struts-dev mailing list archives

From yasserzamani <...@git.apache.org>
Subject [GitHub] struts issue #133: WW-4105 Considers config time class in actions chain
Date Sun, 23 Apr 2017 16:40:55 GMT
GitHub user yasserzamani commented on the issue:

    https://github.com/apache/struts/pull/133
  
    > Remember that issue that you've submitted to security list? All actions are affected. With this proposal bean attribute must be added to every action configuration in the application.
    
    If this proposal forced users to use the `bean` attribute for every action, I myself would be the first person to reject it. If you think so, then you are right to be worried.
    
    Yes, I remember the issue which I submitted to the security list. Maybe I misunderstood something, but let's count it:
    
    1. When the action is not a bean and is not proxied, e.g. `<action class="me.yz.Action1"`: Then `objectfactory.getInstanceClass(actionConfig.getClassName())` returns `me.yz.Action1` and my proposal behaves as current S2.
    2. When the action is not a bean but is proxied, e.g. `<action class="me.yz.Action1"` and `<aop:pointcut id="actionExecute" expression="execution(String me.yz.Action1.execute())"`: Same as (1), `objectfactory.getInstanceClass(actionConfig.getClassName())` returns `me.yz.Action1` and my proposal behaves as current S2.
    3. When the action is a bean but is not proxied, e.g. `<action class="myAction1"` and `<bean name="myAction1" class="me.yz.Action1"`: Same as (1), `objectfactory.getInstanceClass(actionConfig.getClassName())` returns `me.yz.Action1` and my proposal behaves as current S2.
    4. And when the action is a bean and is proxied, e.g. `<action class="myAction1"` and `<bean name="myAction1" class="me.yz.Action1"` and `<aop:pointcut id="actionExecute" expression="execution(String me.yz.Action1.execute())"`: Here `objectfactory.getInstanceClass(actionConfig.getClassName())` returns something different than `me.yz.Action1`, and my proposal warns the user that the runtime and config-time classes of the action are not the same and recommends the usage of the `bean` attribute, i.e. rewriting the config to `<action class="me.yz.Action1" bean="myAction1"`.
    
    So only number 4 needs protection, and it does not fail when `bean` is not used; it just logs a warning. Did I miss something?
    
    Thanks for your time!

