struts-dev mailing list archives

From Lukasz Lenart <>
Subject Re: [VOTE] [FAST TRACK] Struts
Date Wed, 16 Oct 2013 14:38:03 GMT
2013/10/16  <>:
> Thanks Lukasz.
> This is not a vote, but additional questions.
>> After upgrading to Struts, applications using the "action:" will stop working.
> We still want "action:" to work if possible, so we have added
> * struts.mapper.action.prefix.enabled
> * struts.mapper.action.prefix.crossNamespaces
> into (or struts.xml) and set their value true as suggested as "Backward
> But "action:" did not seem to work under environment against our expectation.
> (Not 404 error like, but transit to the same page.)
> (Q1) Are those additional constants effective as mentioned in new S2-018?
> (Q2) Assume that the backward compatibility works, can we expect that applying
> with setting the additional constants true is still valuable as a solution to the problem
> "Broken Access Control Vulnerability" targeted in S2-018?

Are you sure? I have just tested (again) with struts2-blank and it
works as expected. You must have some strange configuration.

    <constant name="struts.mapper.action.prefix.enabled" value="true"/>
    <constant name="struts.mapper.action.prefix.crossNamespaces" value="true"/>

And I suggest leaving "struts.mapper.action.prefix.crossNamespaces" disabled.

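A configuration check for the two constants discussed in this message, as an added example that is not part of the original message or of the Struts project. It assumes the constants are set in a single struts.xml (it does not follow `<include>` files) and that an absent constant counts as disabled; the function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ENABLED = "struts.mapper.action.prefix.enabled"
CROSS_NS = "struts.mapper.action.prefix.crossNamespaces"

# Constructed sample: a struts.xml carrying the two constants quoted above.
SAMPLE_STRUTS_XML = """<struts>
    <constant name="struts.mapper.action.prefix.enabled" value="true"/>
    <constant name="struts.mapper.action.prefix.crossNamespaces" value="true"/>
    <constant name="struts.devMode" value="false"/>
</struts>"""


def read_constants(xml_text):
    """Return {name: value} for every <constant> element in the document.

    If a name is declared twice, the later entry overwrites the earlier one
    in this dict.
    """
    root = ET.fromstring(xml_text)
    return {c.get("name"): (c.get("value") or "").strip()
            for c in root.iter("constant") if c.get("name")}


def audit_action_prefix(xml_text):
    """Return a list of (severity, message) findings for the two constants."""
    consts = read_constants(xml_text)
    # Assumption: a constant that is not declared is treated as disabled.
    enabled = consts.get(ENABLED, "false").lower() == "true"
    cross = consts.get(CROSS_NS, "false").lower() == "true"
    findings = []
    if enabled:
        findings.append(
            ("info", f"{ENABLED}=true: the 'action:' prefix is re-enabled"))
    if cross:
        findings.append(
            ("warn", f"{CROSS_NS}=true: the message above suggests "
                     "leaving this constant disabled"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_action_prefix(SAMPLE_STRUTS_XML):
        print(f"[{severity}] {message}")
```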