struts-issues mailing list archives

From "Jasper Rosenberg (JIRA)" <>
Subject [jira] [Updated] (WW-4172) deleting
Date Wed, 07 Aug 2013 18:04:51 GMT


Jasper Rosenberg updated WW-4172:

    Description: deleting  (was: Let's say you have the following mappings:

    <package name="securityTest" namespace="/securitytest" extends="default">
      <action name="secureAction"/>
      <action name="insecureAction"/>
    </package>

Then suppose you are using url pattern based security such as with Spring Security, and require
login to view secureAction.action:

<http use-expressions="true">
    <intercept-url pattern="/securitytest/insecureAction.action" access="permitAll"/>
    <intercept-url pattern="/securitytest/secureAction.action" access="isAuthenticated()"/>
    <form-login />
</http>

1. http://localhost/securitytest/insecureAction.action
	Shows the insecure content

2. http://localhost/securitytest/secureAction.action
	Requires login before displaying secure content

3. http://localhost/securitytest/insecureAction.action?action:secureAction
	Whoops, there's the secure content without login!

I believe this is only a problem if you are hosting the secure and insecure actions in the
same namespace.

Obviously, this is not directly a Struts2 issue, but I'm sure that many sites are using url
based security and Struts2 together.  At the very least, it might be good to provide an easy
way to disable support for the "action:" parameter prefix.  For now I just extended the DefaultActionMapper,
and overwrote the value of prefixTrie to be empty.
    Environment: deleting  (was: Spring Security)
         Labels:   (was: security)
        Summary: deleting  (was: "action:" parameter prefix can be used to access url secured
> deleting
> --------
>                 Key: WW-4172
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Other
>    Affects Versions:
>         Environment: deleting
>            Reporter: Jasper Rosenberg
>            Priority: Blocker
> deleting

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
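The workaround the reporter mentions (extending DefaultActionMapper and emptying prefixTrie) as an added example; this is not code from the issue or from the Struts project. It assumes Struts 2.3.x, where DefaultActionMapper populates a protected `prefixTrie` field in its constructor and consults it in `handleSpecialParameters()`; the class location `org.apache.struts2.util.PrefixTrie`, the package `example.security` and the class name `NoPrefixActionMapper` are assumptions.

```java
// Added example (not from the issue or the Struts project): an ActionMapper that disables the
// "action:" parameter prefix, and the other parameter-name prefixes registered alongside it,
// by replacing the prefix trie with an empty one. Assumes Struts 2.3.x, where
// DefaultActionMapper keeps its prefix handlers in a protected PrefixTrie field that its
// constructor fills; the PrefixTrie import path is an assumption.
package example.security; // hypothetical package name

import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;
import org.apache.struts2.util.PrefixTrie;

public class NoPrefixActionMapper extends DefaultActionMapper {

    public NoPrefixActionMapper() {
        super();
        // The parent constructor has just registered handlers for the "action:" prefix and its
        // siblings. With an empty trie, handleSpecialParameters() finds no handler for a request
        // parameter such as "action:secureAction", so the action is derived from the URL path
        // alone, which is the same value the URL-pattern security rules are evaluating.
        prefixTrie = new PrefixTrie();
    }
}
```

Register the mapper in struts.xml with a bean declaration such as `<bean type="org.apache.struts2.dispatcher.mapper.ActionMapper" name="noPrefix" class="example.security.NoPrefixActionMapper"/>` followed by `<constant name="struts.mapper.class" value="noPrefix"/>` (the bean name is an assumption; the constant is the standard Struts 2 mapper setting). The underlying risk is that the security layer keys its decision on the request path while the dispatcher keys its decision on a request parameter, so after deploying the change, re-run the reporter's third request and confirm it now returns the insecure content rather than the secure action, and that the secure URL still redirects to login.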
