On 23.09.2013 20:32, Lukasz Lenart wrote:
2013/9/23 Paweł Wielgus :
Hi all,
I'm using DMI to call "input" method extensively,
almost in every Edit*Action.
I call it with ParamsPrepareParams stack.
I fully understand that allowing DMI is a security problem.
But maybe some kind of balance could
2013/9/24 Paweł Wielgus :
> One more side note,
> if I understand it right,
> in my case (Edit input and execute methods)
> wildcard mapping would be better from framework perspective
> but it needs to be written in xml configuration.
>
> Whereas DMI does not require me to write any xml,
> but is n
One more side note,
if I understand it right,
in my case (Edit input and execute methods)
wildcard mapping would be better from framework perspective
but it needs to be written in xml configuration.
Whereas DMI does not require me to write any xml,
but is not first class citizen in terms of framew
Hi Lukasz,
I see no problem for me in the solution described by you.
Of course I'm no security expert here.
Best greetings,
Paweł Wielgus.
2013/9/23 Lukasz Lenart :
> 2013/9/23 Paweł Wielgus :
>> Hi all,
>> I'm using DMI to call "input" method extensively,
>> almost in every Edit*Action.
>> I call
2013/9/23 Volker Krebs :
> On 23.09.2013 11:05, Christoph Nenning wrote:
>>>
>>>
>>> Just a hint: DMI can be dangerous and we think about removing it.
>>>
>> That would force us to do heavy refactorings in all our applications.
>
>
> Removing DMI completely would break a lot of applications.
> Ho
2013/9/23 Paweł Wielgus :
> Hi all,
> I'm using DMI to call "input" method extensively,
> almost in every Edit*Action.
> I call it with ParamsPrepareParams stack.
>
> I fully understand that allowing DMI is a security problem.
> But maybe some kind of balance could be achieved.
> White listing with
Hi,
Yes, we know already :\ I'm working on a new solution, should be ready
next week.
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
2013/9/23 Emi Lu :
> Good morning,
>
> Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:
>
>
> (1) jsp:
> name= "loginForm"
>name
Hi all,
I'm using DMI to call "input" method extensively,
almost in every Edit*Action.
I call it with ParamsPrepareParams stack.
I fully understand that allowing DMI is a security problem.
But maybe some kind of balance could be achieved.
White listing with annotations would not be bad for me
also
On 09/23/2013 10:38 AM, Volker Krebs wrote:
On 23.09.2013 16:23, Emi Lu wrote:
Good morning,
Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:
(1) jsp:
--- never call
loginProcessLoginAction
(2) struts.xml
main_menu
/WEB-INF/pages/errorinfo/ajax_error_check.jsp
On 23.09.2013 16:23, Emi Lu wrote:
Good morning,
Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:
(1) jsp:
--- never call
loginProcessLoginAction
(2) struts.xml
main_menu
/WEB-INF/pages/errorinfo/ajax_error_check.jsp
(3) ProcessLoginAction.java
public St
Good morning,
Upgraded from 2.3.15.1 to 15.2, but "s:submit" problem:
(1) jsp:
action="loginProcessLoginAction" /> --- never call
loginProcessLoginAction
(2) struts.xml
main_menu
/WEB-INF/pages/errorinfo/ajax_error_check.jsp
(3) ProcessLoginAction.java
publi
On 23.09.2013 11:05, Christoph Nenning wrote:
Just a hint: DMI can be dangerous and we think about removing it.
That would force us to do heavy refactorings in all our applications.
Removing DMI completely would break a lot of applications.
How about white-listing methods ?
At the moment
>
> Just a hint: DMI can be dangerous and we think about removing it.
>
That would force us to do heavy refactorings in all our applications.
Just a hint: DMI can be dangerous and we think about removing it.
2013/9/23 Christoph Nenning :
> It seems a little late to join this discussion, but anyway here is what I
> think.
>
>
> Per default the framework shows validation errors for simple GET requests.
>
> The easiest way to work around t
It seems a little late to join this discussion, but anyway here is what I
think.
Per default the framework shows validation errors for simple GET requests.
The easiest way to work around that is to add "!input" to the url, like
this:
login!input.action
You can bookmark that and generate link
"You cannot forward to actions"
Thanks, that was the idea that was missing from my understanding.
Got it working the way I wanted in a minute :)
Many thanks - appreciated :)
Serdyn du Toit
On Mon, Sep 23, 2013 at 8:47 AM, Lukasz Lenart wrote:
> 2013/9/22 Serdyn du Toit :
> > What I have now