behaves as if default namespace contains all actions
----------------------------------------------------
Key: WW-3228
URL: https://issues.apache.org/struts/browse/WW-3228
Project: Struts 2
Issue Type: Bug
Components: Core Actions
Affects Versions: 2.1.6
Environment: Vista
Tomcat 5.5
Java 1.5.0_08
Reporter: Andy Chapman
Priority: Minor
struts.xml as follows:
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts
Configuration 2.0//EN" "http://struts.apache.org/dtds/struts-2.0.dtd";>
<struts>
<package name="default" extends="struts-default" namespace="">
<action name="dummy">
<result>/WEB-INF/jsp/dummy.jsp</result>
</action>
</package>
<package name="wibble" extends="struts-default" namespace="/specific">
<action name="bar">
<results>/WEB-INF/jsp/specific.jsp</result>
</action>
</package>
</struts>
Browsing results:
http://mydomain/specific/bar.action gives specific.jsp
http://mydomain/randomcombinationofletters/bar.action it also gives
specific.jsp
I could understand this happening if there was a bar action in the default
namespace but when there isn't it seems wrong. It causes problems when security
is set up by namespaces as someone can just craft a namespace to avoid the
security rules.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
