Posted to issues@struts.apache.org by "Lukasz Lenart (JIRA)" <ji...@apache.org> on 2015/10/11 21:14:05 UTC
[jira] [Commented] (WW-4469) Avoid sending Struts text in HTTP Response Headers
[ https://issues.apache.org/jira/browse/WW-4469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14952395#comment-14952395 ]
Lukasz Lenart commented on WW-4469:
-----------------------------------
To resolve the first issue, just disable {{devMode}} - it's a developer's fault; {{devMode}} must be disabled when deploying an application to production servers.
http://struts.apache.org/docs/security.html#Security-DisabledevMode
Not sure what you want to achieve with improvement 2. You can use {{<default-action-ref/>}} and define {{Http404}} action which will show "404 - not found" message.
> Avoid sending Struts text in HTTP Response Headers
> --------------------------------------------------
>
> Key: WW-4469
> URL: https://issues.apache.org/jira/browse/WW-4469
> Project: Struts 2
> Issue Type: Improvement
> Affects Versions: 2.3.20
> Environment: Ubuntu 14.04 LTS Server x64, JDK 8_31
> Reporter: NZa
> Fix For: 2.3.x
>
>
> In ticket WW-4085 a default-action-ref name was introduced which works fine in order to avoid messages like "There is no Action mapped for namespace [/config-browser] and action name [] associated with context path [/struts2-javatemplate].":
> {code:xml}
> <package name="/" extends="struts-default">
>     <default-action-ref name="HelloWorld" />
>     <action name="HelloWorld">
>         <result type="redirectAction">
>             <param name="actionName">HelloWorld</param>
>             <param name="namespace">example</param>
>         </result>
>     </action>
> </package>
> {code}
> It is possible to also get messages like this:
> There is no Action mapped for namespace [/references/asdasd] and action name [asdasd] associated with context path [].
> Assuming we have the following configuration (this is in our example the one and only package):
> {code:xml}
> <package name="root" extends="struts-default" namespace="/">
>     <default-action-ref name="HelloWorld" />
>     <action name="HelloWorld">
>         <result type="redirectAction">
>             <param name="actionName">HelloWorld</param>
>             <param name="namespace">example</param>
>         </result>
>     </action>
> </package>
> {code}
> Case 1: http://localhost:8080/asdasd
> This works as expected, our default-action-ref "HelloWorld" is called.
> Case 2: http://localhost:8080/asdasd/asdasdasd
> This works as expected, our default-action-ref "HelloWorld" is called.
> Case 3: http://localhost:8080/asdasd/asdasdasd/asdasd and so on
> Like Case 2...
> Cases 2 and 3 will have a HTTP 404 response with the Struts error message.
> I believe it is a good idea to have something that is called by the Dispatcher in case namespace + action is not found.
> Improvement 1:
> Don't write typical Struts messages like "There is no Action mapped for namespace [/references/asdasd] and action name [asdasd] associated with context path []." into HTTP Header response fields if in PROD mode (it allows hackers to assume that the server is based on Struts; obfuscation is better...)
> Improvement 2:
> Allow maybe something like <default-not-found-action-ref name="Http404" /> similar to ticket WW-4085 to be in sync.
> I believe that the current workaround is something like this (which should also be documented better):
> {code:xml}
> <struts>
>     <unknown-handler-stack>
>         <unknown-handler-ref name="MyUnknownHandler1" />
>         <unknown-handler-ref name="MyUnknownHandler2" />
>     </unknown-handler-stack>
> </struts>
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
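The two points in Lukasz's comment, devMode off and a default-action-ref pointing at an Http404 action, put together into a single struts.xml. This is an added example for this page, not configuration from the ticket or from the Struts project: the action name Http404 is taken from the comment, the root package and the HelloWorld action from the reporter's configuration, and the choice of the httpheader result type (registered in struts-default) to set the status code is an assumption of this example. It only covers requests that actually resolve into the root package; the deeper paths of cases 2 and 3 in the ticket are the reason the reporter points at unknown-handler-stack instead.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<!-- Example struts.xml constructed for this page; not taken from the ticket. -->
<struts>

    <!-- Improvement 1 from the ticket: devMode must be false in production.
         With devMode on, the Dispatcher writes the "There is no Action mapped
         for namespace [...]" text into the 404 response. -->
    <constant name="struts.devMode" value="false" />

    <!-- The one and only package, as in the reporter's configuration. -->
    <package name="root" extends="struts-default" namespace="/">

        <!-- Any request that matches no action in this package falls through
             to Http404 instead of HelloWorld or a Struts-specific message. -->
        <default-action-ref name="Http404" />

        <!-- No class attribute, so ActionSupport is used. The httpheader
             result sets only the status code (setStatus, not sendError), so
             neither the Struts text nor the container's own error page,
             which may name the servlet engine, reaches the client.
             Using httpheader here is this example's choice. -->
        <action name="Http404">
            <result type="httpheader">
                <param name="status">404</param>
            </result>
        </action>

        <!-- The reporter's existing action, unchanged, now reached only by
             an explicit request for /HelloWorld. -->
        <action name="HelloWorld">
            <result type="redirectAction">
                <param name="actionName">HelloWorld</param>
                <param name="namespace">example</param>
            </result>
        </action>

    </package>
</struts>
```

If a human-readable body is wanted instead of an empty 404, the httpheader result can be swapped for a dispatcher result to a static "404 - not found" JSP, with the action class setting the status itself; the point that matters for the ticket is that the default action, not the Dispatcher, decides what text the client sees.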