Posted to issues@struts.apache.org by "Jasper Rosenberg (JIRA)" <ji...@apache.org> on 2013/08/07 20:04:48 UTC
[jira] [Created] (WW-4172) "action:" parameter prefix can be used to access url secured content
Jasper Rosenberg created WW-4172:
------------------------------------
Summary: "action:" parameter prefix can be used to access url secured content
Key: WW-4172
URL: https://issues.apache.org/jira/browse/WW-4172
Project: Struts 2
Issue Type: Bug
Components: Other
Affects Versions: 2.3.15.1
Environment: Spring Security
Reporter: Jasper Rosenberg
Priority: Blocker
Let's say you have the following mappings:
{code:xml}
<package name="securityTest" namespace="/securitytest" extends="default">
    <action name="secureAction">
        <result>secure.ftl</result>
    </action>
    <action name="insecureAction">
        <result>insecure.ftl</result>
    </action>
</package>
{code}
Then suppose you are using url pattern based security such as with Spring Security, and require login to view secureAction.action:
{code:xml}
<http use-expressions="true">
    <intercept-url pattern="/securitytest/insecureAction.action" access="permitAll"/>
    <!-- with use-expressions="true" the expression form needs the parentheses -->
    <intercept-url pattern="/securitytest/secureAction.action" access="isAuthenticated()"/>
    <form-login />
</http>
{code}
Now:
1. http://localhost/securitytest/insecureAction.action
Shows the insecure content
2. http://localhost/securitytest/secureAction.action
Requires login before displaying secure content
3. http://localhost/securitytest/insecureAction.action?action:secureAction
Whoops, there's the secure content without login!
I believe this is only a problem if you are hosting the secure and insecure actions in the same namespace.
Obviously, this is not directly a Struts2 issue, but I'm sure that many sites are using url based security and Struts2 together. At the very least, it might be good to provide an easy way to disable support for the "action:" parameter prefix. For now I just extended the DefaultActionMapper, and overwrote the value of prefixTrie to be empty.
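To make the mismatch concrete, here is an added model (not Struts or Spring Security code) of the two layers in the report: a path-pattern filter that sees only the request URL, and a mapper that resolves the executed action the way the "action:" parameter prefix does. It also shows the two mitigations the report points at: dropping prefix support, or authorizing on the canonical path of the mapped action instead of the raw request path. The rule table, namespace and the fail-closed default are assumptions taken from the configuration above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed models of the two layers in the report, not the real
# Spring Security or Struts implementations.
NAMESPACE = "/securitytest"
ACTION_PREFIX = "action:"
INTERCEPT_URLS = [  # the <intercept-url> rules from the report
    ("/securitytest/insecureAction.action", "permitAll"),
    ("/securitytest/secureAction.action", "isAuthenticated"),
]


def access_for(path):
    """Path-based rule lookup; unmatched paths fail closed (assumption)."""
    for pattern, access in INTERCEPT_URLS:
        if path == pattern:
            return access
    return "denyAll"


def _granted(access, authenticated):
    return access == "permitAll" or (access == "isAuthenticated" and authenticated)


def map_action(url, allow_action_prefix):
    """Return the action name the request will actually execute."""
    parts = urlsplit(url)
    name = parts.path[len(NAMESPACE) + 1:]
    if name.endswith(".action"):
        name = name[:-len(".action")]
    if allow_action_prefix:
        # A bare "action:secureAction" query key overrides the path's action.
        for key in parse_qs(parts.query, keep_blank_values=True):
            if key.startswith(ACTION_PREFIX):
                name = key[len(ACTION_PREFIX):].split("!", 1)[0]
    return name


def dispatch(url, authenticated, allow_action_prefix=True):
    """Filter decides on the request path only: (authorized?, executed action)."""
    allowed = _granted(access_for(urlsplit(url).path), authenticated)
    return allowed, (map_action(url, allow_action_prefix) if allowed else None)


def dispatch_on_mapped_action(url, authenticated, allow_action_prefix=True):
    """Hardened variant: authorize the canonical path of the mapped action."""
    name = map_action(url, allow_action_prefix)
    allowed = _granted(access_for(f"{NAMESPACE}/{name}.action"), authenticated)
    return allowed, (name if allowed else None)
```

With the prefix honoured, `dispatch` lets an unauthenticated request to insecureAction.action?action:secureAction execute secureAction; `dispatch_on_mapped_action`, or passing `allow_action_prefix=False`, closes that path.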