You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@struts.apache.org by Andreas Sachs <an...@gmx.de> on 2012/01/03 23:50:41 UTC
strict DMI
Hi,
i like the idea of strict-method-invocation="true" and the possibility to define the allowed methods. I'm just wondering why this is only implemented for DMI and not for wildcard method invocation.
Are there any reasons for this?
Thanks
Andi
--
Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: strict DMI
Posted by Andreas Sachs <an...@gmx.de>.
I created one before you: 3735
I will write a comment, that it is a duplicate.
Thanks for the fix in 2.3.2
Andi
-------- Original-Nachricht --------
> Datum: Fri, 6 Jan 2012 15:09:08 -0800
> Von: John Lindal <su...@newplanetsoftware.com>
> An: "Struts Developers List" <de...@struts.apache.org>
> Betreff: Re: strict DMI
> I created a ticket for this:
> https://issues.apache.org/jira/browse/WW-3740
>
> John
>
> On Jan 4, 2012, at 12:00 PM, Andreas Sachs wrote:
>
> > Hi John,
> > thanks for the clarification.
> >
> > But to come back to my original question:
> > Why is <allowed-methods> not available for wildcard method
> > invocation? Even you expected that it is available (your first post).
> >
> > Allowed-methods would be a good possibility to limit the wildcard to
> > some method names.
> >
> > Or is there another possibility to do something like this:
> > <action name="(Method1|Method2|Method3)Crud" class="example.Crud"
> > method="{1}">
> >
> > i expected:
> >
> > <action name="*Crud" class="example.Crud" method="{1}">
> > <allowed-methods>Method1,Method2,Method3</allowed-methods>
> >
> > Thanks for your work
> > Andi
> >
> >
> >
> >
> > --
> > Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
> > belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > For additional commands, e-mail: dev-help@struts.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
--
Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: strict DMI
Posted by John Lindal <su...@newplanetsoftware.com>.
I created a ticket for this: https://issues.apache.org/jira/browse/WW-3740
John
On Jan 4, 2012, at 12:00 PM, Andreas Sachs wrote:
> Hi John,
> thanks for the clarification.
>
> But to come back to my original question:
> Why is <allowed-methods> not available for wildcard method
> invocation? Even you expected that it is available (your first post).
>
> Allowed-methods would be a good possibility to limit the wildcard to
> some method names.
>
> Or is there another possibility to do something like this:
> <action name="(Method1|Method2|Method3)Crud" class="example.Crud"
> method="{1}">
>
> i expected:
>
> <action name="*Crud" class="example.Crud" method="{1}">
> <allowed-methods>Method1,Method2,Method3</allowed-methods>
>
> Thanks for your work
> Andi
>
>
>
>
> --
> Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
> belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: strict DMI
Posted by John Lindal <su...@newplanetsoftware.com>.
The wildcard support is limited to *, since (Method1|Method2|Method3)
is actually a regex, not a wildcard.
I agree that allowed-methods ought to limit the wildcard matching.
Can you file a JIRA ticket for this?
Thanks,
John
On Jan 4, 2012, at 12:00 PM, Andreas Sachs wrote:
> Hi John,
> thanks for the clarification.
>
> But to come back to my original question:
> Why is <allowed-methods> not available for wildcard method
> invocation? Even you expected that it is available (your first post).
>
> Allowed-methods would be a good possibility to limit the wildcard to
> some method names.
>
> Or is there another possibility to do something like this:
> <action name="(Method1|Method2|Method3)Crud" class="example.Crud"
> method="{1}">
>
> i expected:
>
> <action name="*Crud" class="example.Crud" method="{1}">
> <allowed-methods>Method1,Method2,Method3</allowed-methods>
>
> Thanks for your work
> Andi
>
>
>
>
> --
> Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
> belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: strict DMI
Posted by Andreas Sachs <an...@gmx.de>.
Hi John,
thanks for the clarification.
But to come back to my original question:
Why is <allowed-methods> not available for wildcard method invocation? Even you expected that it is available (your first post).
Allowed-methods would be a good possibility to limit the wildcard to some method names.
Or is there another possibility to do something like this:
<action name="(Method1|Method2|Method3)Crud" class="example.Crud" method="{1}">
i expected:
<action name="*Crud" class="example.Crud" method="{1}">
<allowed-methods>Method1,Method2,Method3</allowed-methods>
Thanks for your work
Andi
--
Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: strict DMI
Posted by John Lindal <su...@newplanetsoftware.com>.
Actually, the wiki did mention that "method" is in addition to allowed-
methods. I have updated it to make it clearer and also explain that
since wildcards are specified in the "method", this is not blocked by
allowed-methods. I also added a note about allowed-methods without
strict-method-invocation. (They are independent.)
Thanks for the feedback.
John
On Jan 4, 2012, at 12:49 AM, Andreas Sachs wrote:
> According to the documentation:
> In Struts 2.3, an option was added to restrict the methods that DMI
> can invoke. First, set the attribute strict-method-invocation="true"
> on your <package> element. Then specify <allowed-methods> as a comma-
> separated list of method names in your <action>. A request for any
> other method will be rejected. (If you specify a method attribute
> for your action, you do not need to list it in <allowed-methods>.)
