You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@struts.apache.org by Don Brown <do...@gmail.com> on 2006/08/21 20:26:26 UTC
[s2] Action ! Method syntax (was Freemarker transform name)
Ok, this issue breaks down like this in my mind:
1. Should our tags (url, form, etc) have attributes for the
namespace, action, and method, or just have one for the url?
2. Should our default ActionMapper allow the method to be specified in the url?
Issue #1 goes back to the more fundamental issue of whether Struts 2
is a _web_ framework that treats URLs as king or a more general app
framework that hides the URL from the developer. Personally, I think
Struts 2 should be centered around the concept of the URL and not be
hidden. Even in the case of portlets, the concept of a identifying
string for the controller is important. If you want the framework
hide the HTTP and HTML from you, JSF or Wicket might be a better
framework than Struts.
Issue #2 I think is moot because of the new Able stuff Patrick has
done, which contains an ActionMapper that works without any
configuration. He's opening a ticket and I'm sure we'll be discussing
it further at a later time.
Therefore, the main issue at hand is #1, whether to hide the URL from
the user by breaking it down into defined components, or to expose the
URL, as a whole, to the developer. I think we should remove the
method and namespace attributes on the tags and elevate the status of
the URL in Struts 2.
Don
The core issue here is whether we want to allow tags to specify the
method and therefore the URL. If there are legimate benefits to
continuing to support explicit method naming, and from Patrick's Able
stuff it seems there are, I'm fine with reverting those changes.
Wildcards can still be used and
On 8/21/06, Patrick Lightbody <fo...@opensymphony.com> wrote:
> Ted,
> I'm still not yet on board with removing the ! syntax until we have a solid replacement. I don't think pointing to wildcards is enough, especially since you would have to create a wildcard for every namespace. That is more configuration than I'm willing to recommend to our users.
>
> I would, however, be open to introducing the type of action mapping and convention-based configuration I have put in to Able, while still also supporting struts.xml:
>
> http://svn.opensymphony.com/fisheye/browse/sandbox/able/src/main/java/com/opensymphony/able/webwork/AbleActionMapper.java?r=7
>
> http://svn.opensymphony.com/fisheye/browse/sandbox/able/src/main/java/com/opensymphony/able/webwork/AbleConfiguration.java?r=4
>
> But without something like the above, or with a way to use wildcards for multiple namespaces, I cannot readily agree to dropping the ! syntax.
>
> I know that the overriding concern is "security". I have a few thoughts on that:
>
> 1) I would suggest reaching out to the big WebWork users (Jive, Atlassian, Google, others) to see if this is something that has concerned them in the past. My feeling is that it isn't a big concern, because they understand anything in an action is "fair game" to URL manipulators and that that has always been clearly understood.
>
> 2) Assuming we want to make method invocation more obvious, we could require an annotation or a convention such as as doXxx, such as RIFE does.
> ---------------------------------------------------------------------
> Posted via Jive Forums
> http://forums.opensymphony.com/thread.jspa?threadID=40884&messageID=81481#81481
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ted Husted <hu...@apache.org>.
On 8/21/06, Ted Husted <hu...@apache.org> wrote:
> > I know that the overriding concern is "security".
Oops, that was Patrick speaking, not Don.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Niall Pemberton <ni...@gmail.com>.
On 8/25/06, Craig McClanahan <cr...@apache.org> wrote:
> On 8/25/06, Frank W. Zammetti <fz...@omnytex.com> wrote:
> >
> > It's interesting that no one says DispatchAction in 1.x is a security
> > flaw... doesn't that give you exactly the same thing just with a
> > different call semantic? I guess we should quick drop Dispatch-type
> > Actions for everyones' safety!! ;) LOL
>
>
> The security concern isn't actually around the action execution methods
> themselves -- as has been pointed out, the whole *purpose* of these methods
> is to be called by mapping from a URL. Instead, it's around other public
> methods (perhaps on non-action classes) that happen to have the same
> parameter signature as your action methods, which enables calls to methods
> that were not intended to be actions. You can indeed shoot yourself in the
> foot in this manner even with DispatchAction if you are not careful,
> although the potential for mischief is somewhat smaller because you can't
> necessarily point at any arbitrary bean ... only the ones your actions are
> mapped to.
>
> I'm quite interested in how this gets resolved, because Shale Remoting has a
> similar sort of vulnerabiilty (you can map to arbitrary methods for invoking
> it's notion of an action), and it gets dinged for this being a security
> vulnerability as well. I'd like to resolve it in a manner that is
> conceptually similar to what Struts does, if feasible.
Looking at it from a slightly different perspective - even if you have
a method/action that you do want to expose theres always a requirement
to permit some users access and deny others. Virtually every part of
out app is protected in this way, asking the question "is the user
permitted to do this?". So rather than blaming the syntax that allows
people to configure/code in a way they prefer (wildcards, dispatch,
POJO methods etc) isn't the issue that security features need to keep
pace with other cool developments in the framework - e.g. along with
wildcard mapping, needs to come wildcard security.
Niall
> Craig
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by "Frank W. Zammetti" <fz...@omnytex.com>.
I believe DWR too has a similar concern, conceptually. They have some
configuration parameters to deal with it. I wonder though if my
suggestion about securing all methods maybe isn't all that wacky?
Step 1... let's say we have a silly XML file like so:
<methodSecurity>
<role name="user1" />
<role name="user2" />
<class name="com.company.app.MyActionClass">
<restrict method="method1">user1,user2</restrict>
<restrict method="method2">user2</restrict>
</class>
</methodSecurity>
So, by default, all methods of all classes are accessible. All hail
backwards-compatibility :)
Step 2... there is a "magic session attribute" named, creatively enough,
UserRole. It is the application developers' responsibility to ensure
this gets set, during some sort of logon procedure, or whenever they
feel it appropriate. It should obviously match one of the <role> entries.
Step 3... For each method the framework attempts to call on an Action of
backing bean, it does a lookup... is the class being used mapped in the
config file? If so, is there a restriction placed on the method being
called? If so, is the user a member of one of the named groups? If so,
the method can execute (think of that <restrict> tag as saying "restrict
this method of this class to the following groups). Any other user
would not be able to execute it. If a method is unmapped, it can be
executed by anyone.
Now, the smart way to develop this of course would be to have a
switchable implementation, because if container-managed security is in
play, you'd want to work with isUserInRole(), and then the developer
doesn't have to do anything except provide the mapping file.
And of course, for the annotation fans out there, it's just a matter of
having the equivalent of those <restruct> tags annotating each method.
I don't perceive any of this as being rocket science, nor do I think
this is an original suggestion really, but I think it would alleviate
the concerns quite nicely. What do you think?
Frank
Craig McClanahan wrote:
> On 8/25/06, Frank W. Zammetti <fz...@omnytex.com> wrote:
>>
>> It's interesting that no one says DispatchAction in 1.x is a security
>> flaw... doesn't that give you exactly the same thing just with a
>> different call semantic? I guess we should quick drop Dispatch-type
>> Actions for everyones' safety!! ;) LOL
>
>
> The security concern isn't actually around the action execution methods
> themselves -- as has been pointed out, the whole *purpose* of these methods
> is to be called by mapping from a URL. Instead, it's around other public
> methods (perhaps on non-action classes) that happen to have the same
> parameter signature as your action methods, which enables calls to methods
> that were not intended to be actions. You can indeed shoot yourself in the
> foot in this manner even with DispatchAction if you are not careful,
> although the potential for mischief is somewhat smaller because you can't
> necessarily point at any arbitrary bean ... only the ones your actions are
> mapped to.
