struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <>
Subject Re: About S2-019, is it safe to re-enable DMI ?
Date Wed, 25 Sep 2013 09:51:06 GMT
2013/9/25 Eric Chatellier <>:
> Hi
> Just after updating struts to, all of ours applications stop working.
> Some of ours applications uses struts-convention-plugin, so only
> url can be used to acces action's methods.
> We are using a lot of url with "!input" methods, especially to manage
> form input and form validation.
> "S2-019 - Dynamic Method Invocation disabled by default", seems to be a big
> security issue.
> So, is it safe to re-enable back DMI to true ?
> If not, how is it possible to not use DMI ?

It isn't if you know what you doing - a small example:
login!getPassword ;-) You can also switch to Strict DMI but only via
XML - I'm working on solution to have it also for annotations.

And in the future I'm planning to have only Strict DMI which means
white-listing which actions/methods can be access via DMI

+ 48 606 323 122

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message