[ https://issues.apache.org/struts/browse/WW-2052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41631 ]
Nils-Helge Garli commented on WW-2052:
--------------------------------------
I agree this is not optimal, and should be fixed. But I think this occurs only
if you have not defined a view action which is processed after the post. The
POST is processed in the "event" phase, but the resulting view is rendered in
the "render" phase. So if the POST action does not specify a new action as
result, default processing is simply to dispatch to the JSP in the render
phase. You can work around this by having your action processing the form
specify a new action as the result, something like:
<result name="success">/displayCart.action?userId=${userId}</result>
There's a tiny bit of information about this here:
http://cwiki.apache.org/WW/portlet-configuration.html
> Don't set result jsp file in request parameter on redirect after POST
> ----------------------------------------------------------------------
>
> Key: WW-2052
> URL: https://issues.apache.org/struts/browse/WW-2052
> Project: Struts 2
> Issue Type: Improvement
> Components: Portlet Integration
> Affects Versions: 2.0.8
> Environment: JBoss Portal 2.6.0-CR3
> Reporter: Hubert Grininger
>
> I have a form with method=POST.
> After sending the form, Struts2 does a redirect after POST (which is fine),
> but the URL used for redirecting now contains the parameter *location* whose
> value is the full path of the JSP file, e.g.:
> http://localhost:8080/portal/portal/default/MyPortletTutorial/MyPortletWindow?action=2&objectId=&struts.portlet.mode=view&location=%2FWEB-INF%2Fpages%2Fview%2FhelloWorld.jsp&struts.portlet.eventAction=true&struts.portlet.action=renderDirect
> It's not a bug but the jsp file's name is a kind of "secret" information
> which I don't want to disclose to everybody.
> Additionally this could be a security problem because now you can use the
> location property for selecting a JSP (I'm not quite sure if this is a
> problem, but it doesn't sound comfortable :-) ).
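
Added example, not part of the original message or of Struts itself: a Python check that scans collected portal URLs (for instance from an access log) for the `struts.portlet.action=renderDirect` plus `location` pattern shown in the reported URL, listing which JSP paths are still disclosed and therefore which POST actions still lack a view action as their result. The second sample URL, including its `/displayCart` value and `userId=42`, is a constructed assumption about what a render URL looks like once the workaround is in place.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names and the "renderDirect" value are taken from the URL in the issue.
ACTION_PARAM = "struts.portlet.action"
DIRECT_VALUE = "renderDirect"
LOCATION_PARAM = "location"


def exposed_view_path(url):
    """Return the internal view path a render URL discloses, or None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if DIRECT_VALUE not in params.get(ACTION_PARAM, []):
        return None
    # parse_qs percent-decodes values, so %2FWEB-INF%2F... comes back as a path.
    locations = params.get(LOCATION_PARAM, [])
    return locations[0] if locations else None


def audit(urls):
    """Map each disclosed view path to the portlet window paths that exposed it."""
    findings = {}
    for url in urls:
        view = exposed_view_path(url)
        if view is not None:
            findings.setdefault(view, set()).add(urlsplit(url).path)
    return findings


# Constructed sample input. The first URL is the one quoted in the issue; the
# second is a hypothetical render URL after the workaround (values assumed).
SAMPLE_URLS = [
    "http://localhost:8080/portal/portal/default/MyPortletTutorial/MyPortletWindow"
    "?action=2&objectId=&struts.portlet.mode=view"
    "&location=%2FWEB-INF%2Fpages%2Fview%2FhelloWorld.jsp"
    "&struts.portlet.eventAction=true&struts.portlet.action=renderDirect",
    "http://localhost:8080/portal/portal/default/MyPortletTutorial/MyPortletWindow"
    "?action=2&struts.portlet.mode=view"
    "&struts.portlet.action=%2FdisplayCart&userId=42",
]

if __name__ == "__main__":
    for view, windows in audit(SAMPLE_URLS).items():
        print(f"{view} disclosed by {sorted(windows)}")
```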