I have worked with Struts at a few different companies now, and I noticed none of them try to do any checks to see that only POST methods can successfully make it to Actions which handle form submittals. Struts allows GETs and POSTs to make it to every Action, so it seems like this would be something to think about (or maybe not; that is one reason I am asking).

So I guess I have a few questions then:

1. Shouldn't I worry about (and defend against) which request method types (GET, POST, etc.) can make it to which actions?
2. If so, does Struts have a built-in mechanism like <action path="/whatever" requestMethod="POST">, or if not,
3. Should I be doing something like this at the top of my execute() method:

       if (!"POST".equals(request.getMethod())) {
           return mapping.findForward("failure");
       }

   for Actions which should require a POST only?

With #1 I mean should it matter if someone can go to the URL field in the browser and type in all the field / value pairs for a form and hit enter (I am thinking it does matter) compared to HAVING to do a POST for it to succeed?

I am just thinking back to the Servlet programming days when you put the form submittal handling code in the doPost() and the other code in the doGet() methods.

Any thoughts on this?
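
One way to apply the check from question 3 once instead of repeating it in every execute(), shown as an added example that is not part of the original post: a Struts 1 base Action that rejects any method a subclass has not allowed and answers with 405 rather than a "failure" forward. The class name MethodRestrictedAction and the doExecute() hook are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Hypothetical base class (not part of Struts). A form-handling Action
 * extends it and calls super("POST") from its public no-arg constructor.
 */
public abstract class MethodRestrictedAction extends Action {

    private final Set<String> allowed;
    private final String allowHeader;

    protected MethodRestrictedAction(String... methods) {
        allowed = new HashSet<String>(Arrays.asList(methods));
        StringBuilder sb = new StringBuilder();
        for (String m : methods) {
            if (sb.length() > 0) sb.append(", ");
            sb.append(m);
        }
        allowHeader = sb.toString();
    }

    // final, so a subclass cannot skip the check by overriding execute()
    @Override
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // HTTP method names are case-sensitive, so compare exactly.
        if (!allowed.contains(request.getMethod())) {
            response.setHeader("Allow", allowHeader);
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return null; // response is complete; Struts does no forwarding
        }
        return doExecute(mapping, form, request, response);
    }

    /** The Action's real work; only reached for an allowed method. */
    protected abstract ActionForward doExecute(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}
```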