>
> I'm quite interested in how this gets resolved, because Shale Remoting
> has a
> similar sort of vulnerabiilty (you can map to arbitrary methods for
> invoking
> it's notion of an action), and it gets dinged for this being a security
> vulnerability as well. I'd like to resolve it in a manner that is
> conceptually similar to what Struts does, if feasible.
>
> Craig
>
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM/Yahoo: fzammetti
MSN: fzammetti@hotmail.com
Author of "Practical Ajax Projects With Java Technology"
(2006, Apress, ISBN 1-59059-695-1)
Java Web Parts - http://javawebparts.sourceforge.net
Supplying the wheel, so you don't have to reinvent it!
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Craig McClanahan <cr...@apache.org>.
On 8/25/06, Frank W. Zammetti <fz...@omnytex.com> wrote:
>
> It's interesting that no one says DispatchAction in 1.x is a security
> flaw... doesn't that give you exactly the same thing just with a
> different call semantic? I guess we should quick drop Dispatch-type
> Actions for everyones' safety!! ;) LOL
The security concern isn't actually around the action execution methods
themselves -- as has been pointed out, the whole *purpose* of these methods
is to be called by mapping from a URL. Instead, it's around other public
methods (perhaps on non-action classes) that happen to have the same
parameter signature as your action methods, which enables calls to methods
that were not intended to be actions. You can indeed shoot yourself in the
foot in this manner even with DispatchAction if you are not careful,
although the potential for mischief is somewhat smaller because you can't
necessarily point at any arbitrary bean ... only the ones your actions are
mapped to.
I'm quite interested in how this gets resolved, because Shale Remoting has a
similar sort of vulnerabiilty (you can map to arbitrary methods for invoking
it's notion of an action), and it gets dinged for this being a security
vulnerability as well. I'd like to resolve it in a manner that is
conceptually similar to what Struts does, if feasible.
Craig
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by "Frank W. Zammetti" <fz...@omnytex.com>.
Jason Carreira wrote:
>> ...unless you really want to take the security
>> exercise all the way,
>> i.e., secure each and every method via
>> container-managed security using
>> annotations (ideally) to configure what roles/users
>> can access what
>> methods, thereby taking the URI out of the equation
>> entirely... if you
>> aren't in an allowed role, you can't execute the
>> method, regardless of
>> what URI was used to request it.
>>
>> Might not be a bad feature actually, but seems like a
>> bit of overkill to
>> me :)
>>
>
> I do this now, with Acegi and Spring. Not so much on actions, but on the Services they call.
And that's where we tend to do it too, but by using container-managed
security to secure EJB methods instead. The problem I've always had
with it though is that I have to handle that in my Actions, or in the
facade anyway... what if an Action tries to call a method that the user
doesn't have access to? I'd expect to get an exception, which I have to
catch and handle in some graceful way (graceful as far as the user is
concerned). I'm thinking that maybe if this happened before the Action
was invoked, it might be possible to handle it a little more gracefully,
i.e., maybe I can declare some sort of "security exception" page to
redirect to. Obviously you could do this on your own, but it'd be nice
if the framework handled it since this strikes me as a framework-y kinda
thing :)
> Let's not re-invent the wheel.
Yeah, but that's what I *do*! (http://javawebparts.sourceforge.net) ;) LOL
Frank
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM/Yahoo: fzammetti
MSN: fzammetti@hotmail.com
Author of "Practical Ajax Projects With Java Technology"
(2006, Apress, ISBN 1-59059-695-1)
Java Web Parts - http://javawebparts.sourceforge.net
Supplying the wheel, so you don't have to reinvent it!
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Jason Carreira <fo...@opensymphony.com>.
> ...unless you really want to take the security
> exercise all the way,
> i.e., secure each and every method via
> container-managed security using
> annotations (ideally) to configure what roles/users
> can access what
> methods, thereby taking the URI out of the equation
> entirely... if you
> aren't in an allowed role, you can't execute the
> method, regardless of
> what URI was used to request it.
>
> Might not be a bad feature actually, but seems like a
> bit of overkill to
> me :)
>
I do this now, with Acegi and Spring. Not so much on actions, but on the Services they call.
Let's not re-invent the wheel.
RE: This being a security hole or not. I don't even really care if it's a security hole. That's the most minor of problems with this feature. It's all of the special case hacks in the code to accomodate it and the requests for more special case hacks for other parts of the framework that it engenders.
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82529#82529
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by "Frank W. Zammetti" <fz...@omnytex.com>.
It's interesting that no one says DispatchAction in 1.x is a security
flaw... doesn't that give you exactly the same thing just with a
different call semantic? I guess we should quick drop Dispatch-type
Actions for everyones' safety!! ;) LOL
I'm with you Ian... doesn't seem like a security flaw to me... it's just
a nice way to cut down on config file clutter in the end. Public vs.
private does the trick as far as "security" goes I'd say, adding an
annotation to maybe make it more explicit wouldn't hurt...
...unless you really want to take the security exercise all the way,
i.e., secure each and every method via container-managed security using
annotations (ideally) to configure what roles/users can access what
methods, thereby taking the URI out of the equation entirely... if you
aren't in an allowed role, you can't execute the method, regardless of
what URI was used to request it.
Might not be a bad feature actually, but seems like a bit of overkill to
me :)
Frank
Bob Lee wrote:
> On 8/25/06, Ian Roughley <ia...@fdar.com> wrote:
>>
>> I have to say that I still don't really understand why this is a
>> security flaw. I can understand that calling any public method on a
>> class may not be a good thing, but let's face it, actions are *meant* to
>> be called via a URL. If there is a security issue - then it is an
>> application security issue - because the method is NOT doing the
>> required checks to ensure this is a valid request.
>
>
> Good point. Why require an annotation when you can just not make your
> method
> public? If we're afraid users won't know about this feature and will
> accidentally leave methods public, more prominently document the feature.
>
> Bob
>
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM/Yahoo: fzammetti
MSN: fzammetti@hotmail.com
Author of "Practical Ajax Projects With Java Technology"
(2006, Apress, ISBN 1-59059-695-1)
Java Web Parts - http://javawebparts.sourceforge.net
Supplying the wheel, so you don't have to reinvent it!
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Bob Lee <cr...@crazybob.org>.
On 8/25/06, Ian Roughley <ia...@fdar.com> wrote:
>
> I have to say that I still don't really understand why this is a
> security flaw. I can understand that calling any public method on a
> class may not be a good thing, but let's face it, actions are *meant* to
> be called via a URL. If there is a security issue - then it is an
> application security issue - because the method is NOT doing the
> required checks to ensure this is a valid request.
Good point. Why require an annotation when you can just not make your method
public? If we're afraid users won't know about this feature and will
accidentally leave methods public, more prominently document the feature.
