Posted to dev@struts.apache.org by Don Brown <mr...@twdata.org> on 2004/12/21 20:04:05 UTC

Re: DispatchChainAction (Struts 1.3)

You raise a good point.  Unfortunately, only one parameter can be passed 
through ActionMapping.  DispatchChainAction really needs an 
"allowedCommands" parameter to specify what commands would be allowed. 
Perhaps we could use the new set/getProperty methods available in 
ActionConfig where allowedCommands could be specified.

Don

Benedict, Paul C wrote:
> I noticed in Struts 1.3 there is a DispatchChainAction, and the parameter
> attribute specifies the name of the chain to execute. Would somebody
> consider that a security hole? It seems like anyone could arbitrarily
> execute any chain command in the entire Struts app if they knew it -- unlike
> a normal DispatchAction whose parameter is only relevant for that Action
> class.
> 
> Also, I hope there will be a MappingDispatchChainAction too. The
> MappingDispatchAction is, in my opinion, the absolute best feature of Struts
> 1.2 and secures the internals of the app better (i.e., not exposing method
> names to the world). However, it seems that it would be impossible to
> implement (currently) since the parameter attribute is already in use for
> the chain command.
> 
> Thanks,
> Paul
> 
> 
> ------------------------------------------------------------------------------
> Notice:  This e-mail message, together with any attachments, contains information of Merck & Co., Inc. (One Merck Drive, Whitehouse Station, New Jersey, USA 08889), and/or its affiliates (which may be known outside the United States as Merck Frosst, Merck Sharp & Dohme or MSD and in Japan, as Banyu) that may be confidential, proprietary copyrighted and/or legally privileged. It is intended solely for the use of the individual or entity named on this message.  If you are not the intended recipient, and have received this message in error, please notify us immediately by reply e-mail and then delete it from your system.
> ------------------------------------------------------------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: DispatchChainAction (Struts 1.3)

Posted by Joe Germuska <Jo...@Germuska.com>.
At 11:04 AM -0800 12/21/04, Don Brown wrote:
>You raise a good point.  Unfortunately, only one parameter can be 
>passed through ActionMapping.  DispatchChainAction really needs an 
>"allowedCommands" parameter to specify what commands would be 
>allowed. Perhaps we could use the new set/getProperty methods 
>available in ActionConfig where allowedCommands could be specified.

Actually, the main reason for implementing the getProperty(String) 
extension to ActionConfig was for the Chain Actions to be able to 
pass more parameters in.  I don't use the request parameter 
dispatching (in fact, this seems to me a pretty good argument against 
it even outside of chain), but for the version which is configured 
using the ActionMapping, you need to be able to pass in the name of 
the catalog as well as the command.  My thought was that the 
ChainAction would be updated to use two properties in the 
ActionMapping instead of the one "parameter" value.  It really isn't 
right to assume that the commands are in any specific catalog.

I suppose that using this facility to set the name of the catalog 
might provide at least a layer of obscurity, if you only dispatched 
to commands in a private chain - but you are still exposing the names 
of valid commands in the request values.  Since I don't use the 
dispatching, I would defer to someone else to decide whether that 
class should use a different param to get the catalog name, or should 
get the catalog name from the ActionMapping, or something else...

Joe



-- 
Joe Germuska            
Joe@Germuska.com  
http://blog.germuska.com    
"Narrow minds are weapons made for mass destruction"  -The Ex

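An added illustration of the two ideas in this thread, Don's "allowedCommands" allow-list and Joe's separate catalog property read through ActionConfig.getProperty(String). This is not Struts' own DispatchChainAction and not either author's code; the class name, the property names and the struts-config fragment in the comment are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.chain.Catalog;
import org.apache.commons.chain.CatalogFactory;
import org.apache.commons.chain.Command;
import org.apache.commons.chain.impl.ContextBase;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Hypothetical class, not Struts' own DispatchChainAction. The request still names the
 * command, but the mapping declares the catalog and the commands it is willing to run:
 *   <action path="/order" type="example.AllowListedChainDispatchAction" parameter="cmd">
 *     <set-property key="catalog" value="orders"/>
 *     <set-property key="allowedCommands" value="list,view"/>
 *   </action>
 */
public class AllowListedChainDispatchAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // Struts 1.3: ActionConfig.getProperty(String) reads <set-property key=...> values,
        // so the single "parameter" attribute no longer has to carry everything.
        String catalogName = mapping.getProperty("catalog");
        Set<String> allowed = parseAllowedCommands(mapping.getProperty("allowedCommands"));
        String commandName = request.getParameter(mapping.getParameter());
        // Deny by default: only commands listed for this mapping are reachable from a request.
        if (commandName == null || !allowed.contains(commandName)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }
        Catalog catalog = CatalogFactory.getInstance().getCatalog(catalogName);
        Command command = (catalog == null) ? null : catalog.getCommand(commandName);
        if (command == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }
        command.execute(new ContextBase());
        return mapping.findForward("success");
    }

    /** Splits "list, view" into {"list","view"}; a null or empty value allows nothing. */
    static Set<String> parseAllowedCommands(String csv) {
        if (csv == null || csv.trim().length() == 0) return new HashSet<String>();
        return new HashSet<String>(Arrays.asList(csv.trim().split("\\s*,\\s*")));
    }
}
```

A mapping that omits allowedCommands dispatches nothing, which keeps a misconfigured mapping closed rather than open.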