0

Right now we are using Struts 2.5 and I have Dynamic Method Invocation=true in Struts configuration file .

And i have action mappings as below.

<action name="action name" class="action class"
   <result name="view" type="redirectAction"></result>
   <allowed-methods> 
         view,modify,delete,duplicate 
   </allowed-methods>
</action>

To remediate App-sec finding i have to set Dynamic Method Invocation to false.

I have set Dynamic Method Invocation value="false" . Now allowed methods are not working.

I did specify multiple actions with methods, it did not work as well. It is calling default reset and process method from the Action class instead the specified method.

I have read that for allowed-methods to work we have to have Dynamic Method Invocation set to true?

How do i call multiple methods with the same action with disabling Dynamic Method Invocation?

Roman C
  • 49,761
  • 33
  • 66
  • 176
Sailaja
  • 9
  • 1
  • In struts2 each action is mapped to the method of the action class. No need to break this rule. See how to use a special parameter in [this](https://stackoverflow.com/a/23494411/573032) answer. – Roman C Jun 21 '20 at 06:41

1 Answers1

1

If DMI is turned off you cannot invoke methods dynamically; that's the point of turning it off.

You can use Strict Method Invocation to explicitly allow methods; SMI is enabled by default.

You can't have it both ways--DMI is either enabled, or not.

Dave Newton
  • 158,873
  • 26
  • 254
  • 302
  • Thank you Dave for your input. But allowed methods is not working when I turned off DMI. Could you please let me know the necessary changes that I should make in my Struts configuration file in order to have the allowed methods working with SMI. – Sailaja May 30 '20 at 17:21
  • @Sailaja ... Turn on DMI. If DMI is turned off you cannot invoke methods dynamically, that's the point. – Dave Newton May 30 '20 at 20:37