On 4/11/2018 11:11 AM, Lukasz Lenart wrote:
> 2018-04-09 16:59 GMT+02:00 DevaGerald <devasakayam...@gmail.com>:
>> Thanks a lot Lukasz.
>>
>> I have resolved it by adding
>> <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods> in my
>> struts.xml
>>
>> Do I have any alternative for this?
> 
> No but I didn't want to suggest this as this basically opens a
> potential security hole in your app. In this case any public method
> can be called especially when using DMI.
> I wonder if we can introduce another pattern here like "allow methods
> for this class hierarchy":
> <allowed-methods>class:BaseAction</allowed-methods> - wdyt?
> 

As Lukasz correctly mentioned, if you would like to keep better
security, then you have to separate or define the action methods from
the other ones. If defining them in XML might make the code clumsy, then
couldn't you refactor their names to have a common regex, e.g. user*?
Then, e.g., you can define
<global-allowed-methods>regex:user[a-zA-Z]*</global-allowed-methods>
which separates them from the other methods to satisfy security.

Regards.
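An added struts.xml example, not taken from this thread or from the Struts project, that puts the permissive setting from the question beside the narrowed one suggested above. It assumes Struts 2.5 or later, where Strict Method Invocation (SMI) and the global-allowed-methods / allowed-methods elements exist; the package names, action class names and JSP paths are made up for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- SMI is what makes allowed-methods meaningful at all. -->
    <constant name="struts.strictMethodInvocation" value="true"/>
    <!-- Keep Dynamic Method Invocation (the "!method" / "method:" URL syntax) off
         unless the application really needs it; with DMI on, the regex below is the
         only thing standing between a URL and a public method. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>

    <!-- 1) The permissive setting from the question: every public method of every
            action in this package becomes reachable by name (shown for contrast). -->
    <package name="loose" extends="struts-default" namespace="/loose">
        <global-allowed-methods>regex:[a-zA-Z]*</global-allowed-methods>
        <action name="user*" class="com.example.web.UserAction" method="user{1}">
            <result name="success">/WEB-INF/jsp/users/{1}.jsp</result>
        </action>
    </package>

    <!-- 2) The narrowed version: only methods whose names start with "user"
            are callable. Helpers such as loadDefaults() or deleteAll() on the
            same class stay unreachable even though they are public. -->
    <package name="users" extends="struts-default" namespace="/users">
        <global-allowed-methods>regex:user[a-zA-Z]*</global-allowed-methods>

        <!-- /users/userList -> UserAction.userList(), /users/userSave -> userSave(), ...
             The wildcard keeps the XML short; the regex keeps it restricted. -->
        <action name="user*" class="com.example.web.UserAction" method="user{1}">
            <result name="success">/WEB-INF/jsp/users/{1}.jsp</result>
            <result name="input">/WEB-INF/jsp/users/form.jsp</result>
        </action>

        <!-- An action whose method does not fit the naming rule lists it explicitly;
             a per-action allowed-methods is merged with the package-wide one. -->
        <action name="report" class="com.example.web.ReportAction" method="render">
            <result>/WEB-INF/jsp/report.jsp</result>
            <allowed-methods>render</allowed-methods>
        </action>
    </package>
</struts>
```

A quick check after deploying: request a method that exists on the action class but does not match the regex (for the "users" package, anything not starting with "user"); with SMI on it should be rejected rather than executed, while the same request against the "loose" package goes through.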

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
