[jira] Commented: (WW-2052) Don't set result jsp file in request parameter on redirect after POST

Tue, 24 Jul 2007 04:36:27 -0700 

    [ 
https://issues.apache.org/struts/browse/WW-2052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_41633
 ] 

Hubert Grininger commented on WW-2052:
--------------------------------------

Thanks for your comment, but the solution doesn't seem to work.

<result name="success">/displayCart.action?userId=${userId}</result> 

Why should this work at all? Mustn't one set this as type="chain" (at least it 
doesnt' work for me).

I tried this:

<result name="success" type="chain">displayCart</result>

.. which resulted in the same behaviour to include the displayCart's jsp file 
in the request params.


So, still no solution for this problem .... 

I think the following link should be removed/corrected/completed, because the 
info is erroneous or at least not complete: 
http://cwiki.apache.org/WW/portlet-configuration.html

> Don't set result jsp file in request parameter on redirect after POST 
> ----------------------------------------------------------------------
>
>                 Key: WW-2052
>                 URL: https://issues.apache.org/struts/browse/WW-2052
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Portlet Integration
>    Affects Versions: 2.0.8
>         Environment: JBoss Portal 2.6.0-CR3
>            Reporter: Hubert Grininger
>
> I have a form with method=POST.
> After sending the form, Struts2 does a redirect after POST (which is fine), 
> but the URL used for redirecting now contains the paramater *location* whose 
> value is the full path of the JSP file, eg: 
> http://localhost:8080/portal/portal/default/MyPortletTutorial/MyPortletWindow?action=2&objectId=&struts.portlet.mode=view&location=%2FWEB-INF%2Fpages%2Fview%2FhelloWorld.jsp&struts.portlet.eventAction=true&struts.portlet.action=renderDirect
> It's not a bug but the jsp file's name is a kind of "secret" information 
> which I don't want to disclose to everybody.
> Additionally this could be a security problem because now you can use the 
> location property for selecting a JSP (I'm not quiete sure if this is a 
> problem, but it doesn't sound comfortable :-) ).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to