Bob
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ted Husted <hu...@apache.org>.
On 8/25/06, Ian Roughley <ia...@fdar.com> wrote:
> I've also used the ! notation extensively, and am disappointed that it
> is being removed.
No one ever suggested that it be removed. It's been suggested that we
try to replicate the same functionality with wildcards. I tried it
myself in an example, and it seemed to work just fine.
> One thing that I have not seen any mention of yet is conflicting
> mappings - what happens? Which has the priority? What happens if larger
> application want one to take preference in one circumstance, and a
> different one under another scenario? I would argue that a sufficiently
> large application has not been converted to ensure these issues would
> not arise.
Which is why we added the switch. So people could try things
alternatives and see how well they worked.
-Ted.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ian Roughley <ia...@fdar.com>.
I've also used the ! notation extensively, and am disappointed that it
is being removed. I find that the 1-1 mapping from the URL to the
method on an action is simple to follow and easy to understand.
One thing that I have not seen any mention of yet is conflicting
mappings - what happens? Which has the priority? What happens if larger
application want one to take preference in one circumstance, and a
different one under another scenario? I would argue that a sufficiently
large application has not been converted to ensure these issues would
not arise.
> As it stands in this moment in time, we have a switch around the !
> idiom, because it is a security flaw that people need to understand
> before enabling, and that's all.
I have to say that I still don't really understand why this is a
security flaw. I can understand that calling any public method on a
class may not be a good thing, but let's face it, actions are *meant* to
be called via a URL. If there is a security issue - then it is an
application security issue - because the method is NOT doing the
required checks to ensure this is a valid request.
On more of an implementation / existing knowledge approach - if this is
a Stuts to Struts2 conversions, then there will only be one method, the
execute() method. If this is a WebWork to Strut2 conversion then the
developers should be aware that this feature is available.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ted Husted <hu...@apache.org>.
On 8/24/06, Jason Carreira <fo...@opensymphony.com> wrote:
> Not YET... that's what the conversation was about as I read it... when, not if.
Hmmm, could be if. At this point, no one is sure, because no one has
tried very hard to do the same thing (better) without the ! syntax.
Doing it with mappings and flexing the stack is good, but it's hard to
say it's actually better.
If we can find an alternative, we can, if we can't. Patrick has a
veto, like everyone else on the PMC, and so long as there's a
technical justification for leaving it in (and right now there is),
then the veto would be valid, and what the rest of us think wouldn't
matter.
As it stands in this moment in time, we have a switch around the !
idiom, because it is a security flaw that people need to understand
before enabling, and that's all. The only mention of deprecation was
an aside in the release notes, which I removed ealier in the week.
-Ted.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Bob Lee <cr...@crazybob.org>.
We use the "!" syntax, and I'd really like something more secure to replace
it (store valid methods in the session, signed URLs, something), but I'm OK
with defaulting the flag to "off."
Bob
On 8/24/06, Jason Carreira <fo...@opensymphony.com> wrote:
>
> >
> > First off: we're *not* deprecating and removing the !
> > notation at this point. That is what this discussion
> > is entirely about.
>
> Not YET... that's what the conversation was about as I read it... when,
> not if.
>
> >
> > Why not disable getters and setters by default too
> > and require people pull out the request parameters by
> > hand until they switch the security flag? Obviously
> > because it makes no sense. It is core to working with
> > actions. And I'm here to argue fervidly that the
> > pattern of URLs like "create!input" is way too common
> > in my applications to just turn off by default
> > without some longer discussion. My goal is to make
> > sure that the leaders of Struts have their styles of
> > web development represented in a common set of
> > defaults - it would be a big mistake for Struts and a
> > big loss to the community if I went off with my own
> > ActionMapper and never looked back.
> >
>
> Turning off property setting is a spurious argument. It's the most common
> thing people want to do. The "!" notation was always an advanced feature
> (hack). For my style of development, the flag will be turned off to make
> sure no-one's trying to use it.
>
> > I've put forward alternatives, such as a convention
> > (doXxx) or annotation (@ActionMethod) to indicate
> > that methods can be called. But I'm currently very
> > far from convinced that turning off that switch by
> > default is a good idea at all. I'd like for Ted to
> > respond to my proposed alternatives.
>
> So if you know the setting is there and you can turn it on, even if it's
> off by default, then where's the harm? We're just saying that for the new
> user, who isn't familiar with the "!" notation, they don't get surprised
> when someone can hit any method on their action using the "!" notation.
> ---------------------------------------------------------------------
> Posted via Jive Forums
>
> http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82264#82264
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Zhengmao Hou <zh...@hotmail.com>.
Hi, guys, would you please move me out of the group? I tried to email to
dev-unsubscribe@struts.apache.org, but it doesn't work.
Please and Thanks.
>From: Jason Carreira <fo...@opensymphony.com>
>Reply-To: dev@struts.apache.org
>To: dev@struts.apache.org
>Subject: Re: [s2] Action ! Method syntax (was Freemarker transform name)
>Date: Fri, 25 Aug 2006 14:04:37 CDT
>
> >
> > My understanding was that wildcards was much more
> > about reducing configuration and introducing
> > conventions rather than addressing any perceived
> > issues about multiple entry points on the action.
> >
>
>You say "multiple entry points on the action" like you can't have that
>without the "!" notation. I map lots of action configs to one action class
>without this. On the wildcard front, the sign of a good tool is one that
>can be used for multiple purposes ;-)
>
> > Yes, this is a best practice. And many people use and
> > depend on being able to invoke those methods from URL
> > constructs (either in the form of ! or with a
> > parameter name such as "method:cancel", which
> > addresses cancel buttons on forms).
> >
>
>Ok, so let's separate those and see if there's solutions to each.
>
> >
> > No, we cannot. The major problem that comes to mind
> > is the cancel button.
> >
>
>Ok, so if we came up with a different solution to that one, would it be
>acceptable?
>
>
>It sounds like more people than I thought use the "!" notation. I
>personally hate it, but if we want to leave it on by default that's fine...
>as long as I can turn it off (finally).
>---------------------------------------------------------------------
>Posted via Jive Forums
>http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82486#82486
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>For additional commands, e-mail: dev-help@struts.apache.org
>
_________________________________________________________________
Check the weather nationwide with MSN Search: Try it now!
http://search.msn.com/results.aspx?q=weather&FORM=WLMTAG
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Jason Carreira <fo...@opensymphony.com>.
>
> My understanding was that wildcards was much more
> about reducing configuration and introducing
> conventions rather than addressing any perceived
> issues about multiple entry points on the action.
>
You say "multiple entry points on the action" like you can't have that without the "!" notation. I map lots of action configs to one action class without this. On the wildcard front, the sign of a good tool is one that can be used for multiple purposes ;-)
> Yes, this is a best practice. And many people use and
> depend on being able to invoke those methods from URL
> constructs (either in the form of ! or with a
> parameter name such as "method:cancel", which
> addresses cancel buttons on forms).
>
Ok, so let's separate those and see if there's solutions to each.
>
> No, we cannot. The major problem that comes to mind
> is the cancel button.
>
Ok, so if we came up with a different solution to that one, would it be acceptable?