>
> It's not defined what will happen if a method attribute for the
> action is specified (wildcard or not) and <allowed-methods> is also
> specified.
>
> Can you make the documentation of <allowed-methods> and strict-
> method-invocation more clear?
>
> What does strict-method-invocation mean:
> set to true:
> -method attribute must be specified or allowed-methods must be
> defined?
>
> set to false:
> -method attribute need not be specified and allowed-methods need not
> be defined. But what will happen if i add allowed-methods? (is the
> invocation limited to these methods?)
>
>
> What does <allowed-methods> mean:
> If a method attribute and allowed-methods is specified, will
> allowed-methods be respected (this makes only sense if the method
> attribute contains a wildcard)?
>
>
> From my point of view <allowed-methods> should be treated
> independently of strict-method-invocation:
>
> allowed_method: if specified, it should be respected, even if strict-
> method-invocation is turned off.
> strict-method-invocation: if turned on, methods must be specified
> (by method-attribute or allowed_method)
>
>
> Thanks
> Andi
>
>
>
> -------- Original-Nachricht --------
>> Datum: Tue, 3 Jan 2012 15:42:50 -0800
>> Von: John Lindal <su...@newplanetsoftware.com>
>> An: "Struts Developers List" <de...@struts.apache.org>
>> Betreff: Re: strict DMI
>
>> I think the <allowed-methods> tag inside an <action> controls both.
>>
>> John
>>
>> On Jan 3, 2012, at 2:50 PM, Andreas Sachs wrote:
>>
>>> Hi,
>>> i like the idea of strict-method-invocation="true" and the
>>> possibility to define the allowed methods. I'm just wondering why
>>> this is only implemented for DMI and not for wildcard method
>>> invocation.
>>> Are there any reasons for this?
>>>
>>> Thanks
>>> Andi
>>> --
>>> Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
>>> belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>>> For additional commands, e-mail: dev-help@struts.apache.org
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>
> --
> NEU: FreePhone - 0ct/min Handyspartarif mit Geld-zurück-Garantie!
> Jetzt informieren: http://www.gmx.net/de/go/freephone
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: strict DMI
Posted by Andreas Sachs <an...@gmx.de>.
According to the documentation:
In Struts 2.3, an option was added to restrict the methods that DMI can invoke. First, set the attribute strict-method-invocation="true" on your <package> element. Then specify <allowed-methods> as a comma-separated list of method names in your <action>. A request for any other method will be rejected. (If you specify a method attribute for your action, you do not need to list it in <allowed-methods>.)
It's not defined what will happen if a method attribute for the action is specified (wildcard or not) and <allowed-methods> is also specified.
Can you make the documentation of <allowed-methods> and strict-method-invocation more clear?
What does strict-method-invocation mean:
set to true:
-method attribute must be specified or allowed-methods must be defined?
set to false:
-method attribute need not be specified and allowed-methods need not be defined. But what will happen if i add allowed-methods? (is the invocation limited to these methods?)
What does <allowed-methods> mean:
If a method attribute and allowed-methods is specified, will allowed-methods be respected (this makes only sense if the method attribute contains a wildcard)?
>From my point of view <allowed-methods> should be treated independently of strict-method-invocation:
allowed_method: if specified, it should be respected, even if strict-method-invocation is turned off.
strict-method-invocation: if turned on, methods must be specified (by method-attribute or allowed_method)
Thanks
Andi
-------- Original-Nachricht --------
> Datum: Tue, 3 Jan 2012 15:42:50 -0800
> Von: John Lindal <su...@newplanetsoftware.com>
> An: "Struts Developers List" <de...@struts.apache.org>
> Betreff: Re: strict DMI
> I think the <allowed-methods> tag inside an <action> controls both.
>
> John
>
> On Jan 3, 2012, at 2:50 PM, Andreas Sachs wrote:
>
> > Hi,
> > i like the idea of strict-method-invocation="true" and the
> > possibility to define the allowed methods. I'm just wondering why
> > this is only implemented for DMI and not for wildcard method
> > invocation.
> > Are there any reasons for this?
> >
> > Thanks
> > Andi
> > --
> > Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
> > belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > For additional commands, e-mail: dev-help@struts.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
--
NEU: FreePhone - 0ct/min Handyspartarif mit Geld-zurück-Garantie!
Jetzt informieren: http://www.gmx.net/de/go/freephone
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: strict DMI
Posted by John Lindal <su...@newplanetsoftware.com>.
I think the <allowed-methods> tag inside an <action> controls both.
John
On Jan 3, 2012, at 2:50 PM, Andreas Sachs wrote:
> Hi,
> i like the idea of strict-method-invocation="true" and the
> possibility to define the allowed methods. I'm just wondering why
> this is only implemented for DMI and not for wildcard method
> invocation.
> Are there any reasons for this?
>
> Thanks
> Andi
> --
> Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
> belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org