Don't set result jsp file in request parameter on redirect after POST 
----------------------------------------------------------------------

                 Key: WW-2052
                 URL: https://issues.apache.org/struts/browse/WW-2052
             Project: Struts 2
          Issue Type: Improvement
          Components: Portlet Integration
    Affects Versions: 2.0.8
         Environment: JBoss Portal 2.6.0-CR3
            Reporter: Hubert Grininger


I have a form with method=POST.

After sending the form, Struts2 does a redirect after POST (which is fine), but 
the URL used for redirecting now contains the parameter *location* whose value 
is the full path of the JSP file, e.g.: 

http://localhost:8080/portal/portal/default/MyPortletTutorial/MyPortletWindow?action=2&objectId=&struts.portlet.mode=view&location=%2FWEB-INF%2Fpages%2Fview%2FhelloWorld.jsp&struts.portlet.eventAction=true&struts.portlet.action=renderDirect

It's not a bug, but the JSP file's name is a kind of "secret" information which 
I don't want to disclose to everybody.
Additionally, this could be a security problem because now you can use the 
location property for selecting a JSP (I'm not quite sure if this is a 
problem, but it doesn't sound comfortable :-) ).



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
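
A check for the disclosure described in this report, as an added example that is not part of the original issue or of the Struts code base: it scans the query string of a redirect URL (for instance, a Location header or an access-log entry) for parameters whose decoded value looks like a server-internal view path. The function names and the marker lists are assumptions made for this example; the first sample URL is the one quoted in the report, the other two are constructed.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers of a server-internal view path (assumed lists for this example).
INTERNAL_DIRS = ("/WEB-INF/", "/META-INF/")
VIEW_SUFFIXES = (".jsp", ".jspx")

# URL quoted in the report.
REPORTED_URL = (
    "http://localhost:8080/portal/portal/default/MyPortletTutorial/MyPortletWindow"
    "?action=2&objectId=&struts.portlet.mode=view"
    "&location=%2FWEB-INF%2Fpages%2Fview%2FhelloWorld.jsp"
    "&struts.portlet.eventAction=true&struts.portlet.action=renderDirect"
)
# Constructed samples: no view path, and a doubly percent-encoded view path.
CLEAN_URL = "http://localhost:8080/portal/MyPortletWindow?action=2&struts.portlet.mode=view"
DOUBLE_ENCODED_URL = "http://localhost:8080/portal/MyPortletWindow?location=%252FWEB-INF%252Fpages%252Fa.jsp"


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are compared in clear form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def leaked_view_params(url):
    """Return (name, decoded value, reasons) for each query parameter that
    carries what looks like a server-side view path."""
    findings = []
    # parse_qsl already decodes once; fully_decode handles nested encodings.
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = fully_decode(raw).replace("\\", "/")
        reasons = []
        if any(d in value.upper() for d in INTERNAL_DIRS):
            reasons.append("internal-directory")
        if value.lower().endswith(VIEW_SUFFIXES):
            reasons.append("view-file-suffix")
        if reasons:
            findings.append((name, value, reasons))
    return findings


if __name__ == "__main__":
    for sample in (REPORTED_URL, CLEAN_URL, DOUBLE_ENCODED_URL):
        print(leaked_view_params(sample))
```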
