I think lookupdispatch is definitely better than dispatch.

-----Original Message-----
From: Robert S. Sfeir [mailto:[EMAIL PROTECTED]
Sent: Friday, November 14, 2003 9:25 PM
To: Struts Users Mailing List
Subject: Re: DispatchAction and Security



True, but I can at least control the damage, or so it seems.  I know
NOTHING of the LookupDispatchAction and my reaction was in response to a
comment from Tero, and the explanation in the API, it looked like it
could be locked down, but perhaps it's a major misconception.

You're right, either way someone malicious will always be able to do
something to hurt a webapp, I'm just digging in to make sure that I'm
not using DispatchAction and causing myself more grief than needed,
which you've adequately answered for me, and am grateful for it.

Thanks
R

Paul McCulloch wrote:

| I'm not sure that LookupDispatchAction will enable you to lock things
| down any more. If you were to lock down a method by removing the entry
| from the MethodMap then nothing would be able to use that method!
|
| If the user can initiate a call to a method from their browser through a
| page you have created, then they will be able to call the same method
| (with different arguments perhaps) from a page of their own creation.
|
| With web applications I don't think it is ever safe to trust the
| browser to only ever make requests that you are expecting. A malicious
| user will always be able to make an 'illegal' request to your application.
|
| Paul
|
| -----Original Message-----
| From: Robert S. Sfeir [mailto:[EMAIL PROTECTED]
| Sent: 14 November 2003 15:17
| To: Struts Users Mailing List
| Subject: Re: DispatchAction and Security
|
|
|
|
| **************************************
| Axios Email Confidentiality Footer
| Privileged/Confidential Information may be contained in this message.
| If you are not the addressee indicated in this message (or responsible
| for delivery of the message to such person), you may not copy or deliver
| this message to anyone. In such case, you should destroy this message,
| and notify us immediately. If you or your employer does not consent to
| Internet email messages of this kind, please advise us immediately.
| Opinions, conclusions and other information expressed in this message
| are not given or endorsed by my Company or employer unless otherwise
| indicated by an authorised representative independent of this message.
| WARNING:
| While Axios Systems Ltd takes steps to prevent computer viruses from
| being transmitted via electronic mail attachments we cannot guarantee
| that attachments do not contain computer virus code.  You are therefore
| strongly advised to undertake anti virus checks prior to accessing the
| attachment to this electronic mail.  Axios Systems Ltd grants no
| warranties regarding performance use or quality of any attachment and
| undertakes no liability for loss or damage howsoever caused.
|
|
| Not using LookupDispatchAction, but now that you explain it that way I
| can see how LookupDispatchAction can help me lock things down even more.
| ~ I hadn't realized that and misunderstood the API docs.
|
| I think I'll give this a try.
|
| R
|
| Paananen, Tero wrote:
|
| |>So, only methods which you deliberately implement
| |>with the appropriate signature can be executed
| |>via a dispatch action - you shouldn't be
| |>concerned.
| |
| |
| | You also have to specify the allowed methods and
| | their lookup key in the key method map; see
| | getKeyMethodMap().
| |
| |                             -TPP
| |
| | -----------------------------------------
| | This email may contain confidential and privileged material for the
| | sole use of the intended recipient(s). Any review, use, retention,
| | distribution or disclosure by others is strictly prohibited. If you are
| | not the intended recipient (or authorized to receive for the recipient),
| | please contact the sender by reply email and delete all copies of this
| | message.  Also, email is susceptible to data corruption, interception,
| | tampering, unauthorized amendment and viruses. We only send and receive
| | emails on the basis that we are not liable for any such corruption,
| | interception, tampering, amendment or viruses or any consequence thereof.
| |
| |
| | ---------------------------------------------------------------------
| | To unsubscribe, e-mail: [EMAIL PROTECTED]
| | For additional commands, e-mail: [EMAIL PROTECTED]
| |









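As an added illustration of the point Tero and Paul make above (example code written for this thread, not code from any poster or from Struts itself): a hypothetical LookupDispatchAction subclass whose getKeyMethodMap() acts as the allow-list of reachable methods, with the per-caller authorisation check done server-side because the browser can submit any button value it likes. The class name, message keys, role name and forward names are assumptions; the page is assumed to submit buttons via an html:submit whose property matches the action mapping's parameter attribute.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.LookupDispatchAction;

// Hypothetical action; names below are assumptions made for this example.
public class OrderAction extends LookupDispatchAction {

    // The key/method map is the allow-list: whatever button label the
    // browser posts, it is resolved to a message-resource key and then
    // through this map, so only "save" and "delete" can ever be dispatched.
    // Keys are resource keys (e.g. button.save=Save in the properties
    // file); values are the names of public methods on this class.
    protected Map getKeyMethodMap() {
        Map map = new HashMap();
        map.put("button.save", "save");
        map.put("button.delete", "delete");
        return map;
    }

    public ActionForward save(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // ... persist the order here ...
        return mapping.findForward("success");
    }

    // Being in the map means the method is callable, not that this caller
    // may call it. A user who was never shown a Delete button can still
    // post the parameter, so the role check has to live here, server-side.
    public ActionForward delete(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        if (!request.isUserInRole("orderAdmin")) {   // assumed role name
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        // ... delete the order here ...
        return mapping.findForward("success");
    }
}
```

Removing an entry from the map blocks the method for everyone, as Paul notes, so the map decides what exists and the in-method check decides who may use it.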