It sounds like more people than I thought use the "!" notation. I personally hate it, but if we want to leave it on by default that's fine... as long as I can turn it off (finally).
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82486#82486
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Patrick Lightbody <fo...@opensymphony.com>.
> Just to step back a moment, let's be clear that the
> original
> suggestion, which stemmed from the "Rough Spots"
> discussion, was that
> we experiment with using wildcards to provide the
> same functionality
> as the "!" syntax. If that experiment provided
> fruitful, we would
> then, only only then, remove the hardwired "!" in
> favor of a wildcard
> solution, that mimicked the same functionality, so
> that existing pages
> did not need to change.
My understanding was that wildcards was much more about reducing configuration and introducing conventions rather than addressing any perceived issues about multiple entry points on the action.
> My own initial trial was successful. I was able to
> substitute a
> wildcard for the "!" in a prior revision of the
> MailReader
> application, without changing the server pages. (One
> exception was a
> form that didn't specify an action, but I expect few
> people do that
> now.) Hopefully, others will make the same trial with
> their own
> applications.
>
> If we can use wildcards instead of the "!", then we
> can take out
> excepton code, and focus on stabalizing the code for
> wildcards
> generally, instead of "!" specifically.
>
> Right now, the switch serves two clear purposes. One
> it closes a
> security gap, or at least makes the gap optional.
> Two, it makes it
> possible for people to experiment with using
> wildcards in lieu of the
> bang construct.
>
> Now, along the way, in another discussion, I asked if
> using multiple
> methods was really a best practice, and the general
> answer was that
> alternate methods were considered an elegant and
> pragmatic practice,
> and clearly the best practice that anyone has
> defined. But that was a
> separate discussion.
Yes, this is a best practice. And many people use and depend on being able to invoke those methods from URL constructs (either in the form of ! or with a parameter name such as "method:cancel", which addresses cancel buttons on forms).
> As it stands, I think we are at the point where
> people need to put
> what we already have to the test. Can we use the
> simple, general
> purpose wildcards *we already have* to mimick the "!"
> functionality?
> If not, why not? And, can you show us what we can't
> do in a working
> example?
No, we cannot. The major problem that comes to mind is the cancel button.
> There is no reason for alarm or discord. The only
> thing that has a
> changed is a one-line setting in a properties file.
> Meanwhile, having
> the setting is closing a backdoor that some people
> might overlook, and
> it is helping us identify where the special-case code
> is now, so if we
> are able to *replace* the functionality with
> general-puroose code, we
> will know where to make the changes.
>
> -Ted.
>
> ------------------------------------------------------
> ---------------
> To unsubscribe, e-mail:
> dev-unsubscribe@struts.apache.org
> For additional commands, e-mail:
> dev-help@struts.apache.org
>
>
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82480#82480
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ted Husted <hu...@apache.org>.
On 8/25/06, Jason Carreira <fo...@opensymphony.com> wrote:
> >
> > Following up to myself: I want to also make it clear
> > that I'm not opposed to changing my way of doing
> > things, but so far I haven't seen anything that seems
> > any better than what I'm doing now. I'm happy to
> > explain more about how the ! syntax is used with all
> > my forms, so that alternative approaches can be
> > proposed to me.
>
> Well, how about a proposal for something that does what you want but meets people's
> security concerns?
Just to step back a moment, let's be clear that the original
suggestion, which stemmed from the "Rough Spots" discussion, was that
we experiment with using wildcards to provide the same functionality
as the "!" syntax. If that experiment provided fruitful, we would
then, only only then, remove the hardwired "!" in favor of a wildcard
solution, that mimicked the same functionality, so that existing pages
did not need to change.
My own initial trial was successful. I was able to substitute a
wildcard for the "!" in a prior revision of the MailReader
application, without changing the server pages. (One exception was a
form that didn't specify an action, but I expect few people do that
now.) Hopefully, others will make the same trial with their own
applications.
If we can use wildcards instead of the "!", then we can take out
excepton code, and focus on stabalizing the code for wildcards
generally, instead of "!" specifically.
Right now, the switch serves two clear purposes. One it closes a
security gap, or at least makes the gap optional. Two, it makes it
possible for people to experiment with using wildcards in lieu of the
bang construct.
Now, along the way, in another discussion, I asked if using multiple
methods was really a best practice, and the general answer was that
alternate methods were considered an elegant and pragmatic practice,
and clearly the best practice that anyone has defined. But that was a
separate discussion.
As it stands, I think we are at the point where people need to put
what we already have to the test. Can we use the simple, general
purpose wildcards *we already have* to mimick the "!" functionality?
If not, why not? And, can you show us what we can't do in a working
example?
There is no reason for alarm or discord. The only thing that has a
changed is a one-line setting in a properties file. Meanwhile, having
the setting is closing a backdoor that some people might overlook, and
it is helping us identify where the special-case code is now, so if we
are able to *replace* the functionality with general-puroose code, we
will know where to make the changes.
-Ted.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ted Husted <hu...@apache.org>.
On 8/25/06, Nick Hill <fo...@opensymphony.com> wrote:
> As a heavy user of webwork, I must say that I have to agree with Patrick in this case. Our
> xml config file is already enormous and having to duplicate definitions for different
>methods of the same action would be a real mess. I don't really care
about what is set as
>the "default", but I would really hate to see the ! syntax go away.
No one is disagreeing with Patrick or saying that the ! syntax should go away.
The most anyone has ever said is that we should try and replace the
buggy special-case "!" code with a generalized wildcard feature.
I've tried doing this myself in an example
-Ted.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Bob Lee <cr...@crazybob.org>.
Also, in regard to security, we can require that methods invoked with the !
convention have a @Public annotation or something. Method explicitly listed
in the struts.xml won't need this annotation.
Wildcards will make it harder to differentiate these two cases. You could
argue that you don't need the annotation at all because the effect is
localized to one action, but I'm not sure that makes me feel any better.
The other problem with wildcards is now I have this pattern repeated
throughout my configuration (possibly inconsistently) instead of provided as
a first class feature.
I personally want my configuration and URL pattern decoupled as much as
possible. For example, I don't want to see ".action" in my redirect results
and form actions.
Bob
On 8/25/06, Nick Hill <fo...@opensymphony.com> wrote:
>
> I am one of the engineers at Jive Software (the company that provides
> these forums for opensymphony) and we use the ! method syntax all over the
> place. As an example, when you are replying to this post, note the
> post!reply.jspa url.
>
> As a heavy user of webwork, I must say that I have to agree with Patrick
> in this case. Our xml config file is already enormous and having to
> duplicate definitions for different methods of the same action would be a
> real mess. I don't really care about what is set as the "default", but I
> would really hate to see the ! syntax go away.
>
> Nick
> ---------------------------------------------------------------------
> Posted via Jive Forums
>
> http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82476#82476
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Nick Hill <fo...@opensymphony.com>.
I am one of the engineers at Jive Software (the company that provides these forums for opensymphony) and we use the ! method syntax all over the place. As an example, when you are replying to this post, note the post!reply.jspa url.
