know about you. :-)
On 3/1/03 7:25 PM, Rickard Öberg ([EMAIL PROTECTED]) penned the words:
Mike Cannon-Brookes wrote:
Hrm - no, this is thinking the wrong way mate :)
If webwork defined paths, security would work perfectly right?
So why not have webwork only 'work' if the path is correct (and defined)?
Ie
Mike Cannon-Brookes wrote:
I have _never_ needed to use the fact that actions can move paths, and I
would hasten to guess that 95% of WebWork users don't care either?
That might be so, yes.
Leave the option open to do both, and we'll satisfy the security problems
(by pinning paths).
Make
Damn! A little late :(.
- Original Message -
From: matt baldree [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 04, 2003 9:56 AM
Subject: Re: [OS-webwork] Re: Action invocation
Can someone summarize the issues? If you build XWork the way you want what
would be left out
. With my
help I think that we can address all the open issues, ignore all the jackass
comments, and still get all your cool ideas in.
-Pat
- Original Message -
From: Rickard Öberg [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 04, 2003 6:46 AM
Subject: Re: [OS-webwork] Re
Ah well... personally I don't really care, since I have never used
declarative security and will never use it either.
You might change your tune when you're asked to integrate your CMS
product with an existing security framework... Especially if it's a
large user base and they've gone
PROTECTED]]On Behalf Of
Rickard Öberg
Sent: Thursday, January 02, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [OS-webwork] Re: Action invocation
Chris Miller wrote:
Remind me again why .action causes problems with declaritive security?
Surely the real problem is that Webwork currently
Mike Cannon-Brookes wrote:
Hrm - no, this is thinking the wrong way mate :)
If webwork defined paths, security would work perfectly right?
So why not have webwork only 'work' if the path is correct (and defined)?
Ie /admin/foo.action would execute foo, but /bar/admin/foo.action would
execute
On Fri, Jan 03, 2003 at 09:25:43AM +0100, Rickard Öberg wrote:
Mike Cannon-Brookes wrote:
Hrm - no, this is thinking the wrong way mate :)
If webwork defined paths, security would work perfectly right?
So why not have webwork only 'work' if the path is correct (and defined)?
Ie
Ok. Damn. Removing .action invocations would have made things much
simpler, especially for the declarative security users.
Remind me again why .action causes problems with declaritive security?
Surely the real problem is that Webwork currently doesn't care if an
arbitrary path is specified in
Chris Miller wrote:
Remind me again why .action causes problems with declaritive security?
Surely the real problem is that Webwork currently doesn't care if an
arbitrary path is specified in the URL. ie:
http://www.me.com/abc123/admin/deleteUser.action is treated the same as
PROTECTED]
Subject: Re: [OS-webwork] Re: Action invocation
Chris Miller wrote:
Remind me again why .action causes problems with
declaritive security?
Surely the real problem is that Webwork currently doesn't
care if an
arbitrary path is specified in the URL. ie:
http://www.me.com/abc123
Hrm - no, this is thinking the wrong way mate :)
If webwork defined paths, security would work perfectly right?
So why not have webwork only 'work' if the path is correct (and defined)?
Ie /admin/foo.action would execute foo, but /bar/admin/foo.action would
execute nothing.
That way you keep
May be we can add explicit url to action mapping instead of relying on using
the success view. For e.g, something like:
url path=/admin/deleteUser.jsp
action-ref name=admin.deleteUser/
/url
Or that can be implemented as part of a servlet filter configuration.
Regards,
Low
--- Rickard_Öberg
17 matches
Mail list logo
