struts-user mailing list archives

From "Krassen Deltchev" <>
Subject security impact after enabling back the "action:" prefix in Struts
Date Wed, 20 Nov 2013 03:33:48 GMT
Dear Struts2 mailing list,

I have the following question(s) / I need the following advice:
By default the "action:" prefix is set to false in Struts2 v2.3.15.3 as to:
for security reasons,
but I need to set it back to true (i.e. the
struts.mapper.action.prefix.enabled) because my actions do not work
after the library update, and if I decide to go another way to solve this
issue, I need to do a lot of refactoring on my code.
So my question is:
If I enable the "action:" prefix, does it mean that I automatically
compromise/expose my application to the security issues discussed in
s2-16, s2-17 and s2-18?
Is there a workaround for my scenario, so that I can enable the prefix but
still maintain the security level of my application considering the
issues enumerated above? (Can I achieve better results if I properly
tweak the struts.mapper.action.prefix.crossNamespaces?)

Many thanks for your opinions and support!



Krassen Deltchev
M.Sc. Applied Computer Science, Ruhr-University of Bochum
LPIC I!/test2v