As a heavy user of webwork, I must say that I have to agree with Patrick in this case. Our xml config file is already enormous and having to duplicate definitions for different methods of the same action would be a real mess. I don't really care about what is set as the "default", but I would really hate to see the ! syntax go away.
Nick
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82476#82476
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Patrick Lightbody <fo...@opensymphony.com>.
> I'm not 100% sure how that one works... does it
> depend on "!" somehow? I've been stuck on an older
> release of WebWork for a while...
foo!bar.action is the same thing as foo.action?method:bar=whatever
It is defined in DefaultActionMapper.
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82487#82487
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Jason Carreira <fo...@opensymphony.com>.
>
> Christ - I have proposed things, many times. Why are
> the words "annotations" and "convention" being
> ignored by everyone. Let's try one more time.
>
> 1) Convention-based protection: only allow methods of
> the form "String doXxx()" to be called via the
> request.
> 2) Annotation-based protection: only allow methods
> that are annotated with @Public to be called via the
> request.
>
> I'm implementing #2 right now.
>
And I'm all for those (or similar ideas). I think everyone is for those, or at least one or the other. The problem is for the current release. The one where people don't want to wait for those new features. The "!" syntax is still in that one, and the question is whether it should be on or off by default. I say off.
>
> While I added much of it, parts were added by others.
> For example, the support for <ww:submit
> method="cancel"/> was added by Bob Lee. This is a
> great way to allow for cancel buttons without having
> to use javascript to change the form target. This
> would be impossible to do if multiple entry points
> per action were turned off.
I'm not 100% sure how that one works... does it depend on "!" somehow? I've been stuck on an older release of WebWork for a while...
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82484#82484
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Patrick Lightbody <fo...@opensymphony.com>.
> Following up to myself: I want to also make it
> clear
> > that I'm not opposed to changing my way of doing
> > things, but so far I haven't seen anything that
> seems
> > any better than what I'm doing now. I'm happy to
> > explain more about how the ! syntax is used with
> all
> > my forms, so that alternative approaches can be
> > proposed to me.
>
> Well, how about a proposal for something that does
> what you want but meets people's security concerns?
Christ - I have proposed things, many times. Why are the words "annotations" and "convention" being ignored by everyone. Let's try one more time.
1) Convention-based protection: only allow methods of the form "String doXxx()" to be called via the request.
2) Annotation-based protection: only allow methods that are annotated with @Public to be called via the request.
I'm implementing #2 right now.
> >
> > However, the introduction of doInput() in
> > ActionSupport, the fact that the
> > DefaultWorkflowInterceptor and
> ValidationInterceptors
> > are configured to ingore the "input" method in
> > webwork-default.xml, and the pattern being used
> all
> > over the place in the Showcase should be enough
> > evidence that this pattern has been one that has
> been
> > quietly pushed forward for a long time to WebWork
> > users. So it's not just that I personally use this
> > style - the framework itself has been designed to
> > accommodate this style. If we're going to remove
> !,
> > we need to be ready to also change other parts of
> the
> > framework to recommend the new approach.
>
> Umm... but didn't you add a lot of that? And the
> Showcase just copied what it found already. That's
> not proving it's a good way of doing things. There
> are lots of places in the code where changes have
> been made to accomodate the "!" notation, usually to
> the detriment of the codebase and leading to
> unexpected bugs later.
While I added much of it, parts were added by others. For example, the support for <ww:submit method="cancel"/> was added by Bob Lee. This is a great way to allow for cancel buttons without having to use javascript to change the form target. This would be impossible to do if multiple entry points per action were turned off.
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82479#82479
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Jason Carreira <fo...@opensymphony.com>.
>
> Following up to myself: I want to also make it clear
> that I'm not opposed to changing my way of doing
> things, but so far I haven't seen anything that seems
> any better than what I'm doing now. I'm happy to
> explain more about how the ! syntax is used with all
> my forms, so that alternative approaches can be
> proposed to me.
Well, how about a proposal for something that does what you want but meets people's security concerns?
>
> However, the introduction of doInput() in
> ActionSupport, the fact that the
> DefaultWorkflowInterceptor and ValidationInterceptors
> are configured to ingore the "input" method in
> webwork-default.xml, and the pattern being used all
> over the place in the Showcase should be enough
> evidence that this pattern has been one that has been
> quietly pushed forward for a long time to WebWork
> users. So it's not just that I personally use this
> style - the framework itself has been designed to
> accommodate this style. If we're going to remove !,
> we need to be ready to also change other parts of the
> framework to recommend the new approach.
Umm... but didn't you add a lot of that? And the Showcase just copied what it found already. That's not proving it's a good way of doing things. There are lots of places in the code where changes have been made to accomodate the "!" notation, usually to the detriment of the codebase and leading to unexpected bugs later.
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82430#82430
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Patrick Lightbody <fo...@opensymphony.com>.
> I need everyone to understand this: the goal should
> be for us (the project leaders) to agree on a style
> of development using Struts that we can all feel
> comfortable recommending as the default starting
> point. For example, I think the default starting
> point should be on that encourages limited
> interceptor stacks (relying on stack logic
> flags/conventions instead). I also think that ! is a
> very common technique and want to encourage it, or
> something like it.
Following up to myself: I want to also make it clear that I'm not opposed to changing my way of doing things, but so far I haven't seen anything that seems any better than what I'm doing now. I'm happy to explain more about how the ! syntax is used with all my forms, so that alternative approaches can be proposed to me.
However, the introduction of doInput() in ActionSupport, the fact that the DefaultWorkflowInterceptor and ValidationInterceptors are configured to ingore the "input" method in webwork-default.xml, and the pattern being used all over the place in the Showcase should be enough evidence that this pattern has been one that has been quietly pushed forward for a long time to WebWork users. So it's not just that I personally use this style - the framework itself has been designed to accommodate this style. If we're going to remove !, we need to be ready to also change other parts of the framework to recommend the new approach.
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82287#82287
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Patrick Lightbody <fo...@opensymphony.com>.
> > First off: we're *not* deprecating and removing the
> !
> > notation at this point. That is what this
> discussion
> > is entirely about.
>
> Not YET... that's what the conversation was about as
> I read it... when, not if.
It's not a "when" to me - it's an "if" and a "why" type of discussion. I really should just go and revert the previous changes that turned it off by default, since they were done without any consent on my end.
> > Why not disable getters and setters by default too
> > and require people pull out the request parameters
> by
> > hand until they switch the security flag?
> Obviously
> > because it makes no sense. It is core to working
> with
> > actions. And I'm here to argue fervidly that the
> > pattern of URLs like "create!input" is way too
> common
> > in my applications to just turn off by default
> > without some longer discussion. My goal is to make
> > sure that the leaders of Struts have their styles
> of
> > web development represented in a common set of
> > defaults - it would be a big mistake for Struts and
> a
> > big loss to the community if I went off with my
> own
> > ActionMapper and never looked back.
> >
>
> Turning off property setting is a spurious argument.
> It's the most common thing people want to do. The "!"
> notation was always an advanced feature (hack). For
> my style of development, the flag will be turned off
> to make sure no-one's trying to use it.
And I'm saying that it's not a hack nor an advanced thing. I literally use it for _every_ form. It's a very common thing, which leads me to...
