Posted to user@struts.apache.org by John Boyer <jo...@rodaxsoft.com> on 2014/04/29 03:59:04 UTC

How to Resolve excludeParams Restriction when Upgrading to Struts 2.3.16.2

Hello:

I'm upgrading from Struts 2.3.4.1 to Struts 2.3.16.2. I've found that some of my actions no longer work due to the excludeParams restrictions.

For example, I get the following warning:

...ParametersInterceptor.warn:56 - Parameter [action:myExcludedAction] is on the excludeParams list of patterns!

It's unclear to me how to resolve this problem. The acceptableParameterName(String) method is not being called with the excluded parameter, so I'm too late in the workflow.

I'm using struts.xml to define the action workflow. How can I fix this problem?

-------

<action name="myExcludedAction" class="com.example.MyAction" method="myMethodToInvoke">
    <result name="success">/WEB-INF/jsp/success.jsp</result>
</action>

-------

Thanks for your time.

John Boyer





---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: How to Resolve excludeParams Restriction when Upgrading to Struts 2.3.16.2

Posted by Lukasz Lenart <lu...@apache.org>.
2014-04-29 3:59 GMT+02:00 John Boyer <jo...@rodaxsoft.com>:
> Hello:
>
> I'm upgrading from Struts 2.3.4.1 to Struts 2.3.16.2. I've found that some of my actions no longer work due to the excludeParams restrictions.
>
> For example, I get the following warning:
>
> ...ParametersInterceptor.warn:56 - Parameter [action:myExcludedAction] is on the excludeParams list of patterns!
>
> It's unclear to me how to resolve this problem. The acceptableParameterName(String) method is not being called with the excluded parameter, so I'm too late in the workflow.
>
> I'm using struts.xml to define the action workflow. How can I fix this problem?
>
> -------
>
> <action name="myExcludedAction" class="com.example.MyAction" method="myMethodToInvoke">
>     <result name="success">/WEB-INF/jsp/success.jsp</result>
> </action>
>
> -------

Please refer to https://cwiki.apache.org/confluence/display/WW/S2-018 -
your problem has nothing to do with Struts 2.3.16.2 - with Struts
2.3.15.3 the "action:" prefix was disabled by default as it can lead to
bypassing URL restrictions. You can enable it using the constant defined
in S2-018. Also you should review how you use <s:submit
action="..."/> to avoid potential security vulnerabilities (it looks
to me as if you don't need the action: prefix to work, as you're mapping
the action's method as a separate action).


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
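
Added example, not part of either message in this thread: one way to follow the advice above and keep the "action:" prefix disabled, by posting the form straight to the mapped action instead of relying on <s:submit action="..."/>. The package name, namespace, button label and the form action "defaultAction" are assumptions for illustration; the constant shown is the S2-018 switch, left at its default.

```xml
<!-- struts.xml (fragment). Package name and namespace are assumed. -->
<struts>
    <!-- S2-018 switch. false is the default since 2.3.15.3, so this line
         only documents the intent: "action:" prefixed parameters are
         not used to select the action. -->
    <constant name="struts.mapper.action.prefix.enabled" value="false"/>

    <package name="example" namespace="/" extends="struts-default">
        <!-- The method is already exposed as its own action name,
             so it can be addressed directly by URL / form action. -->
        <action name="myExcludedAction" class="com.example.MyAction"
                method="myMethodToInvoke">
            <result name="success">/WEB-INF/jsp/success.jsp</result>
        </action>
    </package>
</struts>

<!-- JSP, before (fragment). The action attribute on s:submit renders the
     button as name="action:myExcludedAction", which is the parameter
     named in the excludeParams warning. "defaultAction" is a
     hypothetical name. -->
<s:form action="defaultAction">
    <s:submit value="Run" action="myExcludedAction"/>
</s:form>

<!-- JSP, after (fragment). The form targets the mapped action itself;
     no "action:" parameter is sent, so nothing has to be re-enabled. -->
<s:form action="myExcludedAction">
    <s:submit value="Run"/>
</s:form>
```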
