struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yasser Zamani (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WW-4918) buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods defined in struts.xml
Date Tue, 13 Feb 2018 11:30:00 GMT

     [ https://issues.apache.org/jira/browse/WW-4918?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Yasser Zamani updated WW-4918:
------------------------------
    Description: 
I have the following action (slightly edited to remove identifying info):

{code:xml}
<action name="userEdit" class="struts2package.actions.user.UserEditAction">
 <interceptor-ref name="defaultStack">
 <!-- Exclude the dojo parameters, the displaytag sorting/paging parameters and the resetSelectedVersion
parameter-->
 <param name="params.excludeParams">dojo\..*,struts\..*,d-\d+?-[sop],..*multiselect..*</param>
 <param name="authorizationInterceptor.authorizationRole">globalAdmin</param>
 </interceptor-ref>
 <interceptor-ref name="token">
 <param name="excludeMethods">input,back,refresh,cancel,browse</param>
 </interceptor-ref>
 <interceptor-ref name="struts2ActionErrorInterceptor"/>
 <interceptor-ref name="struts1ErrorMessageInterceptor"/>
 <result name="input">/jsp/user/userEdit.jsp</result>
 <result name="error" type="redirectAction">
 <param name="actionName">displayUserEdit.action</param>
 </result>
 <result name="redirectToUserOverview" type="redirectAction">
 <param name="actionName">userOverviewRetained.action</param>
 <param name="globalInfo">info.transaction_success</param>
 </result>
 <result name="success">/jsp/user/userEdit.jsp</result>
 <result name="back" type="redirect">${backUrl}</result>
 </action>
{code}

And the following global allowed methods:

{code:xml}
<global-allowed-methods>update,execute</global-allowed-methods>
{code}

And these buttons:

 
{code:xml}
<div class="buttonRow">
 <%-- The 'Save' button --%>
 <input value="Save"
 type="submit" class="button" name="method:update" />

<%-- The 'Refresh' button --%>
 <input value="Refresh"
 type="submit" class="button" name="method:refresh"
 id="refreshButton" />

<%-- The 'Back' button --%>
 <input value=Back"
 type="submit" class="button" name="method:back" />
 </div>
{code}
 

As you can see, the update method is defined in the global-allowed-actions list, but the refresh
and back methods aren't. However, what happens is that the update button with the update method
works and updates the user, the refresh action shows the "method is not allowed" error screen
and doesn't update the user(both as expected since update is defined in the allowed methods
and refresh isn't), but the back button DOES actually work even though it's not explicitly
defined in the global-allowed-methods section.

 

I'm trying to understand why out of 2 methods both not defined as allowed-methods, one is
correctly blocked  as "not allowed" while the other is still allowed through. If I add ",refresh"
to the global-allowed-methods and restart tomcat, the refresh button ends up working afterwards
as expected, and the back button stays functional. I don't use the plugin that adds the Allowed
Methods annotation, and this same situation also happens when using s:submits with method="back"
defined, even if there is already a method defined on the action entry in struts.xml.

Update: I have done some more testing, and it appears that another action with similar definition
but a different method (method:delete on an AntDeleteAction) also works without having to
explicitly define delete on the global allowed methods list.

  was:
I have the following action (slightly edited to remove identifying info):

<action name="userEdit" class="struts2package.actions.user.UserEditAction">
 <interceptor-ref name="defaultStack">
 <!-- Exclude the dojo parameters, the displaytag sorting/paging parameters and the resetSelectedVersion
parameter-->
 <param name="params.excludeParams">dojo\..*,struts\..*,d-\d+?-[sop],..*multiselect..*</param>
 <param name="authorizationInterceptor.authorizationRole">globalAdmin</param>
 </interceptor-ref>
 <interceptor-ref name="token">
 <param name="excludeMethods">input,back,refresh,cancel,browse</param>
 </interceptor-ref>
 <interceptor-ref name="struts2ActionErrorInterceptor"/>
 <interceptor-ref name="struts1ErrorMessageInterceptor"/>
 <result name="input">/jsp/user/userEdit.jsp</result>
 <result name="error" type="redirectAction">
 <param name="actionName">displayUserEdit.action</param>
 </result>
 <result name="redirectToUserOverview" type="redirectAction">
 <param name="actionName">userOverviewRetained.action</param>
 <param name="globalInfo">info.transaction_success</param>
 </result>
 <result name="success">/jsp/user/userEdit.jsp</result>
 <result name="back" type="redirect">${backUrl}</result>
 </action>

And the following global allowed methods:

<global-allowed-methods>update,execute</global-allowed-methods>

And these buttons:

 