> > I've put forward alternatives, such as a
> convention
> > (doXxx) or annotation (@ActionMethod) to indicate
> > that methods can be called. But I'm currently very
> > far from convinced that turning off that switch by
> > default is a good idea at all. I'd like for Ted to
> > respond to my proposed alternatives.
>
> So if you know the setting is there and you can turn
> it on, even if it's off by default, then where's the
> harm? We're just saying that for the new user, who
> isn't familiar with the "!" notation, they don't get
> surprised when someone can hit any method on their
> action using the "!" notation.
You're missing my entire point, so I'll repeat it again:
> My goal is to make
> sure that the leaders of Struts have their styles of
> web development represented in a common set of
> defaults - it would be a big mistake for Struts and a
> big loss to the community if I went off with my own
> ActionMapper and never looked back.
I need everyone to understand this: the goal should be for us (the project leaders) to agree on a style of development using Struts that we can all feel comfortable recommending as the default starting point. For example, I think the default starting point should be on that encourages limited interceptor stacks (relying on stack logic flags/conventions instead). I also think that ! is a very common technique and want to encourage it, or something like it.
IMPORTANT: If we can't agree on a default starting point for all users, there is absolutely no way we'll have even close to the success of something like Rails (which is clearly the goal of the original Struts Ti proposal).
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82285#82285
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Jason Carreira <fo...@opensymphony.com>.
>
> First off: we're *not* deprecating and removing the !
> notation at this point. That is what this discussion
> is entirely about.
Not YET... that's what the conversation was about as I read it... when, not if.
>
> Why not disable getters and setters by default too
> and require people pull out the request parameters by
> hand until they switch the security flag? Obviously
> because it makes no sense. It is core to working with
> actions. And I'm here to argue fervidly that the
> pattern of URLs like "create!input" is way too common
> in my applications to just turn off by default
> without some longer discussion. My goal is to make
> sure that the leaders of Struts have their styles of
> web development represented in a common set of
> defaults - it would be a big mistake for Struts and a
> big loss to the community if I went off with my own
> ActionMapper and never looked back.
>
Turning off property setting is a spurious argument. It's the most common thing people want to do. The "!" notation was always an advanced feature (hack). For my style of development, the flag will be turned off to make sure no-one's trying to use it.
> I've put forward alternatives, such as a convention
> (doXxx) or annotation (@ActionMethod) to indicate
> that methods can be called. But I'm currently very
> far from convinced that turning off that switch by
> default is a good idea at all. I'd like for Ted to
> respond to my proposed alternatives.
So if you know the setting is there and you can turn it on, even if it's off by default, then where's the harm? We're just saying that for the new user, who isn't familiar with the "!" notation, they don't get surprised when someone can hit any method on their action using the "!" notation.
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82264#82264
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Patrick Lightbody <fo...@opensymphony.com>.
> > I guess why I don't like this mentality is that we
> > have these kinds of security holes all over the
> > place. If you expose getters or setters that are
> > unsafe in your action or _any_ of your model
> objects,
> > you can get that problem. The fact is that with
> > dynamic reflection that is controlled by URL
> > requests/params, you should consider anything
> > remotely close to the Action or its object graph
> to
> > be considered unsafe until you've explicitly added
> > your own security layer.
> >
> > To simply add this switch and give the impression
> > that it is now safe would be very misleading.
> >
>
> While I see your point that this one flag won't make
> everything 100% secure, at least with getters and
> setters, you know that's what they're designed to do.
> You can also control the setting of properties from
> the request params via the interceptor stack,
> including filtering out params you don't want set.
> You can't (currently) control the "!" notation and
> what methods it can call.
>
> I'd say we need to group a bunch of security-related
> settings in the config and let people choose, but I'd
> agree with Ted that the more secure option should be
> the default, especially if we're talking about
> deprecating and removing the "!" notation in the
> future.
First off: we're *not* deprecating and removing the ! notation at this point. That is what this discussion is entirely about.
Why not disable getters and setters by default too and require people pull out the request parameters by hand until they switch the security flag? Obviously because it makes no sense. It is core to working with actions. And I'm here to argue fervidly that the pattern of URLs like "create!input" is way too common in my applications to just turn off by default without some longer discussion. My goal is to make sure that the leaders of Struts have their styles of web development represented in a common set of defaults - it would be a big mistake for Struts and a big loss to the community if I went off with my own ActionMapper and never looked back.
I've put forward alternatives, such as a convention (doXxx) or annotation (@ActionMethod) to indicate that methods can be called. But I'm currently very far from convinced that turning off that switch by default is a good idea at all. I'd like for Ted to respond to my proposed alternatives.
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82257#82257
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Jason Carreira <fo...@opensymphony.com>.
> I guess why I don't like this mentality is that we
> have these kinds of security holes all over the
> place. If you expose getters or setters that are
> unsafe in your action or _any_ of your model objects,
> you can get that problem. The fact is that with
> dynamic reflection that is controlled by URL
> requests/params, you should consider anything
> remotely close to the Action or its object graph to
> be considered unsafe until you've explicitly added
> your own security layer.
>
> To simply add this switch and give the impression
> that it is now safe would be very misleading.
>
While I see your point that this one flag won't make everything 100% secure, at least with getters and setters, you know that's what they're designed to do. You can also control the setting of properties from the request params via the interceptor stack, including filtering out params you don't want set. You can't (currently) control the "!" notation and what methods it can call.
I'd say we need to group a bunch of security-related settings in the config and let people choose, but I'd agree with Ted that the more secure option should be the default, especially if we're talking about deprecating and removing the "!" notation in the future.
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82233#82233
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Patrick Lightbody <fo...@opensymphony.com>.
I guess why I don't like this mentality is that we have these kinds of security holes all over the place. If you expose getters or setters that are unsafe in your action or _any_ of your model objects, you can get that problem. The fact is that with dynamic reflection that is controlled by URL requests/params, you should consider anything remotely close to the Action or its object graph to be considered unsafe until you've explicitly added your own security layer.
To simply add this switch and give the impression that it is now safe would be very misleading.
> On 8/21/06, Patrick Lightbody
> <fo...@opensymphony.com> wrote:
> > OK, that all sounds good. My only request would be
> then: can we un-deprecate the !
> >syntax and keep it on (by default), while still
> giving the option to
> turn it off and perhaps set
> > up a "Security conscience" page on the wiki that
> catalogs all these switches?
>
> I'd rather not get into the habit of treating
> security as an option
> that people can enable as an afterthought :)
>
> I'm fine with tabling the notion of deprecation for
> now, but people
> who want to use this syntax should have to make that
> choice by adding
> the "" switch to the struts.properties file.
>
> The key reason it is a security issue is because
> people don' t think
> about the consequences of a client being able to call
> any no-argument
> public method on any object that is serving as an
> Action, including
> all the super classes of that object. Since Actions
> can be POJOs now,
> it's very important that we lock these issues down,
> and open up the
> functionality only when someone makes that choice.
>
> Since teams migrating from WebWork will have to make
> other changes,
> this is the ideal time to introduce the switch, so
> that it just one
> other thing to do.
>
> -Ted.
