Subject: Re: Url rewriting of .action to .jsp
From: Paweł Wielgus
To: Struts Users Mailing List <user@struts.apache.org>
Date: Tue, 24 Sep 2013 01:38:03 +0200
References: <52404D82.2020202@abas.de>

Hi Lukasz,

I see no problem for me in the solution described by you. Of course I'm no security expert here.

Best greetings,
Paweł Wielgus.

2013/9/23 Lukasz Lenart:
> 2013/9/23 Paweł Wielgus:
>> Hi all,
>> I'm using DMI to call the "input" method extensively,
>> almost in every Edit*Action.
>> I call it with the ParamsPrepareParams stack.
>>
>> I fully understand that allowing DMI is a security problem.
>> But maybe some kind of balance could be achieved.
>> Whitelisting with annotations would not be bad for me;
>> also, maybe letting only the input (or similar) method be called by default
>> would not cause too much of a security problem?
>>
>> I'm not saying that I will drop S2
>> if DMI is disabled,
>> but it sure will make me rewrite all my edit actions.
>
> There is "strict DMI" [1] but I doubt that anybody is using it ;-)
> Anyway, doing some improvement in that area is better than removing
> DMI altogether ;-)
> Maybe we should switch to strict DMI by default - e.g. "execute, input,
> edit, submit, form" are the only allowed methods to be called via DMI.
> And then remove the DMI on/off switch entirely (DMI will always be enabled).
>
> [1] http://struts.apache.org/release/2.3.x/docs/action-configuration.html#ActionConfiguration-DynamicMethodInvocation
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
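The whitelist-by-default idea Lukasz sketches above (only a short, fixed list of method names reachable through an `action!method` request) is easier to reason about next to the unrestricted form it replaces. The following is an added illustration in plain Java, not Struts code and not anything posted in the thread: the `EditUserAction` class, the `ALLOWED` set, the `action!method` parsing and the helper names are all assumptions made for the example. Struts' own strict DMI is configured in struts.xml as described in the documentation linked above, not in Java like this.

```java
import java.lang.reflect.Method;
import java.util.Set;

// Added example (not Struts code): shows why unrestricted DMI is dangerous and
// what a method whitelist changes. All names below are invented for the demo.
public class DmiWhitelistDemo {

    // Stand-in for an Edit*Action. Some methods are meant to be reachable from
    // a request, one is an internal helper that must never be reachable by name.
    public static class EditUserAction {
        public String execute() { return "saved"; }
        public String input()   { return "form shown"; }
        // Assumed internal method; a public no-arg method is all DMI needs to reach it.
        public String deleteAllUsers() { return "everything deleted"; }
    }

    // The default whitelist proposed in the thread (assumption: taken verbatim from the mail).
    static final Set<String> ALLOWED = Set.of("execute", "input", "edit", "submit", "form");

    // Splits "EditUser!deleteAllUsers" into the method part; no '!' means "execute".
    static String methodFromActionName(String actionName) {
        int bang = actionName.indexOf('!');
        return bang < 0 ? "execute" : actionName.substring(bang + 1);
    }

    // Classic, non-strict DMI: whatever follows '!' is resolved by reflection,
    // so any public no-arg method on the action becomes an HTTP-reachable endpoint.
    static String invokeUnrestricted(Object action, String actionName) throws Exception {
        Method m = action.getClass().getMethod(methodFromActionName(actionName));
        return (String) m.invoke(action);
    }

    // Strict variant: the name must be on the whitelist before reflection is even attempted.
    static String invokeStrict(Object action, String actionName) throws Exception {
        String method = methodFromActionName(actionName);
        if (!ALLOWED.contains(method)) {
            throw new IllegalArgumentException("method not allowed via DMI: " + method);
        }
        Method m = action.getClass().getMethod(method);
        return (String) m.invoke(action);
    }

    public static void main(String[] args) throws Exception {
        EditUserAction action = new EditUserAction();
        // Constructed request-style action names for the demo.
        String[] requests = { "EditUser", "EditUser!input", "EditUser!deleteAllUsers" };
        for (String r : requests) {
            System.out.println("unrestricted " + r + " -> " + invokeUnrestricted(action, r));
            try {
                System.out.println("strict       " + r + " -> " + invokeStrict(action, r));
            } catch (IllegalArgumentException e) {
                System.out.println("strict       " + r + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running the `main` shows the difference directly: the unrestricted dispatcher happily calls `deleteAllUsers` because it is public and takes no arguments, while the strict dispatcher rejects it before any reflection happens and still lets `execute` and `input` through. The check is deliberately placed before `getMethod`, so the whitelist decides, not the shape of the action class.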