Jan T. Kim wrote:
>>> (2) Isn't encoding methods in action name suffixes like this a potential
>>> security issue?
>
> So, are wildcards useful for development but have to be expanded before
> putting a system to production use?
The only security issue I'm aware of is if the developer exposes
unwanted behavior in an action by making methods public when they
shouldn't be. A web app should have a real security mechanism in place
anyway, making sure that only users with appropriate access rights are
able to execute actions (or whatever granularity is required).
> Replacing the filename globbing like wildcard system with a complete
> regular expression system would allow writing more precise rules, e.g.
> one could write
>
> <action name="^bleh(_((input)|(dummy)))?$" method="{2}" ...>
> ...
> </action>
>
> and be certain that the method attribute won't take any values other
> than "input", "dummy", or the empty string (which then probably should
> map to the execute method).
I'm sure we'd consider a patch, if such a matcher doesn't already
exist--but personally I'm not convinced of the utility, since it
basically means you'd then have two places to keep up to date: the
action class and its mapping (assuming XML configuration).
Dave
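To make the two mapping styles in the thread concrete, here is an added example (not code from the thread or from Struts itself) that models the matching semantics in Python: a `bleh_*` wildcard whose `{1}` is the whole suffix, against Jan's anchored expression whose `{2}` can only ever be `input`, `dummy` or empty. The action class and its list of public methods are constructed for the illustration; the wildcard is modelled as `(.*)` and `{n}` as regex group n, which is an assumption about how a matcher would resolve them.

```python
import re

# Constructed mappings mirroring the two styles discussed in the thread.
GLOB_NAME = "bleh_*"                                   # wildcard mapping
GLOB_PATTERN = re.compile(re.escape(GLOB_NAME).replace(r"\*", "(.*)"))
REGEX_NAME = re.compile(r"^bleh(_((input)|(dummy)))?$")  # Jan's proposal


def glob_method(action_name):
    """Method a 'bleh_*' / method='{1}' mapping selects, or None if no match.

    Whatever follows 'bleh_' becomes the method name, so every public
    method on the action class is reachable through this mapping.
    """
    m = GLOB_PATTERN.fullmatch(action_name)
    return m.group(1) if m else None


def regex_method(action_name):
    """Method a '^bleh(_((input)|(dummy)))?$' / method='{2}' mapping selects.

    Group 2 can only be 'input' or 'dummy'; when the optional suffix is
    absent the empty value is mapped to 'execute', as the thread suggests.
    Any other action name simply does not match.
    """
    m = REGEX_NAME.fullmatch(action_name)
    if not m:
        return None
    return m.group(2) or "execute"


def reachable_methods(public_methods, resolver, prefix="bleh_"):
    """Audit helper (hypothetical): which of an action class's public
    methods can be reached by a client through the given mapping?"""
    return sorted(m for m in public_methods if resolver(prefix + m) == m)


# Constructed action class: 'clearCache' is public but was never meant
# to be a web-reachable action method.
PUBLIC_METHODS = ["execute", "input", "dummy", "clearCache"]

if __name__ == "__main__":
    for name in ["bleh", "bleh_input", "bleh_dummy", "bleh_clearCache"]:
        print(f"{name:18} glob -> {glob_method(name)!s:12} regex -> {regex_method(name)}")
    print("reachable via glob :", reachable_methods(PUBLIC_METHODS, glob_method))
    print("reachable via regex:", reachable_methods(PUBLIC_METHODS, regex_method))
```

The audit helper is the practical takeaway: with the wildcard mapping every public method, including `clearCache`, is reachable, whereas the anchored expression confines the exposed surface to exactly the names written in the mapping. That is the trade-off Dave describes: the tighter rule has to be kept in sync with the action class.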