You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Andy Chapman (JIRA)" <ji...@apache.org> on 2009/08/22 13:19:00 UTC
[jira] Work stopped: (WW-3228) behaves as if default namespace
contains all actions
[ https://issues.apache.org/struts/browse/WW-3228?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on WW-3228 stopped by Andy Chapman.
> behaves as if default namespace contains all actions
> ----------------------------------------------------
>
> Key: WW-3228
> URL: https://issues.apache.org/struts/browse/WW-3228
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.1.6
> Environment: Vista
> Tomcat 5.5
> Java 1.5.0_08
> Reporter: Andy Chapman
> Assignee: Andy Chapman
> Priority: Minor
>
> struts.xml as follows:
> <!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN" "http://struts.apache.org/dtds/struts-2.0.dtd">
> <struts>
> <package name="default" extends="struts-default" namespace="">
> <action name="dummy">
> <result>/WEB-INF/jsp/dummy.jsp</result>
> </action>
> </package>
> <package name="wibble" extends="struts-default" namespace="/specific">
> <action name="bar">
> <results>/WEB-INF/jsp/specific.jsp</result>
> </action>
> </package>
> </struts>
> Browsing results:
> http://mydomain/specific/bar.action gives specific.jsp
> http://mydomain/randomcombinationofletters/bar.action it also gives specific.jsp
> I could understand this happening if there was a bar action in the default namespace but when there isn't it seems wrong. It causes problems when security is set up by namespaces as someone can just craft a namespace to avoid the security rules.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.