<div class="buttonRow">
 <%-- The 'Save' button --%>
 <input value="Save"
 type="submit" class="button" name="method:update" />

<%-- The 'Refresh' button --%>
 <input value="Refresh"
 type="submit" class="button" name="method:refresh"
 id="refreshButton" />

<%-- The 'Back' button --%>
 <input value=Back"
 type="submit" class="button" name="method:back" />
 </div>

 

As you can see, the update method is defined in the global-allowed-actions list, but the refresh
and back methods aren't. However, what happens is that the update button with the update method
works and updates the user, the refresh action shows the "method is not allowed" error screen
and doesn't update the user(both as expected since update is defined in the allowed methods
and refresh isn't), but the back button DOES actually work even though it's not explicitly
defined in the global-allowed-methods section.

 

I'm trying to understand why out of 2 methods both not defined as allowed-methods, one is
correctly blocked  as "not allowed" while the other is still allowed through. If I add ",refresh"
to the global-allowed-methods and restart tomcat, the refresh button ends up working afterwards
as expected, and the back button stays functional. I don't use the plugin that adds the Allowed
Methods annotation, and this same situation also happens when using s:submits with method="back"
defined, even if there is already a method defined on the action entry in struts.xml.

Update: I have done some more testing, and it appears that another action with similar definition
but a different method (method:delete on an AntDeleteAction) also works without having to
explicitly define delete on the global allowed methods list.


> buttons with name="method:METHODNAME" sometimes ignore global-allowed-methods defined
in struts.xml
> ---------------------------------------------------------------------------------------------------
>
>                 Key: WW-4918
>                 URL: https://issues.apache.org/jira/browse/WW-4918
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>            Reporter: Nate
>            Priority: Major
>
> I have the following action (slightly edited to remove identifying info):
> {code:xml}
> <action name="userEdit" class="struts2package.actions.user.UserEditAction">
>  <interceptor-ref name="defaultStack">
>  <!-- Exclude the dojo parameters, the displaytag sorting/paging parameters and the
resetSelectedVersion parameter-->
>  <param name="params.excludeParams">dojo\..*,struts\..*,d-\d+?-[sop],..*multiselect..*</param>
>  <param name="authorizationInterceptor.authorizationRole">globalAdmin</param>
>  </interceptor-ref>
>  <interceptor-ref name="token">
>  <param name="excludeMethods">input,back,refresh,cancel,browse</param>
>  </interceptor-ref>
>  <interceptor-ref name="struts2ActionErrorInterceptor"/>
>  <interceptor-ref name="struts1ErrorMessageInterceptor"/>
>  <result name="input">/jsp/user/userEdit.jsp</result>
>  <result name="error" type="redirectAction">
>  <param name="actionName">displayUserEdit.action</param>
>  </result>
>  <result name="redirectToUserOverview" type="redirectAction">
>  <param name="actionName">userOverviewRetained.action</param>
>  <param name="globalInfo">info.transaction_success</param>
>  </result>
>  <result name="success">/jsp/user/userEdit.jsp</result>
>  <result name="back" type="redirect">${backUrl}</result>
>  </action>
> {code}
> And the following global allowed methods:
> {code:xml}
> <global-allowed-methods>update,execute</global-allowed-methods>
> {code}
> And these buttons:
>  
> {code:xml}
> <div class="buttonRow">
>  <%-- The 'Save' button --%>
>  <input value="Save"
>  type="submit" class="button" name="method:update" />
> <%-- The 'Refresh' button --%>
>  <input value="Refresh"
>  type="submit" class="button" name="method:refresh"
>  id="refreshButton" />
> <%-- The 'Back' button --%>
>  <input value=Back"
>  type="submit" class="button" name="method:back" />
>  </div>
> {code}
>  
> As you can see, the update method is defined in the global-allowed-actions list, but
the refresh and back methods aren't. However, what happens is that the update button with
the update method works and updates the user, the refresh action shows the "method is not
allowed" error screen and doesn't update the user(both as expected since update is defined
in the allowed methods and refresh isn't), but the back button DOES actually work even though
it's not explicitly defined in the global-allowed-methods section.
>  
> I'm trying to understand why out of 2 methods both not defined as allowed-methods, one
is correctly blocked  as "not allowed" while the other is still allowed through. If I add
",refresh" to the global-allowed-methods and restart tomcat, the refresh button ends up working
afterwards as expected, and the back button stays functional. I don't use the plugin that
adds the Allowed Methods annotation, and this same situation also happens when using s:submits
with method="back" defined, even if there is already a method defined on the action entry
in struts.xml.
> Update: I have done some more testing, and it appears that another action with similar
definition but a different method (method:delete on an AntDeleteAction) also works without
having to explicitly define delete on the global allowed methods list.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message