struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Regarding latest struts 2.3.x changes and issues with DMI and Wildcards
Date Wed, 29 Jan 2014 06:21:58 GMT
As from 2.3.15.2 action: prefix is disabled by default (this is how
<s:submit action="..."/> is rendered), to enable it you must add the
below constant to struts.properties or struts.xml:

### Disables support for action: prefix
struts.mapper.action.prefix.enabled = false


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2014-01-28 Manuel López Blasi <lopezblasi@conicet.gov.ar>:
> Hello,
> hi to everyone,
> i've been researching the last week all over the web in relation to the last
> 3 or 4 versions of struts 2.3.x,
> it is in my understanding that certain changes have been applied to the
> framework regarding security issues as
> mentioned in
> https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16
> security fixes from version 2.3.15.1, 2.3.15.2 , 2.3.15.3 and 2.3.16
>
> My organization is currently using struts version 2.1.8.1 , so far we've
> been able to call methods from an action class from jsp,
> executing directly the method specified in the submit tag of jsp, we're
> using stuff like this:
>
> <s:submit cssClass="CformBoton" action="registrarNovedad_registrar"
> value="Registrar"/>
> <s:submit cssClass="CformBoton" action="registrarNovedad_volver"
> value="Volver"/>
>
> where the action attribute specifies action="registrarNovedad_registrar"  ,
> that would be to call the action "registrarNovedad"
> and execute the method "registrar". Together with wildcard mappings,
> everything works beautyfully as expected, in this case we use:
> <action name="registrarNovedad_*" method="{1}"
> class="ar.gov.conicet.apps.sigerh.presentation.administrador.CRegistrarNovedadAction">
>
> Up to here everything is fine but now we're trying to migrate from version
> 2.1.8.1 to 2.3.16 and suddenly this kind of stuff stopped working.
> I've been trying to make it work, using as template the examples that come
> bundled with the last package available, struts 2.3.16, the proyect
> "struts2-blank",
> wich is about the smallest proyect one can concieve i think, so there're no
> doubts or mistakes of configuration or anything is else.
>
> For what i've been able to see the syntax for s:submit tag has changed? It
> doesn't react anymore to action="registrarNovedad_registrar"
> so that this doesn't work anymore: <s:submit cssClass="CformBoton"
> action="registrarNovedad_registrar" value="Registrar"/>
> instead i've been able to make it work with <s:submit
> name="method:registrar" value="Registrar"/> and proper configuration in
> struts.xml
> <constant name="struts.enable.DynamicMethodInvocation" value="true" />. It
> doesn't work with DynamicMethodInvocation set to false, it just doesn't fire
> up the method.
>
> I tried every possible combination of configurations, actionPRoxy
> interceptors, ActionMappers , retried with other combinations, changed
> acceptedParams and excludeParams in ParametersInterceptor
> and nothing seems to work.
>
> I'm a bit confused about Dynamic Method Invocation and Wildcards as i
> believe, since the documentation i have read, that those are 2 differente
> concepts/technologies.
> In our proyect we have
> <constant name="struts.enable.DynamicMethodInvocation" value="false" />
> in struts.xml and this works perfect:
> <s:submit cssClass="CformBoton" action="registrarNovedad_registrar"
> value="Registrar"/>
> by perfect i mean that if you click the button it will take you to the
> action and method specified en the action attribute.
> No luck on latest versions.
>
>
> So here's my question:
> Did the syntax of submit tag changed or has it been deprecated?
> (name="method:myMethod" VS. action="MyAction_MyMethod")
>
> is there some way i can make my project work with DynamicMethodInvocation
> set to false (turned off) using the same old syntax of submit tags and so
> that i can call a method directly from jsp?
>
> Judging by the looks of what i've been researching all these are changes
> related to security issues regarding Dynamic Method Invocation, i'm about to
> drop the update and keep with the old version
> as the impact of not being able to call method from jsp would be so huge in
> the proyect and would require a mayor rewrite of it, it's litterally
> impossible right now, u maybe somebody already got stuck
> with this very same issues and have clues or solutions to this.
>
> Thank you very much for your time,
> greetings to struts2 team for the great work and efforts.
>
> I hope somebody knows about this.
>
> Thanks a lot.
>
>
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message