struts-user mailing list archives

From Joe Germuska <>
Subject Re: DispatchChainAction (Struts 1.3)
Date Tue, 28 Dec 2004 14:01:36 GMT
At 1:55 PM -0500 12/21/04, Benedict, Paul C wrote:
>I noticed in Struts 1.3 there is a DispatchChainAction, and the parameter
>attribute specifies the name of the chain to execute. Would somebody
>consider that a security hole? It seems like anyone could arbitrarily
>execute any chain command in the entire Struts app if they knew it -- unlike
>a normal DispatchAction whose parameter is only relevant for that Action.
>
>Also, I hope there will be a MappingDispatchChainAction too. The
>MappingDispatchAction is, in my opinion, the absolute best feature of Struts
>1.2 and secures the internals of the app better (i.e., not exposing method
>names to the world). However, it seems that it would be impossible to
>implement (currently) since the parameter attribute is already in use for
>the chain command.

I just got back from a few days away.  In all the mail, I may have 
missed further discussion on this -- in fact, I kind of thought I'd 
replied to it before!

I think the dispatch chain action is flawed now that it takes two 
values to really look up a command to execute (the command name and 
the chain name).  I think it would make sense to derive a single 
string syntax which joins these two values, but that doesn't solve 
the security problem in any way.

I also think the base DispatchAction should not be furthered; 
instead, we should simply add a chain command which reads 
catalog/command values from the ActionMapping and does the same work. 
I'll bring this up on the dev list soon.

I agree that it would be nice to have some internal method dispatch 
in a command.  We use that style extensively at my day job.  I wonder 
if it's worth adding support for that in the chain package itself?


Joe Germuska       
"Narrow minds are weapons made for mass destruction"  -The Ex
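The two dispatch styles this thread contrasts, as an added illustration that is not part of the original message and is not Struts or Commons Chain code: the Command, Catalog and ActionMapping classes below are hypothetical stand-ins for the corresponding Struts 1 / Commons Chain types, and the command names and request values are constructed. RequestDrivenDispatch models the concern raised in the thread (the mapping's parameter names a request parameter whose value picks the command, so any command in the catalog is reachable from a URL); MappingDrivenDispatch models the MappingDispatchAction style the reply favours, where the mapping's parameter is the command name itself and the request has no say in which command runs.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Stand-in for a Commons Chain Command (constructed; not the real interface).
interface Command {
    String execute(Map<String, String> context);
}

// Stand-in for a Commons Chain Catalog: a name-to-command registry (constructed).
final class Catalog {
    private final Map<String, Command> commands = new HashMap<>();

    void addCommand(String name, Command command) {
        commands.put(name, command);
    }

    Optional<Command> getCommand(String name) {
        return Optional.ofNullable(commands.get(name));
    }
}

// Stand-in for a Struts ActionMapping: the per-path configuration from
// struts-config.xml. "parameter" plays the role of the mapping's parameter
// attribute (constructed).
final class ActionMapping {
    final String path;
    final String parameter;

    ActionMapping(String path, String parameter) {
        this.path = path;
        this.parameter = parameter;
    }
}

// Pattern 1, the concern raised in the thread: the mapping's parameter names a
// REQUEST parameter, and the request's value selects the command. Whoever
// sends the request chooses which catalog entry executes.
final class RequestDrivenDispatch {
    static String dispatch(Catalog catalog, ActionMapping mapping, Map<String, String> request) {
        String commandName = request.get(mapping.parameter);
        if (commandName == null) {
            return "error: no command requested";
        }
        return catalog.getCommand(commandName)
                .map(c -> c.execute(request))
                .orElse("error: unknown command");
    }
}

// Pattern 2, the MappingDispatchAction style and what the reply proposes for a
// chain command: the mapping's parameter IS the command name. Each path is
// bound to exactly one command by configuration; request data never selects it.
final class MappingDrivenDispatch {
    static String dispatch(Catalog catalog, ActionMapping mapping, Map<String, String> request) {
        return catalog.getCommand(mapping.parameter)
                .map(c -> c.execute(request))
                .orElse("error: misconfigured mapping");
    }
}

public class DispatchDemo {
    public static void main(String[] args) {
        Catalog catalog = new Catalog();
        catalog.addCommand("viewProfile",
                ctx -> "profile of " + ctx.getOrDefault("user", "anonymous"));
        // An internal command meant to be reachable only through its own
        // (separately protected) mapping.
        catalog.addCommand("resetAllPasswords", ctx -> "all passwords reset");

        // Constructed request, as if the client had sent
        // /profile.do?user=alice&cmd=resetAllPasswords
        Map<String, String> request = new HashMap<>();
        request.put("user", "alice");
        request.put("cmd", "resetAllPasswords");

        // Request-driven mapping: parameter="cmd" names the request parameter
        // that picks the command, so the internal command runs from this path.
        ActionMapping requestDriven = new ActionMapping("/profile.do", "cmd");
        System.out.println("request-driven: "
                + RequestDrivenDispatch.dispatch(catalog, requestDriven, request));

        // Mapping-driven mapping: parameter="viewProfile" pins this path to one
        // command; the cmd request parameter is simply ignored.
        ActionMapping mappingDriven = new ActionMapping("/profile.do", "viewProfile");
        System.out.println("mapping-driven: "
                + MappingDrivenDispatch.dispatch(catalog, mappingDriven, request));
    }
}
```

Compile and run with `javac DispatchDemo.java && java DispatchDemo`. The design point is that in the mapping-driven form the set of commands a given URL can reach is fixed in configuration and reviewable there, whereas in the request-driven form every command in the catalog is effectively an endpoint and each one must defend itself.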