>
>
>
> >
> > > On 8/21/06, Patrick Lightbody
> > > <fo...@opensymphony.com> wrote:
> > > > Sure, I agree with all of that. And I've said
> I'm
> > > opening to nailing this down more with
> > > > conventions and/or annotations. I'm even open
> to a
> > > switch to turn it off.
> > >
> > > Which is where we are, right now, today.
> > >
> > >
> > > >So let's dig deep and get to a consensus on what
> we
> > > think the "right"
> > > way to recommend
> > > >working with Struts is.
> > >
> > > I'm all for that (or at least the right ways),
> and I
> > > think we all
> > > would agree that the switch isn't going to be
> removed
> > > unless we are
> > > all happy with whatever alternatives we find.
> > >
> > > As PMC members, we each have the unilateral right
> to
> > > veto a change to
> > > the codebase on technical grounds. If
> alternatives
> > > can't accomplish
> > > what the bang can accomplish, without bloating or
> > > obfuscating the
> > > configuration, then I think everyone would agree
> that
> > > would be a
> > > technical ground. (Or at least one of us would:
> if
> > > the technical
> > > ground isn't obvious, all you need is a second.)
> > >
> > > In my own mind, I never thought we'd remove the
> > > switch before "phase
> > > 2", when there might be other breaks in backward
> > > compatiblity.
> > >
> > > Right now, the last thing I want to do is
> > > disenfranchise the WebWork
> > > community, because I want guys like Rainer over
> here
> > > helping me push
> > > out Struts 2.0.x releases. :)
> > >
> > > -Ted.
> > >
> > >
> ------------------------------------------------------
> > > ---------------
> > > To unsubscribe, e-mail:
> > > dev-unsubscribe@struts.apache.org
> > > For additional commands, e-mail:
> > > dev-help@struts.apache.org
> > >
> > >
> >
> ------------------------------------------------------
> ---------------
> > Posted via Jive Forums
> >
> http://forums.opensymphony.com/thread.jspa?threadID=40
> 932&messageID=81550#81550
> >
> >
> >
> ------------------------------------------------------
> ---------------
> > To unsubscribe, e-mail:
> dev-unsubscribe@struts.apache.org
> > For additional commands, e-mail:
> dev-help@struts.apache.org
> >
> >
>
>
> --
> HTH, Ted.
> * http://www.husted.com/struts/
>
> ------------------------------------------------------
> ---------------
> To unsubscribe, e-mail:
> dev-unsubscribe@struts.apache.org
> For additional commands, e-mail:
> dev-help@struts.apache.org
>
>
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=81572#81572
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ted Husted <hu...@apache.org>.
On 8/21/06, Patrick Lightbody <fo...@opensymphony.com> wrote:
> OK, that all sounds good. My only request would be then: can we un-deprecate the !
>syntax and keep it on (by default), while still giving the option to
turn it off and perhaps set
> up a "Security conscience" page on the wiki that catalogs all these switches?
I'd rather not get into the habit of treating security as an option
that people can enable as an afterthought :)
I'm fine with tabling the notion of deprecation for now, but people
who want to use this syntax should have to make that choice by adding
the "" switch to the struts.properties file.
The key reason it is a security issue is because people don' t think
about the consequences of a client being able to call any no-argument
public method on any object that is serving as an Action, including
all the super classes of that object. Since Actions can be POJOs now,
it's very important that we lock these issues down, and open up the
functionality only when someone makes that choice.
Since teams migrating from WebWork will have to make other changes,
this is the ideal time to introduce the switch, so that it just one
other thing to do.
-Ted.
>
> > On 8/21/06, Patrick Lightbody
> > <fo...@opensymphony.com> wrote:
> > > Sure, I agree with all of that. And I've said I'm
> > opening to nailing this down more with
> > > conventions and/or annotations. I'm even open to a
> > switch to turn it off.
> >
> > Which is where we are, right now, today.
> >
> >
> > >So let's dig deep and get to a consensus on what we
> > think the "right"
> > way to recommend
> > >working with Struts is.
> >
> > I'm all for that (or at least the right ways), and I
> > think we all
> > would agree that the switch isn't going to be removed
> > unless we are
> > all happy with whatever alternatives we find.
> >
> > As PMC members, we each have the unilateral right to
> > veto a change to
> > the codebase on technical grounds. If alternatives
> > can't accomplish
> > what the bang can accomplish, without bloating or
> > obfuscating the
> > configuration, then I think everyone would agree that
> > would be a
> > technical ground. (Or at least one of us would: if
> > the technical
> > ground isn't obvious, all you need is a second.)
> >
> > In my own mind, I never thought we'd remove the
> > switch before "phase
> > 2", when there might be other breaks in backward
> > compatiblity.
> >
> > Right now, the last thing I want to do is
> > disenfranchise the WebWork
> > community, because I want guys like Rainer over here
> > helping me push
> > out Struts 2.0.x releases. :)
> >
> > -Ted.
> >
> > ------------------------------------------------------
> > ---------------
> > To unsubscribe, e-mail:
> > dev-unsubscribe@struts.apache.org
> > For additional commands, e-mail:
> > dev-help@struts.apache.org
> >
> >
> ---------------------------------------------------------------------
> Posted via Jive Forums
> http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=81550#81550
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>
>
--
HTH, Ted.
* http://www.husted.com/struts/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Patrick Lightbody <fo...@opensymphony.com>.
OK, that all sounds good. My only request would be then: can we un-deprecate the ! syntax and keep it on (by default), while still giving the option to turn it off and perhaps set up a "Security conscience" page on the wiki that catalogs all these switches?
> On 8/21/06, Patrick Lightbody
> <fo...@opensymphony.com> wrote:
> > Sure, I agree with all of that. And I've said I'm
> opening to nailing this down more with
> > conventions and/or annotations. I'm even open to a
> switch to turn it off.
>
> Which is where we are, right now, today.
>
>
> >So let's dig deep and get to a consensus on what we
> think the "right"
> way to recommend
> >working with Struts is.
>
> I'm all for that (or at least the right ways), and I
> think we all
> would agree that the switch isn't going to be removed
> unless we are
> all happy with whatever alternatives we find.
>
> As PMC members, we each have the unilateral right to
> veto a change to
> the codebase on technical grounds. If alternatives
> can't accomplish
> what the bang can accomplish, without bloating or
> obfuscating the
> configuration, then I think everyone would agree that
> would be a
> technical ground. (Or at least one of us would: if
> the technical
> ground isn't obvious, all you need is a second.)
>
> In my own mind, I never thought we'd remove the
> switch before "phase
> 2", when there might be other breaks in backward
> compatiblity.
>
> Right now, the last thing I want to do is
> disenfranchise the WebWork
> community, because I want guys like Rainer over here
> helping me push
> out Struts 2.0.x releases. :)
>
> -Ted.
>
> ------------------------------------------------------
> ---------------
> To unsubscribe, e-mail:
> dev-unsubscribe@struts.apache.org
> For additional commands, e-mail:
> dev-help@struts.apache.org
>
>
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=81550#81550
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ted Husted <hu...@apache.org>.
