struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Regarding latest struts 2.3.x changes and issues with DMI and Wildcards
Date Wed, 29 Jan 2014 20:18:54 GMT
2014-01-29 Manuel López Blasi <lopezblasi@conicet.gov.ar>:
> 1) Having the action.prefix enabled there's no interference in the
> security fixes introduced in the last versions, it should be all fully
> working isn't it?
> We have Dynamic Method Invocation disabled.

No, the action: prefix can be dangerous, but it depends on the security
model implemented inside the actions and application. I cannot share more
on a public mailing list, so as not to disclose a security vulnerability.

> 2) When a button is clicked so it fires the method specified in the action
> attribute of the s:submit tag it seems that it looks for the method
> "prepareMethod" where Method is the method I specified, it seems that the
> prefix "prepare" is appended. Is there a way to override or disable this
> appending?
> Same goes for the method validate, it is looking for "prepareValidate", I
> need to get rid of those appendings, since otherwise we would need to make a
> huge refactor of method namings in the project.

It is because of the prepare interceptor, which is included in the stack
you are using. Basically, prepareXXX is called to prepare the action for
execution of the desired method.

http://struts.apache.org/release/2.3.x/docs/prepare-interceptor.html


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
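
An added example, not part of the original message and not Struts source code: a simplified stand-alone Java model of the prepareXXX lookup the reply describes, showing that an action method without a matching prepare method is still executed. The names PrepareModel, SampleAction and lookupOrder are hypothetical, and the model assumes the interceptor's default ordering (prepare<Method> tried before prepareDo<Method>, with the general prepare() always invoked).

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

// Simplified stand-alone model of the lookup the prepare interceptor performs.
// Not Struts source: PrepareModel, SampleAction and lookupOrder are hypothetical names.
public class PrepareModel {

    // Stand-in for an action class; only save() has a dedicated prepare method.
    public static class SampleAction {
        public final List<String> calls = new ArrayList<>();
        public void prepare()     { calls.add("prepare"); }
        public void prepareSave() { calls.add("prepareSave"); }
        public String save()      { calls.add("save");   return "success"; }
        public String delete()    { calls.add("delete"); return "success"; }
    }

    // Candidate names tried for a target method: prepare<Method>, then prepareDo<Method>.
    static String[] lookupOrder(String method) {
        String cap = Character.toUpperCase(method.charAt(0)) + method.substring(1);
        return new String[] { "prepare" + cap, "prepareDo" + cap };
    }

    // Invoke the first prefixed method that exists, then prepare(), then the target.
    static List<String> invoke(SampleAction action, String method) throws Exception {
        for (String candidate : lookupOrder(method)) {
            try {
                Method m = action.getClass().getMethod(candidate);
                m.invoke(action);
                break;                       // first match wins
            } catch (NoSuchMethodException e) {
                // A missing prepareXxx is not an error; the next candidate is tried.
                System.out.println("no method " + candidate + " on action, skipping");
            }
        }
        action.prepare();                    // assumed default: general prepare() runs too
        action.getClass().getMethod(method).invoke(action);
        return action.calls;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(invoke(new SampleAction(), "save"));
        System.out.println(invoke(new SampleAction(), "delete"));
    }
}
```

In this model the prefixed names are only looked up, never required, so existing action methods keep their names.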

