Someone e-mailed me privately the following question about security and the use of DispatchAction and a hidden variable. I'd appreciate any comments....
<pertinent question>
When using the dispatch action, you make use of a hidden variable to determine which method will be called. What happens if this hidden variable is changed to a method which does not exist? Is an error thrown (the user can change hidden variables to be malicious)? Also, if the user changes the hidden variable from update to insert, will it duplicate the entry of the employee, or would you check that the employee already existed? I know for the sake of the tutorial you probably left this out, but this is a common assumption that people make which leads to security holes.
</end pertinent question>

Would the following help?

- Keep JSPs under WEB-INF
- Use LookupDispatchAction instead of DispatchAction
- Make sure to use token to avoid duplicate inserts

Thanks for any Struts user comments on the issue.

--
Rick Reumann
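The following is an added illustration, not part of the original e-mail and not Struts code: a plain-Java model of the server-side checks the question turns on, namely an allow-list of dispatch values (the idea behind LookupDispatchAction's key-to-method map), a one-time form token, and handlers that re-check whether the employee exists. All class, method and parameter names are hypothetical, and the requests in `main` are constructed sample input.

```java
import java.util.*;
import java.util.function.Function;

// Added illustration: a dispatcher driven by a client-supplied hidden field.
public class DispatchDemo {
    // Constructed in-memory "employee table": id -> name.
    static final Map<String, String> EMPLOYEES = new HashMap<>();
    // One-time tokens issued when a form is rendered (per session in a real app).
    static final Set<String> ISSUED_TOKENS = new HashSet<>();
    // Server-side allow-list: only these dispatch values ever reach a handler.
    static final Map<String, Function<Map<String, String>, String>> HANDLERS = new HashMap<>();
    static {
        HANDLERS.put("insert", DispatchDemo::insert);
        HANDLERS.put("update", DispatchDemo::update);
    }

    static String newToken() {
        String token = UUID.randomUUID().toString();
        ISSUED_TOKENS.add(token);
        return token;
    }

    static String dispatch(Map<String, String> params) {
        // A tampered or missing hidden value is rejected here, never reflected on.
        Function<Map<String, String>, String> handler = HANDLERS.get(params.get("dispatch"));
        if (handler == null) return "400 unknown action";
        // The token is consumed on first use, so a replayed or double-submitted form fails.
        if (!ISSUED_TOKENS.remove(params.get("token"))) return "409 stale or missing token";
        return handler.apply(params);
    }

    // Each handler checks current state itself; it does not trust the action the form claimed.
    static String insert(Map<String, String> p) {
        if (EMPLOYEES.putIfAbsent(p.get("id"), p.get("name")) != null) return "409 employee exists";
        return "201 inserted";
    }

    static String update(Map<String, String> p) {
        if (EMPLOYEES.replace(p.get("id"), p.get("name")) == null) return "404 no such employee";
        return "200 updated";
    }

    public static void main(String[] args) {
        String t1 = newToken();
        Map<String, String> form = Map.of("dispatch", "insert", "id", "7", "name", "Ann", "token", t1);
        System.out.println(dispatch(form));   // first submit
        System.out.println(dispatch(form));   // same form replayed
        // Hidden field flipped from update to insert for an existing employee.
        System.out.println(dispatch(Map.of("dispatch", "insert", "id", "7", "name", "Ann", "token", newToken())));
        // Hidden field changed to a method that does not exist.
        System.out.println(dispatch(Map.of("dispatch", "dropAll", "token", newToken())));
        System.out.println(dispatch(Map.of("dispatch", "update", "id", "7", "name", "Anne", "token", newToken())));
    }
}
```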