On 8/21/06, Patrick Lightbody <fo...@opensymphony.com> wrote:
> Sure, I agree with all of that. And I've said I'm opening to nailing this down more with
> conventions and/or annotations. I'm even open to a switch to turn it off.
Which is where we are, right now, today.
>So let's dig deep and get to a consensus on what we think the "right"
way to recommend
>working with Struts is.
I'm all for that (or at least the right ways), and I think we all
would agree that the switch isn't going to be removed unless we are
all happy with whatever alternatives we find.
As PMC members, we each have the unilateral right to veto a change to
the codebase on technical grounds. If alternatives can't accomplish
what the bang can accomplish, without bloating or obfuscating the
configuration, then I think everyone would agree that would be a
technical ground. (Or at least one of us would: if the technical
ground isn't obvious, all you need is a second.)
In my own mind, I never thought we'd remove the switch before "phase
2", when there might be other breaks in backward compatiblity.
Right now, the last thing I want to do is disenfranchise the WebWork
community, because I want guys like Rainer over here helping me push
out Struts 2.0.x releases. :)
-Ted.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Patrick Lightbody <fo...@opensymphony.com>.
Sure, I agree with all of that. And I've said I'm opening to nailing this down more with conventions and/or annotations. I'm even open to a switch to turn it off.
What I'm not open to is just removing/deprecating it entirely without addressing the fact that it is _widely_ used in a ton of applications and, at least in my case, I continue to use it as I find it very useful and not a security risk one bit. Removing it would really cause issues for me, so I want us to explore other ways to address the security aspect besides just taking it out by default.
The reason this is so important to me is that we, the Struts development team, need to, as responsible leaders for the Struts community, do our best to all try to recommend the same style of web development to the users. If I'm off using ! syntax and the ActionMapper from Able, and Jason has a technique that involves 4 or 5 interceptor stacks, and Don is using a single stack but 100% wildcards, we're sending a bad message to the community. So let's dig deep and get to a consensus on what we think the "right" way to recommend working with Struts is.
> On 8/21/06, Don Brown <do...@gmail.com> wrote:
> > I know that the overriding concern is "security".
>
> Here's the thing. Regardless of what we think, there
> are independant
> security organizations that review security issues
> for high profile
> frameworks. If we don't control the bang with a
> switch that defaults
> to off, we are liable to get pinged for this. Struts
> 1 was pinged for
> the way we handled "cancel", and we had to come up
> with a fix. I doubt
> that trying to explain away a security risk by saying
> "Altassian
> doesn't think it's a problem" is going to result in
> the security alert
> being lowered. There is a also a fundamental ASF
> principle that
> "Security is a mandatory feature."
>
> Regardless of whether we end up saying using the !
> alias is
> acceptable, or even preferred, we should retain the
> switch that turns
> it on, so that teams make an informed decision as to
> its use.
>
> -Ted.
>
> ------------------------------------------------------
> ---------------
> To unsubscribe, e-mail:
> dev-unsubscribe@struts.apache.org
> For additional commands, e-mail:
> dev-help@struts.apache.org
>
>
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=81539#81539
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ted Husted <hu...@apache.org>.
On 8/21/06, Don Brown <do...@gmail.com> wrote:
> I know that the overriding concern is "security".
Here's the thing. Regardless of what we think, there are independant
security organizations that review security issues for high profile
frameworks. If we don't control the bang with a switch that defaults
to off, we are liable to get pinged for this. Struts 1 was pinged for
the way we handled "cancel", and we had to come up with a fix. I doubt
that trying to explain away a security risk by saying "Altassian
doesn't think it's a problem" is going to result in the security alert
being lowered. There is a also a fundamental ASF principle that
"Security is a mandatory feature."
Regardless of whether we end up saying using the ! alias is
acceptable, or even preferred, we should retain the switch that turns
it on, so that teams make an informed decision as to its use.
-Ted.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Ted Husted <hu...@apache.org>.
On 8/21/06, Don Brown <do...@gmail.com> wrote:
>I think we should remove the method and namespace attributes
> on the tags and elevate the status of the URL in Struts 2.
/s/Struts 2/Struts 3/
For Struts 2, I think we should go with pretty much what we got.
All of these ideas are both interesting and useful, but I'd like to
see them proven in some of our own applications first. I know Patrick
has found Able useful, and if the rest of us find it useful in our own
applications, then it could be the starting point for "phase 2".
But, from the beginning, we agreed that Struts 2 would be based on the
proven foundation of WebWork 2, and the "next generation" of web
application development would be a second phase (Struts 3).
Now, before any one brings up marketing or "user acceptance" or
bringing out too many versions too soon: I don't care about any of
that. I care about creating the web application framework that I want
to use with my own applications. Right now. Today.
I come here because the web application framework that I want to use
is more than I can write on my own. Right now, today, a lot of the
people that could help with Struts 2 are still working on WebWork
2.2.x. I don't want to go off on any tangents that are going to tempt
those people away from working on Struts 2. We need to get Struts 2
out the door now, so that we can complete the merger of our
communities, and consolidate our resources.
I am onboard for the navel-gazing, and I'm onboard for creating a
next-generation web application framework that combines scalability
with ease of use, but we should target the real changes for Struts
Next, not Struts Now.
-Ted.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Bob Lee <cr...@crazybob.org>.
On 8/24/06, Jason Carreira <fo...@opensymphony.com> wrote:
>
> I disagree here because the URL mapping is more likely to change than the
> namespace / actionName mapping. Consider if you leave the namespace empty
> and just give an action name, it will assume the same namespace. Now if you
> change the namespace for a package of actions, that link still works, but
> the hardcoded URL one doesn't. Plus, if people are going to be switching to
> a more RESTful action mapping, URL links will all break, but namespace /
> actionName links won't.
I agree. Plus, specifiying an action name and namespace makes my code
cleaner than constructing a URL manually. I personally don't care what the
URL looks like for the most part.
Bob
Re: [s2] Action ! Method syntax (was Freemarker transform name)
Posted by Jason Carreira <fo...@opensymphony.com>.
> Ok, this issue breaks down like this in my mind:
> 1. Should our tags (url, form, etc) have attributes
> for the
> amespace, action, and method, or just have one for
> the url?
> 2. Should our default ActionMapper allow the method
> to be specified in the url?
> Issue #1 goes back to the more fundamental issue of
> whether Struts 2
> is a _web_ framework that treats URLs as king or a
> more general app
> framework that hides the URL from the developer.
> Personally, I think
> truts 2 should be centered around the concept of the
> URL and not be
> hidden. Even in the case of portlets, the concept of
> a identifying
> string for the controller is important. If you want
> the framework
> hide the HTTP and HTML from you, JSF or Wicket might
> be a better
> framework than Struts.
>
I disagree here because the URL mapping is more likely to change than the namespace / actionName mapping. Consider if you leave the namespace empty and just give an action name, it will assume the same namespace. Now if you change the namespace for a package of actions, that link still works, but the hardcoded URL one doesn't. Plus, if people are going to be switching to a more RESTful action mapping, URL links will all break, but namespace / actionName links won't.
Jason
---------------------------------------------------------------------
Posted via Jive Forums
http://forums.opensymphony.com/thread.jspa?threadID=40932&messageID=82232#82232
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org