struts-user mailing list archives

From Manuel López Blasi <lopezbl...@conicet.gov.ar>
Subject Regarding latest struts 2.3.x changes and issues with DMI and Wildcards
Date Tue, 28 Jan 2014 18:54:01 GMT
Hello,
hi to everyone,
I've been researching the last week all over the web in relation to the
last 3 or 4 versions of Struts 2.3.x.
It is my understanding that certain changes have been applied to the
framework regarding security issues, as mentioned in
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16
(security fixes from versions 2.3.15.1, 2.3.15.2, 2.3.15.3 and 2.3.16).

My organization is currently using Struts version 2.1.8.1. So far we've
been able to call methods of an action class from JSP,
directly executing the method specified in the submit tag of the JSP.
We're using stuff like this:

<s:submit cssClass="CformBoton" action="registrarNovedad_registrar" value="Registrar"/>
<s:submit cssClass="CformBoton" action="registrarNovedad_volver" value="Volver"/>

where the action attribute specifies
action="registrarNovedad_registrar", that would be to call the action
"registrarNovedad"
and execute the method "registrar". Together with wildcard mappings,
everything works beautifully as expected. In this case we use:
<action name="registrarNovedad_*" method="{1}" 
class="ar.gov.conicet.apps.sigerh.presentation.administrador.CRegistrarNovedadAction">

Up to here everything is fine, but now we're trying to migrate from
version 2.1.8.1 to 2.3.16 and suddenly this kind of stuff stopped working.
I've been trying to make it work, using as a template the examples that
come bundled with the latest package available, Struts 2.3.16, the project
"struts2-blank",
which is about the smallest project one can conceive, I think, so there are
no doubts or mistakes of configuration or anything else.

From what I've been able to see, the syntax for the s:submit tag has changed?
It doesn't react anymore to action="registrarNovedad_registrar",
so this doesn't work anymore:
<s:submit cssClass="CformBoton" action="registrarNovedad_registrar" value="Registrar"/>
Instead I've been able to make it work with
<s:submit name="method:registrar" value="Registrar"/>
and proper configuration in struts.xml:
<constant name="struts.enable.DynamicMethodInvocation" value="true" />
It doesn't work with DynamicMethodInvocation set to false, it just
doesn't fire up the method.

I tried every possible combination of configurations, ActionProxy,
interceptors, ActionMappers, retried with other combinations, changed
acceptedParams and excludeParams in ParametersInterceptor,
and nothing seems to work.

I'm a bit confused about Dynamic Method Invocation and Wildcards as I
believe, from the documentation I have read, that those are 2
different concepts/technologies.
In our project we have
<constant name="struts.enable.DynamicMethodInvocation" value="false" />
in struts.xml and this works perfectly:
<s:submit cssClass="CformBoton" action="registrarNovedad_registrar" value="Registrar"/>
By perfectly I mean that if you click the button it will take you to the
action and method specified in the action attribute.
No luck on the latest versions.


So here's my question:
Did the syntax of the submit tag change or has it been deprecated?
(name="method:myMethod" vs. action="MyAction_MyMethod")

Is there some way I can make my project work with
DynamicMethodInvocation set to false (turned off) using the same old
syntax of submit tags, so that I can call a method directly from JSP?

Judging by the looks of what I've been researching, all these are changes
related to security issues regarding Dynamic Method Invocation. I'm
about to drop the update and stay with the old version,
as the impact of not being able to call a method from JSP would be so huge
in the project and would require a major rewrite of it; it's literally
impossible right now. Or maybe somebody already got stuck
with these very same issues and has clues or solutions to this.

Thank you very much for your time,
greetings to struts2 team for the great work and efforts.

I hope somebody knows about this.

Thanks a lot.
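
An added example, not part of the original message or of Struts: a Python script that inventories the constructs the message contrasts (the DMI constant, wildcard mappings with method="{1}", and the two s:submit styles) so the affected buttons can be listed before a migration. The sample struts.xml and JSP are constructed from the snippets above; the "index" action and the simplified wildcard matching are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the snippets in the message.
# The "index" action (example.IndexAction) is hypothetical.
STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
  <package name="default" extends="struts-default">
    <action name="registrarNovedad_*" method="{1}"
            class="ar.gov.conicet.apps.sigerh.presentation.administrador.CRegistrarNovedadAction"/>
    <action name="index" class="example.IndexAction"/>
  </package>
</struts>"""

JSP = """<s:submit cssClass="CformBoton" action="registrarNovedad_registrar" value="Registrar"/>
<s:submit cssClass="CformBoton" action="registrarNovedad_volver" value="Volver"/>
<s:submit name="method:registrar" value="Registrar"/>"""

def audit_config(xml_text):
    """Return (DMI constant value or None, wildcard mappings whose method is a placeholder)."""
    root = ET.fromstring(xml_text)
    dmi = next((c.get("value") for c in root.iter("constant")
                if c.get("name") == "struts.enable.DynamicMethodInvocation"), None)
    wild = [(a.get("name"), a.get("method")) for a in root.iter("action")
            if "*" in a.get("name", "") and re.search(r"\{\d\}", a.get("method") or "")]
    return dmi, wild

def resolve(action_value, mappings):
    """Simplified wildcard match (assumption): '*' is a run of non-slash chars, {n} the n-th match."""
    for name, method in mappings:
        pattern = "".join("([^/]*)" if ch == "*" else re.escape(ch) for ch in name)
        m = re.fullmatch(pattern, action_value)
        if m:
            return name, re.sub(r"\{(\d)\}", lambda g: m.group(int(g.group(1))), method)
    return None

def audit_jsp(jsp_text, mappings):
    """Classify each s:submit: method chosen by wildcard, by method: prefix, or plain action."""
    findings = []
    for tag in re.findall(r"<s:submit\b[^>]*>", jsp_text):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', tag))
        if attrs.get("name", "").startswith("method:"):
            findings.append(("method-prefix", attrs["name"][len("method:"):]))
        elif "action" in attrs:
            hit = resolve(attrs["action"], mappings)
            findings.append(("wildcard", hit[1]) if hit else ("plain-action", attrs["action"]))
    return findings

if __name__ == "__main__":
    dmi, wild = audit_config(STRUTS_XML)
    print("DMI constant:", dmi)
    for kind, method in audit_jsp(JSP, wild):
        print(kind, "->", method)
```

Every method name reported for a wildcard or method: prefix button comes from the request rather than from struts.xml, so those are the entries to review when deciding which action methods should stay reachable.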





